its-a-feature / cobalt_sync

Standalone Cobalt Strike operation logging Aggressor script for Ghostwriter 2.0+

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

cobalt_sync

Standalone Cobalt Strike Operation Logging Aggressor script for Ghostwriter 2.0+

Authors: Daniel Heinsen and Andrew Chiles of SpecterOps

Usage

  1. Modify variables in oplog.cna with the appropriate values for your environment.

     ###########################################
     $oplog::GhostwriterOplogURL = "<https://ghostwriter.local>"; # No trailing /
     $oplog::GhostwriterOplogID = "<ID>";
     $oplog::GhostwriterOplogAPIKey = "<API KEY>";
     ###########################################
    
  2. Execute oplog.cna via agscript on your teamserver to report activity from all operators on the teamserver.

  3. Verify a new entry was created in your Ghostwriter oplog. If not, check your Event Log and script console for connection or authentication errors.

Troubleshooting

  • Ensure the teamserver where cobalt_sync (oplog.cna) is running has network access to Ghostwriter.
  • Ensure the OplogID and OplogAPI key are correct for the provided Ghostwriter URL

References

About

Standalone Cobalt Strike operation logging Aggressor script for Ghostwriter 2.0+

License:BSD 3-Clause "New" or "Revised" License