# Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice

**[proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice](https://www.proofpoint.com/us/blog/threat-insight/nighthawk-and-coming-pentest-tool-likely-gain-threat-actor-notice)**

November 18, 2022


-----

[Blog](https://www.proofpoint.com/us/blog)
[Threat Insight](https://www.proofpoint.com/us/blog/threat-insight)
Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice


-----

November 22, 2022
Alexander Rausch and the Proofpoint Threat Research Team

## Key Takeaways

Nighthawk is an advanced C2 framework intended for red team operations through
commercial licensing.
Proofpoint researchers observed initial use of the framework in September 2022 by a
likely red team.
We have seen no indications at this time that leaked versions of Nighthawk are being
used by attributed threat actors in the wild.
The tool has a robust list of configurable evasion techniques that are referenced as
“opsec” functions throughout its code.
Proofpoint researchers expect Nighthawk will show up in threat actor campaigns as the
tool becomes more widely recognized or as threat actors search for new, more capable
tools to use against targets.

## Overview

In September 2022, Proofpoint researchers identified initial delivery of a penetration testing
[framework called Nighthawk. Launched in late 2021 by MDSec, Nighthawk is similar to other](https://www.mdsec.co.uk/nighthawk/)
frameworks such as [Brute Ratel and](https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/) [Cobalt Strike and, like those, could see rapid adoption](https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware)
by threat actors wanting to diversify their methods and add a relatively unknown framework
to their arsenal. This possibility, along with limited publicly available technical reporting on
Nighthawk, spurred Proofpoint researchers into a technical exploration of the tool and a
determination that sharing our findings would be in the best interest of the cybersecurity
community.

While this report touches on the activity observed in Proofpoint data, the primary focus is
Nighthawk’s packer and subsequent payload capabilities.

## Threat Actors <3 Red Teaming Tools


-----

Historically, threat actors have integrated legitimate tools into their arsenal for various
reasons, such as complicating attribution, leveraging specific features such as endpoint
detection evasion capabilities or simply due to ease of use, flexibility, and availability. In the
last few years, threat actors from cybercriminals to advanced persistent threat actors have
increasingly turned to red teaming tools to achieve their goals.

[Between 2019 and 2020, Proofpoint observed a 161% increase in threat actor use of Cobalt](https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware)
[Strike. This increase was quickly followed by the adoption of Sliver—an open-source, cross-](https://github.com/BishopFox/sliver/tree/6c02971b54831884d30407b632a379947dd289ad)
platform adversary simulation and red team platform. Sliver was first released in 2019 and by
December 2020 had been incorporated into threat actors’ tactics, techniques, and
procedures—a timeline which could possibly occur with Nighthawk in the future. By late
[2021, Proofpoint had identified an initial access facilitator for ransomware threat actors using](https://www.proofpoint.com/us/blog/security-briefs/ta551-uses-sliver-red-team-tool-new-activity)
[Sliver. And, as recently as summer 2022, other security researchers have noted a range of](https://www.microsoft.com/en-us/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/)
[threat actors of varying skills, resources, and motivations integrating it as well as Brute Ratel,](https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/)
another red teaming and adversarial attack simulation tool, into their campaigns.

## Testing, Testing…1…2…3

Proofpoint researchers observed initial use of the Nighthawk framework beginning in midSeptember 2022 with several test emails being sent using generic subjects such as “Just
checking in” and “Hope this works2.” Over the course of a few weeks, emails were sent with
malicious URLs, that, if clicked, would lead to an ISO file containing the Nighthawk loader
payload as a PE32+ executable file, which will be explored in the next section.

Proofpoint researchers were able to identify that the payload delivered was the Nighthawk
penetration testing framework based on open-source research, including MDSec’s [blog on](https://www.mdsec.co.uk/2022/05/nighthawk-0-2-catch-us-if-you-can/)
the latest version of the tool.

## The Loader

The Nighthawk loader artifact analyzed by Proofpoint researchers is a PE32+ binary that
uses some obfuscation and encryption methods to make analysis more difficult and
prolonged. The loader has the following structure (Figure 1) including a .uxgbxd section that
contains possibly decoy code and the .text section which contains the main event: the PE
entry point, the unpacking code, the configuration structure, and the encrypted Nighthawk
payload.


-----

_Figure 1. The structure of the Nighthawk PE32+ binary._

The PE entry point (Figure 2) within the .text section implements some control obfuscation by
calculating the offset for the main function. This is likely done in order to interfere with static
disassembly engines.

