Ghostwriter v6.3.4

Summary

This is a small release with some improvements for the integration with BloodHound Enterprise.

CHANGELOG

[6.3.4] - 24 April 2026

Added

• Added is_tier_zero to BloodHound Enterprise findings for easy tier zero identification

Fixed

• Fixed an edge case with LargeDefaultGroup findings from BloodHound Enterprise that could cause a source/target pairing to have an incorrect severity assigned

Ghostwriter v6.3.3

Summary

A small release for some bug fixes.

CHANGELOG

[6.3.3] - 23 April 2026

Fixed

• Fixed an issue in the BloodHound Enterprise findings parser that could cause an incorrect severity calculation
• Fixed the primary field not being available for client contacts for all users when creating via the GraphQL API (Fixes #880)

Ghostwriter v6.3.2

Summary

This release primarily makes changes to the BloodHound integration to address some edge cases and clarify permission boundaries.

CHANGELOG

[6.3.2] - 21 April 2026

Changed

• The BloodHound global server configuration now has an explicit flag to be set that allows it to be used as a fallback for projects
  • Defaults to off so the configuration is more explicitly opt-in
  • Previously, the fallback was implicit when you configured the global server
• Adjusted permissions for triggering a global BloodHound data fetch
  • Changed from any authenticated user to users with access to a project using the global configuration or privileged users
• Changed some Cypher queries to use count() to avoid potential issues with very large environments
• Pinned base images for containers to specific versions for reliability (e.g., node:25 to node:25.9.0)
• Adjusted the collection of users with pwdlastset older than 90 days to only include enabled users

Fixed

• Fixed the BloodHound API fields being required when trying to create a project via the GraphQL API (Fixes #877)

Ghostwriter v6.3.1

Summary

This release fixes some bugs and cleans up some issues with edge cases to improve reliability in various areas. It also introduces improved control over evidence width and alignment for the global report configuration and individual report templates.

CHANGELOG

[6.3.1] - 17 April 2026

Added

• Control Over Max File Size: Added GHOSTWRITER_MAX_FILE_SIZE to manage the maximum file size for uploads
  • This new value defaults to 10MB and can be controlled via Ghostwriter CLI
  • The value limits the size of evidence and terminal recording uploads and downloads
  • These files load into memory for certain actions (e.g., recording playback, base64-encoding) and this guards against extremely large files using excessive system resources

Changed

• Better Control Over Image Evidence Display: Global and template values for controlling evidence width and alignment
  • Previously, you could only set image width on a template and images were always center aligned
  • Width and alignment are now global report configuration values and template configuration values
  • Ghostwriter uses the global value unless a template has its own values set
  • If no width value is set inn either location, Ghostwriter defaults to 6.5" (full width for a default Word document)
• Offloaded alignment of code blocks for text evidence to the CodeBlock style in the template
  • Previously, Ghostwriter always set code blocks to be left aligned
  • Ghostwriter will now set left alignment only if the CodeBlock style is missing
  • The CodeBlock style's alignment configuration will determine the block's alignment
• The MOTD banner's banner_link field is now a URL field and applies URL validation
• Set a max upload size for evidence as a guard against very large uploads
• The collaborative editor's color picker now validates color values
• Added sanitization to strip some characters from the export filenames for operation logs for safer exports
• The start script for Django will now run the migrate_totp_device to migrate MFA records set up prior to v6.1
• Restricted links in the collaborative editor to valid URL schemes (e.g., http, https, mailto)
• Changed the to_datetime filter to not require a format string
  • The filter will now automatically match a format string with Django's DATE_INPUT_FORMATS when a format string is not provided
• Adjusted tag autocomplete to only offer tags already applied to objects to which the user has access

Fixed

• Fixed MFA recovery codes not displaying when they should
• Fixed an issue that could occur when rendering a report with a table that was missing table tags
• Fixed a report generation endpoint that did not properly redirect when the report did not exist
• Fixed sanitizing the identifier on log entries
• Fixed an issue that could occur with filter_bhe_findings_by_domain when domain SID or BloodHound environment_id were empty
• Fixed an edge case where a single contact on a client or project could be flagged as not the primary contact
• Fixed an issue that prevented report archives from being created
• Fixed the table caption "Set Bookmark" command in the editor being available when it should not be

Security

• Restored the HttpOnly flag to cookies
• Restricted collab-server inspector to localhost for development environments

Ghostwriter v6.3.0

Summary

This significant release includes support for a passive voice checking utility in the collaborative editor and a completely redesigned operation log experience (plus several new related features). It also includes binaries for Ghostwriter CLI v1.0.0. The intent is for v6.3.0 to mark a change from installs requiring a local copy of the Ghostwriter codebase to requiring only a copy of Ghostwriter CLI v1.0.0 or later.

For more information, review the CLI CHANGELOG. Read on for all the v6.3.0 details.

