NightHawk Profile Notes

Injector Steps

The behavior of the agent is heavily influenced by the "injector steps" defined in the profile. These are set in the injector.methods JSON block:

      "injector": {
        "methods": {
          "ProcessCreate": "CreateProcessWinApi",
          "ProcessOpen": "OpenProcessNative",
          "AllocMemory": "VirtualAllocNative",
          "WriteMemory": "WriteProcMemNative",
          "ProtectMemory": "VirtualProtectNative",
          "ThreadOpen": "GetRandomThreadNative",
          "ExecuteMemory": "SetContextNative"
        }
      }

These can also be changed on the fly with the set-injector-step command.

CrowdStrike

The following options have been tested and confirmed to be effective against CrowdStrike:

          "ThreadOpen": "GetRandomThreadNative",
          "ExecuteMemory": "SetContextNative"

URIs

It is possible to specify hundreds of URIs in the c2-uri section, as a semicolon-separated list like:

       "c2-uri": "https://redacted.cloudfront.net/; https://foo.bar; https://www.foo.com/",

Ralph has plans to implement this in his CDN automation for Nighthawk in Ansible. It will be possible to set a number of CDNs to deploy, all of which call back to the same backend teamserver. CDN auth is possible with both Azure and Amazon. This will make completely burning a C2 much more difficult, as each compromised endpoint will randomly call back to a different CDN, making it hard for defenders to assemble the full list of CDNs to block.
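From the defensive side, the same semicolon-separated c2-uri string is what an analyst has to break apart when a profile is recovered, so that every host in it ends up on a blocklist rather than only the first one. The following is an added example, not NightHawk's own code; it assumes only the two profile keys shown in these notes (injector.methods and c2-uri), and the sample profile embedded in it is constructed for illustration.

```python
"""Parse a NightHawk-style profile fragment and pull out the C2 hosts.

Added example (not NightHawk's code). Assumes only the "injector.methods"
and "c2-uri" keys seen in the notes; the sample profile below is constructed.
"""
import json
from urllib.parse import urlparse

# Constructed sample profile using only keys that appear in the notes.
SAMPLE_PROFILE = """
{
  "injector": {
    "methods": {
      "ProcessCreate": "CreateProcessWinApi",
      "ProcessOpen": "OpenProcessNative",
      "AllocMemory": "VirtualAllocNative",
      "WriteMemory": "WriteProcMemNative",
      "ProtectMemory": "VirtualProtectNative",
      "ThreadOpen": "GetRandomThreadNative",
      "ExecuteMemory": "SetContextNative"
    }
  },
  "c2-uri": "https://redacted.cloudfront.net/; https://foo.bar; https://www.foo.com/"
}
"""


def split_c2_uris(value: str) -> list[str]:
    """Split the semicolon-delimited c2-uri string into individual URIs.

    Whitespace around entries is stripped and empty entries (for example
    from a trailing ';') are dropped, so the output is safe to feed straight
    into a blocklist or a SIEM watchlist.
    """
    return [u.strip() for u in value.split(";") if u.strip()]


def c2_hosts(profile_text: str) -> list[str]:
    """Return the de-duplicated, sorted hostnames referenced by c2-uri."""
    profile = json.loads(profile_text)
    uris = split_c2_uris(profile.get("c2-uri", ""))
    hosts = set()
    for uri in uris:
        host = urlparse(uri).hostname
        if host:  # skip entries that are not parseable URLs
            hosts.add(host)
    return sorted(hosts)


def injector_steps(profile_text: str) -> dict[str, str]:
    """Return the injector step -> method mapping for triage notes."""
    profile = json.loads(profile_text)
    return dict(profile.get("injector", {}).get("methods", {}))


if __name__ == "__main__":
    print("C2 hosts to block/alert on:")
    for host in c2_hosts(SAMPLE_PROFILE):
        print("  " + host)
    print("Configured injector steps:")
    for step, method in injector_steps(SAMPLE_PROFILE).items():
        print(f"  {step}: {method}")
```

Running the script prints the three hostnames from the sample profile in sorted order followed by the injector step mapping; the split is done once in `split_c2_uris` so the same helper can be reused for any other semicolon-delimited profile field.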

Changing Profiles on the Fly

As long as an agent is still calling back, you can change the profile it uses. Right-click the agent and select "change profile"; a dialog will appear listing the configured profiles.

This is a really nice feature of Nighthawk.

Agent/Server HTTP Behavior

The default HTTP method verb is probably going to be "get", but it can be changed. "commanddefaults" does what its name suggests and specifies:

  • default HTTP verb
  • default headers (user-agent and Accept good here)

C2 commands are as follows:

  • "status"
  • "listcommands" (the agent base64-decodes a response carried in the headers or body)
  • "getcommand" (the agent base64-decodes a response carried in the headers or body)
  • "putresult" (the agent base64-ENCODES the result data it sends)