_Figure 2. PE entry point._

Initially, the loader code builds a small import table and parses a configuration structure that
specifies which evasion and keying method are to be used. Functions are dynamically
resolved through symbol hashing and manually parsing the export directory of loaded
[modules retrieved through the LDR_DATA_TABLE_ENTRY in the](https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/2110%2021H2%20(November%202021%20Update)/_LDR_DATA_TABLE_ENTRY) [PEB. If a desired library is](https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/2110%2021H2%20(November%202021%20Update)/_PEB_LDR_DATA)
not present in memory, it is either loaded using LoadLibraryW in a direct call or as a
dispatched job via RtlQueueWorkItem.


-----

_Figure 3. LoadLibrary implementation._

All meaningful strings are encoded with a simple algorithm and decoded on the fly. This
inline string decoding means that for only a brief period of time the strings are present in
memory. This creates an advantage for potential threat actors making detection of the tool
more difficult.


-----

_Figure 4. Loader string encoding._

Some functionality can use WinAPI or direct system calls depending on the corresponding
configuration option. This functionality can be used to evade some endpoint detection
systems and sandboxes that use usermode hooks for instrumentation.

The following code removes any potentially registered ProcessInstrumentationCallback
[which can be used to transparently instrument code. This code, if enabled, is directly](https://github.com/ionescu007/HookingNirvana/blob/master/Esoteric%20Hooks.pdf)
executed after the configuration parsing and import table setup phase.

_Figure 5. Clearing the ProcessInstrumentationCallback._

As another means of evading endpoint detection and response security solutions, the loader
code contains optional unhooking functionality for ntdll.dll, kernel32.dll and kernelbase.dll
that is intended to remove user mode hooks from system libraries.

After initialization, a key for decryption of the payload is derived from one of several system
features. Which method is selected to retrieve the payload decryption key is based on user
configuration.

Supported keying methods are:

content of a specified registry key
user SID retrieved from the process token
account domain SID retrieved with LsaQueryInformationPolicy
retrieval of the encryption key via DNS CNAME or TXT query
retrieval of the encryption key via HTTPS request
username, read with GetUserNameA
computer name, read with GetComputerNameA
reading the key from a specified file at a specified offset
retrieval of the encryption key via DNS over TLS via CNAME or TXT query
use of the system drive serial number that is read via
IOCTL_STORAGE_QUERY_PROPERTY IOCTL to //./PhysicalDrive0


-----

The presence of these keying methods is one of the clues that led Proofpoint researchers to
identify this malware as Nighthawk early on. This list matches the features described
in [MDSec’s blog – “Nighthawk 0.2 – Catch Us If You Can”.](https://www.mdsec.co.uk/2022/05/nighthawk-0-2-catch-us-if-you-can/)

After a key derivation from the result of the selected keying function, the payload embedded
in the .text section is decrypted and executed. The keying feature is engineered to minimize
exposure of the cleartext implant and to make it difficult to analyze the malware in a sandbox
or lab environment.

## The Nighthawk Payload

The Nighthawk payload, which is coded in C++, is embedded as a DLL with a small
shellcode prepended (Figure 6) that jumps with the correct offset into the reflective loader
code contained within the DLL.

_Figure 6. Prepended shellcode._

The DLL contains the following sections:

To hide suspicious API calls, Nighthawk uses dynamic API resolution through symbol
hashing as well (Figure 7). The correct module and function symbol is identified by checking
for a matching hash on the lowercase library name or symbol string.


-----

_Figure 7. Nighthawk string hashing function for dynamic API resolution._

This technique is standard tradecraft for malware developers and used in a comparable way
in many other malwares and frameworks such as Cobalt Strike.

Embedded strings are encoded with a simple substitution cipher. Single characters are
looked up in a ciphertext alphabet and replaced with the corresponding character in a
cleartext alphabet. If no match in the ciphertext alphabet is found, the character is not
substituted.

This string encoding is simple but effective in countering signature engines that feature
functionality to match XORed strings.

Reimplemented string decoding algorithm in Python below.

CIPHERTEXT_ALPHABET = ")]9ufjt.,AgU$cwTFzMdxHa!I>hl[ 6QEBmok&;4r?
07G:s^N{qe_P(+b1S8=X/5DvWKiV*<O}-ZnpJ3yYL2RC"

CLEARTEXT_ALPHABET = ",lDvbd<)!asg>.B-GNoK&9P$;6c3O_hFHJqQm4r0y]wtk:
{(8xX^EjT?Cen}+z=/5SIViu2*ZY[pURW1f L7MA"

def decode_string(encoded):

d = []

for c in encoded:

if c in CIPHERTEXT_ALPHABET:

d.append(CLEARTEXT_ALPHABET[CIPHERTEXT_ALPHABET.find(c)])

else:

d.append(c)

return "".join(d)

Nighthawk loads a configuration profile from the .profile section after some initial setup work.


-----

The embedded profile itself is a gzip compressed and AES encrypted JSON object where
the string type fields are encoded with the substitution cipher described above. The 128bit
AES key is either prepended to the encrypted configuration profile or retrieved via HTTPS or
DNS.

