Ghostwriter: The SpecterOps project management and reporting engine

Ghostwriter

Ghostwriter is a part of your team. It helps you manage clients, projects, reports, and infrastructure in one application. It does not replace some of the more common or traditional project management tools, such as CRMs, but it does consolidate all relevant project information in a way for users to easily curate every aspect of their projects.

Ghostwriter uses the Django Q project queuing and managing background tasks. Django Q hands-off tasks to the Redis server (already installed and running in Docker).

Tasks are defined in the tasks.py file. These tasks can be executed on-demand or on a schedule.

Tasks can be queued in a few different ways:

• Schedule tasks to execute in the future and on a recurring schedule with Django Q.

• Use the buttons (various) in Ghostwriter’s web interface.

• Use a REST API endpoint (not yet available).

Ghostwriter helps you manage and monitor covert infrastructure, including servers and domain names. Tracking infrastructure in Ghostwriter creates a historical record of how and when your infrastructure is used.

Additionally, the infrastructure manager can be set up to monitor infrastructure for changes in domain categories and open ports/services exposed to the general internet.

Ghostwriter’s primary goal is bringing all of your operational data together in one place and create relationships. A starting point is needed to accomplish this goal. For Ghostwriter, that starting point is a client.

The basic workflow looks like this:

1. Create a new client, or open an existing client

2. Review points of contact for the client and add/edit as needed

3. Create a project under the client

4. Checkout servers and domain names for the new project

5. Create links between domain names, subdomains, and servers

At this stage your project proceeds until it’s time to begin noting observations:

1. Create one or more reports for the new project

2. Browse the database of findings/observations and add some to the report

3. Attach evidence files to the new finding

4. Return to step 2

That’s all there is to the basic procedures and their required order of precedence.

At the end of a project, a project manager or assessment lead should mark a project as complete. This is done by clicking the In Progress toggle below the project’s name on the project’s detail page.

Marking a project as complete begins a 90-day countdown to archiving. If the archive task has been configured (see Background Tasks), Ghostwriter will perform a daily check to see if any complete projects are 90 days old (or older) and archive them.

Archiving involves the following actions:

• Mark all reports under the project to Complete (if they were not marked as such already)

• Mark all reports under the project as archived

• Generate all report types

• Bundle all reports and evidence files into a zip file

• Add a record to the Archive model for the client and project with the report archive file

• Mark the project as archived

• Delete all report data

The archive file is available for download under /reporting/reports/archive. You can leave them or perform any actions required by your company’s data retention policies (e.g. download the archive and then delete it from Ghostwriter).

Once archived, the project and reports can no longer be edited, so they now exist only as a historical record.

Copyright (c) 2019, Chris Maddalena