NightHawk Framework
Overview
NightHawk is a C2 framework that has been acquired from MDSEC in the UK. We own exactly six licenses, which traditionally are issued on a per-user basis. Since we are a consultancy, per-user licensing does not work well, so MDSEC has agreed that we can run up to six instances in parallel under a per-engagement model. BHIS must carefully honor this agreement.
Important: NightHawk is brand new, expensive, and is deployed to limited high end financials and consultancies like ours. Almost 100% of the value is the strength of the implant.
The biggest strength and highest-value proposition of NightHawk is the behavior of the C2 implant itself. Under JSON-based configuration control from the API server, the implant artifact can be highly customized to evade sophisticated EDR-based defenses. Customization includes features like:
- direct kernel system calls for process injection
- configurable DLL unhooking
- process injector API call chain customization
- heap encryption on sleep periods
- in-process AMSI and ETW patching
- custom DLL load blocking (such as AMSI.dll for example)
In short, what NightHawk provides is a high probability of operational security once the artifact has been deployed. Core NightHawk components include:
- .NET-based UI.exe for operator use (runs on Windows, or under Mono on Linux)
- Python2-based API server for C2 infrastructure deployment
- .NET-based DeployTool.exe used to push new JSON-based profiles to the API server
Deploying NightHawk
The software is distributed as a ZIP file from MDSEC. Since it is relatively early in development, I have created a git repository that contains an easy-to-use install script. To get up and running initially, I recommend the following steps:
- Create a Digital Ocean system using the generic Debian snapshot.
- Download the software by visiting https://git.nopsled.me/Joff.Thyer/NightHawkDeploy and downloading a ZIP file.
- Copy the ZIP file to your Digital Ocean system, then unzip it in root's home directory. You may want to rename the …-master.zip to just NightHawkDeploy.zip.
- Change directory into NightHawkDeploy and execute the shell script:
root@nhtest:~/# mv NightHawkDeploy-master.zip NightHawkDeploy.zip
root@nhtest:~/# unzip NightHawkDeploy.zip
root@nhtest:~/# cd /root/NightHawkDeploy
root@nhtest:~/NightHawkDeploy# ./nhinstall.sh
- The user interface is known as UI.exe and is contained in the NightHawk/UI/Release/bin directory. Copy this entire UI directory structure to the Windows system (or, if using Mono, the Linux system) where you expect to run the UI.
NightHawk Profiles
NightHawk profiles are JSON-based files which define the C2 listener that will be created when you deploy the profile. Detailed information about the meaning of the extensive profile configuration language is found in the NightHawk Documentation directory in the file Profile.md. For convenience, I am including this markdown document linked from here; however, it is subject to change as MDSEC develops the product further. Please read NightHawk Profiles for information from MDSEC.
Deploying a profile
Deploying profiles in NH is done using the DeployTool.exe binary included in the DeployTool\bin directory of the main NightHawk zip file.
For example:
.\DeployTool.exe localhost 8888 admin:password --deploy=C:\users\user\desktop\cloudfront-crowdstrike.json --instance=cloudfront
Note that the "cert" section used for SSL configuration is finicky about formatting. You must use the following format for the cert:
"cert": {
"cert": "-----BEGIN CERTIFICATE-----\nMIIGGzCCBAOgAwIBAgIUQKFt7Duv8bP84A0BPCjRH5HlZRMwDQYJKoZIhvcNAQEL\n...\nW4iV+aRkcBley0t7CkedCenyGE4NpBWrK21o99B6kw==\n-----END CERTIFICATE-----",
"key": "-----BEGIN PRIVATE KEY-----\nMIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQCoa1I95ibf8qkz\n...\nG4DDUBr+ghrx+9UBazaWbi8VmA2d\n-----END PRIVATE KEY-----"
}
This includes the literal \n characters: use your editor of choice to replace each actual newline in the PEM text with \n, then wrap the result in quotes as a single JSON string.
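Producing that single-line form by hand is error-prone, so the following added example (not part of the MDSEC tooling or this repository) builds the "cert" object with Python's json module, which escapes each real newline as the literal \n the profile expects. The PEM material is a constructed placeholder, not a real certificate or key.

```python
import json
import re

# Constructed placeholder PEM blocks for the example (not real certificate or key data).
SAMPLE_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBPLACEHOLDERLINEONE\n"
    "MIIBPLACEHOLDERLINETWO==\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_KEY = (  # CRLF line endings, as a key exported on Windows might have
    "-----BEGIN PRIVATE KEY-----\r\n"
    "MIIJPLACEHOLDERLINEONE\r\n"
    "MIIJPLACEHOLDERLINETWO\r\n"
    "-----END PRIVATE KEY-----\r\n"
)

# One PEM block: BEGIN line, base64 body lines, matching END line.
_PEM_RE = re.compile(r"^-----BEGIN ([A-Z ]+)-----\n(?:[A-Za-z0-9+/=]+\n)+-----END \1-----$")


def normalize_pem(pem: str, expected_label: str) -> str:
    """Normalize CRLF to LF, strip surrounding whitespace and check the PEM envelope."""
    text = pem.replace("\r\n", "\n").strip()
    match = _PEM_RE.match(text)
    if not match or match.group(1) != expected_label:
        raise ValueError(f"not a single {expected_label} PEM block")
    return text


def is_valid_pem(pem: str, expected_label: str) -> bool:
    """Boolean wrapper around normalize_pem for callers that prefer not to catch errors."""
    try:
        normalize_pem(pem, expected_label)
        return True
    except ValueError:
        return False


def build_cert_section(cert_pem: str, key_pem: str) -> str:
    """Return the profile's "cert" object as JSON text with newlines escaped as \\n."""
    section = {"cert": {"cert": normalize_pem(cert_pem, "CERTIFICATE"),
                        "key": normalize_pem(key_pem, "PRIVATE KEY")}}
    return json.dumps(section, indent=2)


def round_trips(section_json: str, cert_pem: str, key_pem: str) -> bool:
    """Check the JSON carries escaped newlines and decodes back to the normalized PEM."""
    loaded = json.loads(section_json)["cert"]
    return ("\\n" in section_json
            and loaded["cert"] == normalize_pem(cert_pem, "CERTIFICATE")
            and loaded["key"] == normalize_pem(key_pem, "PRIVATE KEY"))
```

Paste the printed object into the profile in place of the hand-edited "cert" section; the round_trips check confirms the file will decode back to exactly the PEM you started with.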
NH Beacon Commands within UI
The UI is somewhat like Cobalt Strike, only written in .NET. It is a little flaky right now and does not tolerate interrupted network connections well. As a general rule, if you are having any trouble, close and restart the UI process as a first step.
Once you have a beacon up and running, here are some commands you should be aware of:
- alias | create a new command alias
- exec | execute a specific executable on target
- shell | perform a shell command using %COMSPEC% (normally cmd.exe)
- sleep | change sleep interval
- ls | directory listing
- upload
- download
- inproc-execute-assembly | execute a .NET assembly within a specific process or new process