_Figure 8. Encrypted profile configuration._

_Figure 9. Decrypted and decompressed profile configuration._


-----

_Figure 10. Partial Nighthawk configuration profile with additional string decoding._

## Nighthawk Evasion

Nighthawk features an extensive list of configurable evasion techniques that are referenced
as “opsec” functions throughout its code. These techniques are important because they
include capabilities that prevent certain endpoint detection notifications and evade process
memory scans.

Proofpoint researchers identified the numerous following evasion options that can be
specified in the opsec section of the configuration profile. Some of these capabilities are
[explained in MDSec’s blog while others have not been sufficiently publicly documented. It is](https://www.mdsec.co.uk/2022/05/nighthawk-0-2-catch-us-if-you-can/)
on the latter capabilities where we have focused our analysis—details of which can be found
after this table.


**Opsec**
**Configuration**
**Option**


**Functionality**


use-syscalls Use direct system calls instead of WinApi where applicable.


indirectsyscalls

unhooksyscalls


Use indirect system calls by setting up system call arguments and calling
a syscall instruction in ntdll instead of a syscall instruction inside the
Nighthawk code.

Remove hooks from ntdll.dll


-----

self-encryptmode

self-encryptafter

report-selfencrypt-status

self-encryptwhile-listening

stomp-peheader

masqueradethread-stacks

encrypt-heapmode

clear-veh-onunhook

clear-veh-onimp-res

clear-hwbpon-unhook


Valid options are:

off

stub
no-stub-rop
no-stub-timer
no-stub-regwait

The exact functionality is unknown at the time of writing.

The exact functionality is unknown at the time of writing.

The exact functionality is unknown at the time of writing.

Overwrites the DOS header magic value, the space between the DOS
and PE header, the PE magic and section names.

This option overwrites the stack of threads during hibernation.

Encrypts the heap when the implant hibernates.

Valid options are:

off

implant
implant+zero

This option temporarily sets a dummy exception handler by patching the
LdrpVectorHandlerList during import resolution.

This option temporarily sets a dummy exception handler by patching the
LdrpVectorHandlerList during import resolution.

This option clears all hardware breakpoints via NtSetContextThread
during the usermode hook removal process.


-----

clear-hwbpon-imp-res

clear-dllnotifications

usethreadpool

backingmodule


This option clears all hardware breakpoints via NtSetContextThread
during API resolution.

This setting clears the list of DLL loading notification callbacks registered
with LdrRegisterDllNotification.

Use RtlQueueWorkItem to dispatch tasks to a thread pool.

The exact functionality is unknown at the time of writing.


unhook-dlls Remove usermode hooks from the list of specified DLLs.

block-dlls Block the specified DLLs from being loaded by hooking LoadLibraryExW.

use-hwbp-for Use hardware breakpoints to implement hooking for the specified
features.

Valid options are:

implant+zero
inproc-console
block-dlls
patch-etw-event
patch-etw-control
patch-amsi


unhook-usingwpm

unhook-vianative

unhook-clearguard


Overwrite hooks using WriteProcessMemory.

Overwrite hooks using NtProtectVirtualMemory and memmove (intrinsic).

Clear the PAGE_GUARD permission from inaccessible memory and set
the permissions for PAGE_NO_ACCESS memory to
PAGE_EXECUTE_READ.


hide-windows Hide GUI Windows of the Nighthawk process using EnumWindows and
ShowWindow.


-----

sleep-mode Selects a sleep mechanism.

Valid options are:

sleep: SleepEx
delay: NtDelayExecution
wait-single: NtWaitForSingleObject
wait-multi: NtWaitForMultipleObjects
wait-signal: CreateEventW and NtSignalAndWaitForSingleObject


disable-picallback

patch-etwevent

patch-etwcontrol


Disable process instrumentation callbacks by using
NtSetInformationProcess to set the ProcessInstrumentationCallback
information class.

Hook NtTraceEvent.

Hook NtTraceControl.


patch-amsi Hook AmsiScanBuffer.


threadpoolloadlibrary

thread-startaddresses


Use RtlQueueWorkItem to dispatch calls to LoadLibraryW for library
loading.

The exact functionality is unknown at the time of writing.


**DLL load notification removal (unhook-dlls): Nighthawk implements a technique that can**
prevent endpoint detection products from receiving notifications for newly loaded DLLs in the
current process context via callbacks that were registered with LdrRegisterDllNotification.
This technique is enabled by the clear-dll-notifications option.

The intended way to unregister a DLL load notification callback is to use
LdrUnregisterDllNotification; however, this requires a cookie value that is returned by the
initial LdrRegisterDllNotification.Nighthawk works around this by directly modifying the list of
structures that store callbacks for a given process.