CHANGELOG

[6.3.0] - 10 April 2026

Added

• Operation Log Evidence Linking: Added support for linking evidence to individual operation log entries (Closes #132; Closes #831)

  • New OplogEntryEvidence model to create many-to-many relationships between log entries and evidence
  • New GraphQL linkOplogEvidence action to attach evidence via API
  • New web form (OplogEvidenceCreate view) to attach evidence through the UI
  • Evidence appears in a dedicated section within each log entry, with friendly names and direct links to the original evidence
  • Automatic "evidence" tag applied when evidence is linked to an entry

• Operation Log Terminal Recordings: Added support for uploading and playback of Asciinema terminal session recordings (.cast and .cast.gz files) (Closes #831)

  • New OplogEntryRecording model to store a single terminal recording per log entry
  • New GraphQL uploadOplogRecording action for base64-encoded file uploads via API
  • New GraphQL downloadOplogRecording action to retrieve recordings and metadata
  • New Django views for recording upload, deletion, and download with file serving and inline playback support
  • Support for Asciinema player integration for viewing recordings directly in the log entry's details pane
  • Automatic "recording" tag applied when a recording is uploaded

• Automatic Tag Management for Log Entry Features: Evidence linking and terminal recordings automatically apply and remove tags

  • evidence tag added when first evidence is linked, removed when the last evidence is unlinked
  • recording tag added when a recording is uploaded, removed when the recording is deleted
  • Tags can be used for filtering log entries and visual identification

• Passive Voice Detection: Added support for performing passive voice identification inside the collaborative editor (PR #796)

  • Ghostwriter now hosts a small local copy of the spaCy language model for text analysis
  • Select "Check Passive Voice" in the collaborative editor to examine text and highlight instances of passive voice
  • See the wiki for more details and an explanation for how to change the model's language

• Build a Narrative Outline from Log Entries: Construct an outline for a report narrative based on tagged log entries (Closes #863)

  • This is useful for quickly generating a narrative outline to kickstart a report draft
  • Added a button to the collaborative editor to insert a narrative outline based on activity logs
  • The action includes any log entries tagged with evidence or report
  • Extended the global report configuration to include a field for specifying additional tags
    • Includes support for partial tags—e.g., cred* will match creds or credentials.
  • Each line includes the start date and time (assumes UTC), tool used, target, and comments
  • The action also inserts evidence objects below each line for any evidence linked with that entry
  • Pairs nicely with Ghostwriter's external tools, mythic_sync and cobalt_sync
  • Big thanks to @C0KERNEL who created the initial PoC of this

Changed

• New User Interface for Operation Logs: Replaced the table view for operation logs with two pane interface (Closes #831)

  • New interface is similar to those used by many email clients
  • Log entries appear on the left-side with at-a-glance information
  • Details appear on the right-side in a details pane
  • Details pane includes dedicated sections for attaching evidence and uploading terminal recordings

• Text Evidence Previews: Text evidence now has previews in the collaborative editor like image evidence

• Pasting Images into Collaborative Editor: You can now paste an image file or screenshot in your clipboard into a collaborative editor field

  • The paste will automatically trigger the modal window for uploading your evidence
  • Your filename will be the default friendly name for the upload

• Updated Ghostwriter CLI Binaries: Updated the pre-built Ghostwriter CLI binaries to v1.0.0

  • Review the Ghostwriter CLI CHANGELOG for complete notes
  • Going forward, we recommend all users use the new published container images for easier updates
  • Existing installations will need to migrate some files
    • Copy the ssl/ directory to the ghostwriter/ directory inside your operating system's data file directory
    • Also copy any custom settings files from config/settings/production.d to ghostwriter/settings/
  • Ghostwriter CLI can be used with --mode local-prod to keep the old behavior of using a local copy of Ghostwriter's code
    • You will need to do this if you are using a customized version of the codebase

• Report names in the sidebar now also include the parent project's codename to aid in identification

Fixed

• Fixed an error that occurred in local development environments related to trying to connect to nginx (Closes #847)

Security

• As we allow more user-editable content to be rendered in the DOM, we have implemented stronger controls to prevent JavaScript injection
  • Updated the allowed HTML attributes to be more targeted
  • Added sanitization to activity log entries that support rich text (comments and description)
  • Added DOMPurify to the project for an extra layer of security and client-side sanitization

Ghostwriter v6.2.13

Summary

A small release to address two minor issues prior to v6.3.0.

