Releases: GhostManager/cobalt_sync
cobalt_sync v2.0.5
Summary
This release updates cobalt_sync to work with the new Cobalt Strike v4.12 and adds functionality to use Ghostwriter's setTags mutation to set tags on log entries.
CHANGELOG
[2.0.5] - 01 December 2025
Changed
- Updated the cobalt_parser to handle new
<task val>fields in Cobalt Strike 4.12 logs - Updated the cobalt_web to create tags in Ghostwriter based on the MITRE fields from Cobalt Strike logs
- Updated the cobalt_web to set the new task identifiers from CS4.12 in the output field in Ghostwriter logs
cobalt_sync v2.0.4
a859d0e
chrismaddalena
Christopher Maddalena
Summary
Small update to improve functionality and reliability.
CHANGELOG
[2.0.3] - 05 January 2024
Changed
- Updated the logic for hash checking within cobalt_parser to track seen hashes first and optionally remove them if they fail to send
- This prevents an issue where repeated writes to a file within a short timeframe (1s) caused duplicate entries sent
- Updated cobalt_web's hash creator to sort dictionary keys for a more consistent check
cobalt_sync v2.0.3
Summary
This release fixes a potential issue that could cause duplicate log entries when Cobalt Strike writes to a log file multiple times in under a second.
CHANGELOG
[2.0.3] - 05 January 2024
Changed
- Updated the logic for hash checking within cobalt_parser to track seen hashes first and optionally remove them if they fail to send
- This prevents an issue where repeated writes to a file within a short timeframe (1s) caused duplicate entries sent
- Updated cobalt_web's hash creator to sort dictionary keys for a more consistent check
cobalt_sync v2.0.2
Summary
This release includes changes to eliminate the log entry duplication that could occur and add additional information about new callbacks.
Note: This release will only work with Ghostwriter >=v4.0.3!
CHANGELOG
[2.0.2] - 08 December 2023
Changed
- Added in a webhook notification for when everything is successfully connected and when there are errors
- error messages are limited to 1 per 30 min to help prevent spam
- These use the
WEBHOOK_DEFAULT_URLandWEBHOOK_DEFAULT_ALERT_CHANNELenvironment variables- Note: No
#needed for the channel, that's automatically applied
- Note: No
- Updated the messages that go to Ghostwriter:
- Destination IP is now left blank
- Source is now of the format: HOSTNAME (Internal IP)
- New callbacks have more information in their Description field and other fields left blank
- Task events now also have the PID and Callback BeaconID listed
cobalt_sync v2.0.1
ec3ed8c
chrismaddalena
Christopher Maddalena
Summary
This is a small release that sets file size limits on the container logs to address situations where unchecked issues could create very large log files given enough time.
CHANGELOG
[2.0.1] - 15 November 2023
Changed
- Added a limit to the log size to prevent the log file from growing too large
cobalt_sync v2.0.0
Summary
This release significantly changes how cobalt_sync works to make it better, more reliable, and compatible with Ghostwriter v4.0.0 and later.
CHANGELOG
[2.0.0] - 20 September 2023
Added
- Added
cobalt_parser, a golang program to parse and monitor Cobalt Strike logs and ship parsed events to a web server - Added
cobalt_web, a Python web server that accepts cobalt events and posts them to Ghostwriter's v4 GraphQL endpoint - Added a Redis service container that functions a database to store hashes of Cobalt Strike messages to prevent duplicates
Changed
cobalt_syncnow syncs activities via Ghostwriter's GraphQL API
Removed
- Removed use of the legacy Ghostwriter REST API (removed in Ghostwriter v4)
cobalt_sync v1.0.0
Summary
This is the initial version of cobalt_sync committed initially on 29 October 2021 for Ghostwriter v2.