-----

_Figure 11. Reversed nh_opsec_unregister_dll_load_notifications function._

Of particular interest is the technique used to find the head of the LdrpDllNotificationList
(Figure 12).


-----

_Figure 12. Reversed nh_get_LdrpDllNotificationList function._

The head of LdrpDllNotificationList is in the .data section of ntdll.dll and the cookie value
returned by LdrRegisterDllNotification is a pointer to a list entry in LdrpDllNotificationList.

Thus, walking this list leads to a list entry located inside the ntdll.dll .data section and this list
entry is the head of LdrpDllNotificationList. This implementation is much more stable than
other implementations that rely on disassembling code referencing LdrpDllNotificationList in
ntdll.dll.


-----

**Disabling process instrumentation callback (disable-pi-callback): Nighthawk disables**
this callback by setting an empty callback using NtSetInformationProcess similar to the
implementation used in the loader.

_Figure 13. Reversed nh_disable_process_instrumentation_callback function._

**Self-encryption (self-encryption-mode):** [Modern](https://www.cobaltstrike.com/blog/sleep-mask-update-in-cobalt-strike-4-5/) [C2 frameworks often implement self-](https://bruteratel.com/tabs/badger/commands/sleep/)
encryption capabilities to evade process memory scans.Nighthawk implements several
variants of self-encryption methods that can be configured with the self-encrypt-mode option.

The advanced, more interesting options are no-stub-rop, no-stub-timer, and no-stub-regwait.

All these options are implemented without any resident code but rather use a ROP chain or
callbacks to directly call into the APIs used to encrypt, sleep, and finally decrypt the implant
by proxy through NtContinue. When this code is executed, all other threads are already
suspended and have a spoofed stack depending on the configuration of the masqueradethread-stacks option.

[The no-stub implementations generally use SystemFunction040/RtlEncryptMemory and](https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-rtlencryptmemory)
[SystemFunction041/RtlDecryptMemory to implement the encryption and decryption](https://learn.microsoft.com/en-us/windows/win32/api/ntsecapi/nf-ntsecapi-rtldecryptmemory)
functionality. [NtContinue is used as a “super gadget” to invoke these APIs with the correct](http://undocumented.ntinternals.net/index.html?page=UserMode%2FUndocumented%20Functions%2FNT%20Objects%2FThread%2FNtContinue.html)
set of parameters. NtWaitForSingleObject, RegisterWaitForSingleObject, and
CreateQueueTimer are used to implement a sleep primitive for the three options respectively


-----

All of these methods are sophisticated and relatively hard to detect but the most eyecatching implementation is the no-stub-rop option. This self-encryption method uses return
oriented programming to implement the encryption logic by constructing a ROP chain
consisting of the following two code gadgets (note: gadgets are dynamically discovered by
[iterating modules present in the PEB InLoadOrderModuleList) and the NtContinue “super](https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/2110%2021H2%20(November%202021%20Update)/_PEB_LDR_DATA)
gadget”:

Increment the stack pointer

add rsp, value > 0x28

ret

Get the pointer to the [CONTEXT structure for NtContinue from the stack](https://www.vergiliusproject.com/kernels/x64/Windows%2010%20%7C%202016/2110%2021H2%20(November%202021%20Update)/_CONTEXT)

pop rcx

ret
By using these building blocks a ROP chain is constructed that calls VirtualProtect to set the
memory of the loaded Nighthawk implant read writable,
SystemFunction040/RtlEncryptMemory to encrypt the implant, WaitForSingleObject to sleep,
and SystemFunction041/RtlDecryptMemory to decrypt the implant again followed by
VirtualProtect to set the memory permissions to read write executable. These functions are
invoked through NtContinue with the arguments provided through the CONTEXT structure
parameter.

Figure 14 illustrates the concept.


-----

_Figure 14. Illustration of the no-stub-rop self-encryption method._

## Outlook

Nighthawk is a mature and advanced commercial C2 framework for lawful red team
operations that is specifically built for detection evasion, and it does this well. While
Proofpoint researchers are not aware of adoption of Nighthawk in the wild by attributed threat
actors, it would be incorrect and dangerous to assume that this tool will never be
appropriated by threat actors with a variety of intents and purposes. Historic adoption of tools
like Brute Ratel by advanced adversaries, including those aligned with state interests and
engaging in espionage, provides a template for possible future threat landscape
developments. Detection vendors in particular should ensure proper coverage of this tool as
cracked versions of effective and flexible post-exploitation frameworks can show up in the
dark corners of the internet when either threat actors are looking for a novel tool or the tool
has reached a certain prevalence.


-----

_Proofpoint researchers will continue to analyze the Nighthawk framework and monitor for_
_threat actor campaigns leveraging the tool. An update to this blog or a follow-up report will be_
_published depending on additional findings._

Subscribe to the Proofpoint Blog


-----