Currently, two different C2 frameworks can easily integrate with Ghostwriter’s GraphQL API: Mythic and Cobalt Strike. These utilities automatically create and update log entries. You can also write scripts to integrate other frameworks and tools. All you need to get started is an automation token.
Obtaining an Automation Token
For operation-log syncing, prefer a scoped service token when the integration supports it. A service token can be limited to one operation log and its entries, so the automation does not inherit all permissions from the user who created the token. Use an API token only when the automation should act as your user account and inherit your current permissions. For custom logging tools, you can also consider using the login action with the API, but generated API tokens or service tokens are usually a better fit for long-running automation.
Read more about this process here:
Authentication
User Profile and Tokens
Setting up Syncing with Cobalt Strike
GitHub - GhostManager/cobalt_sync
Note: Cobalt Strike does not associate console output with the original command. Therefore, cobalt_sync cannot automatically complete the output fields for log entries. Job IDs may be available for Cobalt Strike in the future.
Setting up Syncing with Mythic
GitHub - GhostManager/mythic_sync
Note: Since Mythic associates output with the original command, the mythic_sync project will retroactively update previous log entries when output is received. This will overwrite any additional context added to the original entry within Ghostwriter before the new output was received.