Ghostwriter: 2020 Feature Update

We introduced Ghostwriter in July 2019 when we felt it was a good v1.0, but active development never slowed. If you missed the release at Black Hat Arsenal 2019, checkout Ghostwriter here first:

https://posts.specterops.io/introducing-ghostwriter-part-1-61e7bd014aff

A lot has changed in the past six months so let’s dive into some of the most exciting changes for 2020.

WYSIWYG Editor

Easily the biggest change is the addition of a WYSIWYG editor. Ghostwriter now uses TinyMCE for editing findings and notes. TinyMCE is widely used in products like WordPress and integrates well with Django.

New WYSIWYG editor with example formatting applied

This was a heavy lift that required testing multiple editors and figuring out how to best convert the WYSIWYG HTML to the various reporting formats (e.g., Office XML). Originally, we stated this feature was a low priority; however, it really needed to be in place early to reduce how much work would need to be done by current users to convert findings that used Ghostwriter’s original template keywords to the new WYSIWYG editor.

Adding the WYSIWYG editor also removed the bulk of the template keywords. These keywords drew some ire due their tendency to make text uglier, and they frustrated users when a typo broke their formatting. The only keywords that remain in Ghostwriter are the client, caption, and evidence keywords. Everything else is handled by the editor and carried over into reports.

Evidence files are still handled the same way, but Ghostwriter has some new tricks. First, Ghostwriter’s new editor has an autocomplete function. Begin typing @{ to see a full list of available template tags (e.g., evidence files and text replacement tags). Select the one you want and press your Enter key to automatically insert the tag.

Users also have the option of inserting image files into the WYSIWYG editor. While any remote image file can be inserted, only files attached to the finding will make it into the reports. Users can take the link for image evidence and insert the image into the editor to view their image inline with their text. This is a nice convenience feature that may be built out more in the future. For now, it can help users better visualize what the finding will look like in the report.

Report Updates

The docx, pptx, and xlsx reports have all been greatly improved. The Word reports will now omit tables if they will be empty. Lists are also now properly spaced. Many users may not have noticed that list items had just a little more padding than usual. We dug into the XML of a docx document and found this setting, usually applied by default to lists, appears in the XML as <w:contextualSpacing>.

Word’s default list, and semi-hidden, spacing style

Whenever you format something as a numbered or bulleted list in Ghostwriter, that XML node will be added to the list’s XML. It is a subtle change but part of our efforts to make Ghostwriter’s output as close as possible to what would be generated if a user created the same report within Word.

For Excel spreadsheets, Ghostwriter used to omit evidence files which could lead to text referencing something that just wasn’t there. Now evidence will be replaced with a placeholder like this:

<See Report for Evidence File: Enigma0x3>
Caption — Matt Nelson’s Latest Privilege Escalation Exploit

Furthermore, there is a new column called Supporting Evidence that will contain a list of the evidence files referenced by the other fields. These changes, along with other formatting improvements, should make these documents more useful.

Finally, PowerPoint slide deck creation is much, much better. Previously, the slide contained bullets but they weren’t recognized as true bullets in PowerPoint and could not be programmatically indented. Now, all text in the finding’s Description field will be included in a slide as proper bullets. Lists are added with one level of indentation, so they still stand out as separate lists. All other fields are included in the slide’s notes for easy reference.

Additionally, Ghostwriter now adds code blocks and evidence files as separate text areas and images. These evidence files and log/code examples will be available for users to move around and edit as needed for their slide decks.

Data Import/Export

A fine partner to the new editor is the new import and export feature for findings. Ghostwriter has always enabled the bulk importing of findings, but this process has been enhanced. The updated sidebar has a new Export Findings option that will dump the complete findings library into a csv file.

New Export Findings option

This is a great way to dump the library, complete mass edits (delete all of the old template tags, maybe?), and then import all the changes at once. Also, a new bulk import option has also been introduced for administrators.

When viewing the findings library in the admin panel, administrators will see new Import and Export buttons. The Export button gives administrators the option of exporting findings in json, HTML, yaml, odt, tsv, xls, xlsx, and csv formats. The Import button opens a panel where any of those export formats can be imported. This enables a lot of flexibility for mass library updates.

Import preview showing deletions and additions

Even better, the import function goes beyond just blindly importing changes. Ghostwriter will display each entry being imported and highlight all of the changes for review.

This feature will be rolled out to other database models in the future.

Updates to Domain Tracking

Ghostwriter now tracks the registrar auto-renew statuses for all domains in the domain library. This is a small addition that offers some big quality of life improvements. For example, it is now easy to programmatically determine if a domain is really expired or the recorded expiration date just needs to be incremented by one year.

Expiration date automatically updated for 2020

We added a new background task to do exactly that. Users can configure ghostwriter.shepherd.tasks.check_expiration to run every day to mark domains as expired when the expiration date is in the past and auto-renew is disabled. If a domain comes up as expired and is configured for auto-renewal the task will add one year to the expiration date.

Adding Auxiliary Server Addresses

A project’s infrastructure tracking table showing all addresses

Ghostwriter’s first version of infrastructure tracking allowed for one IP address to be supplied for a server. A single server can have more than one IP address, but we intended users to track external IP addresses here and usually each server will have just one external address that is relevant to the project. This design assumption caused a couple of UX issues.

The latest version of Ghostwriter enables users to add auxiliary addresses to a server. Add as many additional private/external IPv4 or IPv6 addresses as desired. Any of these addresses can be marked as the primary address for the server. The primary address will be displayed on the server’s details page and in a project’s infrastructure section as the server’s Primary IP Address. All other associated IP addresses will be displayed next to it.

Anther quality of life improvement feature is the copy button. Clicked the copy button next to these IP addresses will copy it to your clipboard.

Miscellaneous Tweaks

One of the UI/UX improvements made to the report library

Ghostwriter has received a multitude of other tweaks and improvements. The latest changes should alleviate some of the struggles reported by users. The biggest UX issue involved new users having a hard time understanding how to start editing a report. It was not always clear which report had been selected when a user tried to add a finding to a report. The latest updates should help with that.

Future Plans

We have a long list of updates and new features planned for various pieces of Ghostwriter. For now, we have placed priority on developing activity logging for operator actions and deconfliction. We are also working on a quality assurance process for edits to the findings library and individual reports.

Our first goal is to create a new application to capture operator actions, context around those actions, and comments. We are also working on automating much of this via API endpoints and communication with Command and Control frameworks like Covenant, Apfell, and Cobalt Strike. These features are still in their pre-planning and early development stages, but we hope to have more to talk about soon.

For QA, we want to enable a team’s Ghostwriter administrators (e.g., leadership) to “bless” findings. These blessed findings will be marked as such, indicating they represent the team’s latest views and recommendations for that issue. Significant edits to a blessed finding will cause the finding to be flagged for review. This way everyone is empowered to fix a typo or small grammatical error, but bigger changes don’t make their way into the library without a nod of approval.

Expect this and much more to begin rolling out in 2020!

Ghostwriter: 2020 Feature Update was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: https://posts.specterops.io/ghostwriter-2020-feature-update-1cb8348f48a3?source=rss----f05f8696e3cc---4