CHANGELOG

[6.2.13] - 8 April 2026

Changed

• Adjusted substitution for .ref and .caption to be forgiving of extra spaces before/after the .
  • This resolves a potential syntax error when rendering a report that could be difficult to identify
• Adjusted font color of in-focus evidence preview objects for better contrast

Ghostwriter v6.2.12

Summary

CHANGELOG

[6.2.12] - 6 April 2026

Added

• Extra Field Ordering: Added a position field to extra fields to enable custom ordering

  • Admins can now set an order for their extra fields
  • Ordering impacts the display of extra fields in all locations

• Exposures Now Available for BHE Reporting: Added exposures to the domain data for BHE tenants

  • This is a new key in the domain data pulled from all BHE tenants
  • The key includes data like the domain's calculated exposure percentage

Ghostwriter v6.2.11

Summary

A small release to add ordering for project assignments to aid with reporting.

CHANGELOG

[6.2.11] - 2 April 2026

Added

• Ordering Based on Project Role Assignments: Added a position field to ProjectRole to order team members
  • Team members will now order by their role's position and then by their name
  • Admins can set the position for each role in the admin console
  • Ordering applies to the project dashboard and the ordering of the team in the report data

Ghostwriter v6.3.0-rc2

Summary

We've made the upcoming v6.3.0 even better with a significant redesign of the activity logging experience. We've also made other improvements based on user feedback.

CHANGLEOG

[6.3.0-rc2] - 25 March 2026

Added

• Passive Voice Detection: Added support for performing passive voice identification inside the collaborative editor

  • Ghostwriter now hosts a small local copy of the spaCy language model for text analysis
  • Select "Check Passive Voice" in the collaborative editor to examine text and highlight instances of passive voice
  • See the wiki for more details and an explanation for how to change the model's language

• Operation Log Evidence Linking: Added support for linking evidence to individual operation log entries (Closes #132)

  • New OplogEntryEvidence model to create many-to-many relationships between log entries and evidence
  • New GraphQL linkOplogEvidence action to attach evidence via API
  • New web form (OplogEvidenceCreate view) to attach evidence through the UI
  • Evidence appears in a dedicated section within each log entry, with friendly names and direct links to the original evidence
  • Automatic "evidence" tag applied when evidence is linked to an entry

• Operation Log Terminal Recordings: Added support for uploading and playback of Asciinema terminal session recordings (.cast and .cast.gz files)

  • New OplogEntryRecording model to store a single terminal recording per log entry
  • New GraphQL uploadOplogRecording action for base64-encoded file uploads via API
  • New GraphQL downloadOplogRecording action to retrieve recordings and metadata
  • New Django views for recording upload, deletion, and download with file serving and inline playback support
  • Support for Asciinema player integration for viewing recordings directly in the log entry's details pane
  • Automatic "recording" tag applied when a recording is uploaded

• Automatic Tag Management for Log Entry Features: Evidence linking and terminal recordings automatically apply and remove tags

  • evidence tag added when first evidence is linked, removed when the last evidence is unlinked
  • recording tag added when a recording is uploaded, removed when the recording is deleted
  • Tags can be used for filtering log entries and visual identification

Changed

• Ghostwriter CLI v1.0.0: Updated the pre-built Ghostwriter CLI binaries to v1.0.0

  • Review the Ghostwriter CLI CHANGELOG for complete notes
  • Going forward, we recommend all users use the new published container images for easier updates
  • Existing installations will need to migrate some files
    • Copy the ssl/ directory to the ghostwriter/ directory inside your operating system's data file directory
    • Also copy any custom settings files from config/settings/production.d to ghostwriter/settings/
  • Ghostwriter CLI can be used with --mode local-prod to keep the old behavior of using a local copy of Ghostwriter's code
    • You will need to do this if you are using a customized version of the codebase

• New User Interface for Operation Logs: Replaced the table view for operation logs with two pane interface (Closes #831)

  • New interface is similar to those used by many email clients
  • Log entries appear on the left-side with at-a-glance information
  • Details appear on the right-side in a details pane
  • Details pane includes dedicated sections for attaching evidence and uploading terminal recordings

• Text Evidence Previews: Text evidence now has previews in the collaborative editor like image evidence

• Pasting Images into Collab Editor: You can now paste an image file or screenshot in your clipboard into a collaborative editor field

  • The paste will automatically trigger the modal window for uploading your evidence
  • Your filename will be the default friendly name for the upload

Security

• As we allow more user-editable content to be rendered in the DOM, we have implemented stronger controls to prevent JavaScript injection
  • Updated the allowed HTML attributes to be more targeted
  • Added sanitization to activity log entries that support rich text (comments and description)
  • Added DOMPurify to the project for an extra layer of security and client-side sanitization

Ghostwriter v6.2.10

Summary

This release addresses some issues with the TinyMCE WYSIWYG editor.

CHANGELOG

[6.2.10] - 27 March 2026

Changed

• Updated TinyMCE to work better with Ghostwriter's dark mode using a new dark-mode skin

Fixed

• Fixed TinyMCE editors not initiating correctly for the "Results" field on objectives when adding new forms
• Fixed TinyMCE editors sometimes appearing with a very short height and needing to be resized