APIServer Logs
The logs for an operation can be extracted from the Nighthawk API server using the script located at: APIServer/APIServer/logexporter.py
Note: if you are using a dockerized version of the Nighthawk server (i.e. warhorse deployed) you will need to enter an interactive shell within the container to export data successfully. For example:
docker exec -it nighthawk /bin/bash
Once there, an example command could be:
python2 logexporter.py 2021-607 json
CSV and JSON formats are supported.
Example CSV Log Output
TimeStamp,ClientId,MessageId,FriendlyName,ProtoMsgType,PayloadLength,ResultLength,Priority,Issuer,VerbatimCommand,Description,ConsoleInput,ConsoleOutput,Tags
2022-02-15 18:03:57.558234,25a56ec8-7fb0-9760-7fb0-2cc5e9671964,a4ed4f64-7372-4719-95f9-e2845a542b43,COMMANDO:vagrant:test.exe:3232,CPMT_GET_DETAILED_INFO,72,116,LOW,admin,,Requesting detailed agent info for 25a56ec8-7fb0-9760-7fb0-2cc5e9671964,,"Detailed agent info received OS: Windows 10, Tunnelled: False, Machine: COMMANDO, User: vagrant, Process: test.exe (PID: 3232), Arch: x64, Integrity: Medium, IPs: 100.91.85.3,127.0.0.1,169.254.227.78,172.19.6.173",
2022-02-15 18:03:58.238621,25a56ec8-7fb0-9760-7fb0-2cc5e9671964,c100957b-215b-4c5b-a4fc-9c5ad825a613,COMMANDO:vagrant:test.exe:3232,CPMT_GET_DETAILED_INFO,72,116,LOW,admin,,Requesting detailed agent info for 25a56ec8-7fb0-9760-7fb0-2cc5e9671964,,"Detailed agent info received OS: Windows 10, Tunnelled: False, Machine: COMMANDO, User: vagrant, Process: test.exe (PID: 3232), Arch: x64, Integrity: Medium, IPs: 100.91.85.3,127.0.0.1,169.254.227.78,172.19.6.173",
2022-02-15 18:07:39.079875,25a56ec8-7fb0-9760-7fb0-2cc5e9671964,50ea7e5f-9a7e-4fe1-a7b6-144343af66e1,COMMANDO:vagrant:test.exe:3232,CPMT_TERMINATE_PROCESS,76,,LOW,admin,,"Terminating agent OS: Windows 10, Tunnelled: False, Machine: COMMANDO, User: vagrant, Process: test.exe (PID: 3232), Arch: x64, Integrity: Medium, IPs: 100.91.85.3,127.0.0.1,169.254.227.78,172.19.6.173",,,
The output can be filtered by the "FriendlyName" column to exclude lab/test machines and only include client machines.
It is also recommended to filter out "CPMT_SOCKS_MSG" entries, as they are just SOCKS proxy responses.
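The shell one-liner given next does a line-based grep -v, which drops any line that contains a hostname anywhere (including inside the quoted ConsoleOutput or Description fields of a client-machine row) and does not understand quoted fields. The following added example (not part of the original page or the logexporter script) filters on the FriendlyName and ProtoMsgType columns with Python's csv module instead. The sample rows, hostnames, IDs and IPs are constructed placeholders in the column layout shown above; the function names are this example's own.

```python
import csv
import io

# Column header exactly as produced by logexporter.py (from the page).
HEADER = ("TimeStamp,ClientId,MessageId,FriendlyName,ProtoMsgType,PayloadLength,"
          "ResultLength,Priority,Issuer,VerbatimCommand,Description,ConsoleInput,"
          "ConsoleOutput,Tags")

# Constructed sample rows (placeholder hosts/IDs/IPs). The last row is a client
# machine whose Description happens to mention the lab host "LAB-BOX".
SAMPLE_CSV = HEADER + "\n" + "\n".join([
    '2022-02-15 18:03:57.558234,25a56ec8-0000-0000-0000-000000000001,m1,'
    'COMMANDO:vagrant:test.exe:3232,CPMT_GET_DETAILED_INFO,72,116,LOW,admin,,'
    'Requesting detailed agent info,,"Detailed agent info received OS: Windows 10, '
    'Machine: COMMANDO, IPs: 10.0.0.5,127.0.0.1",',
    '2022-02-15 18:04:10.000000,25a56ec8-0000-0000-0000-000000000001,m2,'
    'COMMANDO:vagrant:test.exe:3232,CPMT_SOCKS_MSG,40,,LOW,admin,,,,,',
    '2022-02-15 18:05:00.000000,33333333-0000-0000-0000-000000000002,m3,'
    'LAB-BOX:tester:test.exe:4444,CPMT_GET_DETAILED_INFO,72,116,LOW,admin,,'
    'Requesting detailed agent info,,"Detailed agent info received Machine: LAB-BOX",',
    '2022-02-15 18:06:00.000000,25a56ec8-0000-0000-0000-000000000001,m4,'
    'COMMANDO:vagrant:test.exe:3232,CPMT_TERMINATE_PROCESS,76,,LOW,admin,,'
    '"Terminating agent Machine: COMMANDO, note: compare with LAB-BOX baseline",,,',
])

# Message types that are only SOCKS proxy traffic and carry no operator action.
EXCLUDED_MSG_TYPES = {"CPMT_SOCKS_MSG"}


def filter_log(csv_text, excluded_hosts, excluded_msg_types=EXCLUDED_MSG_TYPES):
    """Return the rows (as dicts) that belong to client machines and are not
    SOCKS responses. Only the FriendlyName and ProtoMsgType columns are
    inspected, so hostnames mentioned in free-text columns do not drop rows."""
    excluded_hosts = {h.upper() for h in excluded_hosts}
    kept = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # FriendlyName is "MACHINE:user:process:pid"; the machine part decides.
        machine = row["FriendlyName"].split(":", 1)[0].upper()
        if machine in excluded_hosts:
            continue
        if row["ProtoMsgType"] in excluded_msg_types:
            continue
        kept.append(row)
    return kept


def write_filtered(csv_text, excluded_hosts, out_path):
    """Write the filtered rows to out_path with the original header; returns the
    number of rows written."""
    rows = filter_log(csv_text, excluded_hosts)
    with open(out_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=HEADER.split(","))
        writer.writeheader()
        writer.writerows(rows)
    return len(rows)


def grep_style_count(csv_text, patterns):
    """How many data lines a `grep -v` of the same patterns would keep: any line
    containing a pattern anywhere is dropped, regardless of column."""
    lines = csv_text.splitlines()[1:]
    return sum(1 for ln in lines if not any(p in ln for p in patterns))


if __name__ == "__main__":
    kept = filter_log(SAMPLE_CSV, ["LAB-BOX"])
    for r in kept:
        print(r["TimeStamp"], r["FriendlyName"], r["ProtoMsgType"])
    print("column-aware filter kept:", len(kept))
    print("grep -v style kept:", grep_style_count(SAMPLE_CSV, ["LAB-BOX", "CPMT_SOCKS_MSG"]))
```

On the constructed sample the column-aware filter keeps two rows (the client machine's detailed-info and terminate entries), while the grep -v approach keeps only one, because the terminate row mentions the lab host in its Description. Pass the real export and the lab hostnames to write_filtered to produce the client deliverable.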
An example filter command is as follows:
cat 2021-880.csv | grep -v "DESKTOP-AC5N3KJ\|DESKTOP-4U9ASU1\|PFRY-DESKTOP\|CPMT_SOCKS_MSG" > bhis_client_nighthawklogs.csv
Client Logs
Print the log as it appeared in the terminal
- Good for getting clearer/narrower screenshots
cat console-1e0a2c2c-1266-dee7-cf1a-0c9aa21e3857.xml | sed -E 's#[[:space:]]*</?(console-entries|entry|console)[^>]*>##g' | sed -E 's/\&[lg]t;|!color=[0-9-]*!//g'
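The sed pipeline above deletes the `&lt;` and `&gt;` entities outright, so any `<` or `>` characters in console output disappear from the rendered text. As an added example (not part of the original page), the following Python reproduces the pipeline's behaviour line by line and, beside it, parses the same file as XML so the entities are unescaped rather than dropped. The sample document is constructed from the element names the sed command strips and the `!color=N!` markup it removes; the attribute names and the function names are this example's assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample console log. Element names follow the page's sed command;
# the id/ts attributes are assumed, not taken from a real export.
SAMPLE_XML = """<console id="1e0a2c2c-0000-0000-0000-000000000000">
  <console-entries>
    <entry ts="2022-02-15 18:03:57">!color=2!&gt; sleep 30</entry>
    <entry ts="2022-02-15 18:03:58">!color=-1!Sleep set to 30s &lt;ok&gt;</entry>
  </console-entries>
</console>
"""

# Same expressions as the page's two sed invocations (sed works per line, so
# leading whitespace is only consumed within a line).
TAG_RE = re.compile(r"[ \t]*</?(console-entries|entry|console)[^>]*>")
MARKUP_RE = re.compile(r"&[lg]t;|!color=[0-9-]*!")
COLOR_RE = re.compile(r"!color=[0-9-]*!")


def strip_like_sed(xml_text):
    """Mimic the sed pipeline: strip the wrapper tags, then delete the colour
    markup and the angle-bracket entities. Returns one string per input line."""
    out = []
    for line in xml_text.splitlines():
        line = TAG_RE.sub("", line)
        line = MARKUP_RE.sub("", line)
        out.append(line)
    return out


def console_lines(xml_text):
    """Parse the file as XML instead: the parser unescapes &lt;/&gt; to the
    original characters, and only the colour markup is removed."""
    root = ET.fromstring(xml_text)
    lines = []
    for entry in root.iter("entry"):
        text = COLOR_RE.sub("", entry.text or "")
        lines.append(text.strip())
    return lines


if __name__ == "__main__":
    print("sed-style:")
    for line in strip_like_sed(SAMPLE_XML):
        if line:
            print(line)
    print("parsed:")
    for line in console_lines(SAMPLE_XML):
        print(line)
```

For a screenshot-ready transcript where command prompts and redirect characters must survive, the parsed version is the safer choice; the sed version is fine when the console text contains no angle brackets.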