Alpha 0.2 Update July 6, 2023

Change log and screenshots from the Alpha 0.2 update

Introduction

This document serves to capture and highlight the changes from the Alpha 0.2 update. It is a large update with around 15k additions and 5k deletions, so some things might not get captured.

Change Log

  • Implant

    • Implants are now dynamic

      • Commands and modules are selected at compile time, and new ones can be loaded into the implant during execution

    • Sleep Encryption & BOF execution are now optional modules

    • Added RunAs & GetSystem commands

    • Added BOF execution & in-memory PE execution commands

    • Added commands to load new commands & modules

    • Added command to view currently loaded commands

    • Added a token store and token store command

    • Decreased number of API calls made during shellcode execution and sleep encryption

    • Download command updated to properly chunk data

      • Currently set at 500 KB per sleep cycle, a 2000 KB file with a 5-second sleep cycle will take ~20 seconds to download.

    • All commands have been updated to work with the new dynamic loading system

    • When the sleep encryption module is loaded postEx sleep encryption will activate automatically

    • Removed all P/Invoke signatures (except the new ones for BOF & RPC); D/Invoke is now used throughout

      • The remaining P/Invoke code will be replaced soon

    • Whoami command now properly prints group names

    • Updated default SpawnTo from calc.exe to notepad.exe

    • Added ping command

    • Added “/noDecoy” flag to InlineDLL to increase stability but skips module overloading

    • Updated command logic to stream back data as it is received per sleep cycle

    • Created DyanmicEngineerLoading DLL, which is packed during compile time

  • Team Server

    • Command read status is now tracked in the DB

    • Account roles for active connections are now tracked in the DB

    • Implant Tasking can now carry additional serialized objects between the client and team server at the time of tasking

    • Alongside the client file preview feature, the code handling file downloads has been cleaned up and improved

    • Code to handle BOF packing added

    • Added code to handle sending dynamic commands and modules to implants

    • Added new shellcode functions to help with "execute assembly"

    • Improved JSON serialization & deserialization

    • Added new objects to database tracking as required

  • Client

    • Commands that change user context (ex. GetSystem) now cause the UI to update, showing that impersonation happened and updating the icons and notes as needed

    • Added table column for notes on implants

      • Notes can be added via the “options” dropdown on the implants page

    • Added a new tab to the Implants page to see previously compiled implants

      • This includes configured settings, included commands & modules, saved location, and download option

    • Added an icon to the implant table and implant interact tab showing the number of tasks whose response panel the operator has not yet opened

    • The unread tasks have markers to denote which ones they are

    • Added client-side UI element to allow viewing of some file types inside the C2

      • PDF, ZIP, and IMAGES formats

    • Added command aliases: input on the interact tab can now contain “$hh_AliasName”, and as long as the name is correct, it will be replaced with its assigned value

      • This allows short-handing commands and command arguments

      • Aliases can be nested, so an alias may contain another alias so long as it is a valid entry in the alias table

    • Opsec enforcement has been activated

      • Commands at the High level produce a prompt asking for a second confirmation

      • The Blocked opsec level prevents tasking

      • The Requires Approval setting sends a notification to the team lead to approve or deny tasking

    • Commands that create new implants (ex. Inject) will cause a dialog window to select the implant build options same as a normal creation

    • Tasks now have a copy button in the header of the expansion panel to easily copy command text (ex. whoami)

    • General UI improvements to support new features, cleanup layout, and improve use on different-sized screens

    • Added multiple methods of command entry on the interact page

      • options can be changed via the settings

      • When not using the autocomplete, a search bar has been added to still easily find commands

    • Command history using the arrow keys has been updated and fixed

    • Implants can be added to the interact page now via a “+” icon at the top of the interaction page

    • Replaced xtabs with mudtabs on the interact page for easier closing and tracking

    • Improved JSON serialization & deserialization

    • Commands that send files to implants now have a “/local” flag that will read file content off of the client machine vs. the team server

    • JWTs are now checked for expiration and make the user log in again if expired

    • Updated implant creation to be a multi-step UI to present all the configuration options better

    • File browser UI can now be browsed by entering a file path in the top bar, similar to the Windows file browser

Details and Screenshots

BOF/COFF Execution

The Engineer implant can now execute BOF/COFF files in memory. This is achieved with the execute_bof command. The syntax is execute_bof /file value /function value /argtypes value /args value. For the moment, the argument types need to be supplied alongside the arguments. There are plans to implement a feature like Sliver's BOF JSON files in the future. If you are not familiar with BOF argument types, I recommend checking out this blog by TrustedSec.

In-Memory PE Execution

The Engineer implant can now execute PE files in memory. This is achieved with the execute_pe command; the syntax looks like execute_pe /file value /args value. The PE is loaded into memory, and response data can be sent back as it is received if it is a long-running task. Like other long-running commands, this command can be canceled to prevent further execution. Like all other commands, it is async by default.

Note: If you want to supply just the filename instead of a full path, the default search location is the teamserver\Programs\Users\ folder. If a matching file is found in this directory, it will be used.

Get System Command

Performs an elevation of the current process or execution of a command in the NT AUTHORITY\SYSTEM context. The command syntax is as follows: getSystem /elevate /command value

It currently uses the EFS Potato technique with a static pipe name. More techniques and customization will come in the future.

Note: The command flag will be ignored if the elevation flag is present. Please supply one or the other.

Token Store

A token store was added to the Engineer implant. This allows for viewing of previous tokens and re-impersonation of those tokens. To view the tokens, execute token_store /view; to use a token, run token_store /use token_id_number. The token store is a per-implant feature and cannot be shared between implants due to the nature of handles in Windows.

Send Back Data During Execution Improved

More commands now stream back data as execution happens. Streaming and command cancel logic has also been abstracted to a shared class to improve consistency across commands.

As before, this is shown by a green spinning circle icon. Clicking on the red X will prompt the user to send a cancel request.

Dynamic Implants

Step 1 Implant type selection: Currently, this menu only contains the Engineer implant, but as others are created in the future, this list will grow. It is intended to show the possible implants, and the selection would modify the following menu values and options.

Step 2 Command selection: the second step in implant creation involves the selection of the commands the operator wishes to be included at compile time. Commands not selected can always be pushed to the implant during the execution with the addcommand /command name syntax.

NOTE: The commands already present in the selected list (i.e., the right-hand menu) are currently required by the implant to function correctly or to allow the loading of new commands and modules during execution. For this reason, they must be included, but they are a rather small portion of the 60+ available commands.

Step 3 Module Selection: Currently the Engineer implant supports two modules. The first is sleep encryption, which was already present in the Engineer implant but is now optional and can be loaded later on to activate sleep encryption when desired. The second module is the BOF execution module; this is required if the execute_bof command is selected.

Step 4 build options: This menu allows the operator to configure several important callback and configuration options before building the implant.

Manager: This is a dropdown of the currently created managers. This sets the C2 profile and the callback protocol, address, and port.

Callback Attempts: This is the number of attempts an implant will make before it exits when it cannot reach the desired callback location.

Sleep Timer: Time in seconds that the implant should start out sleeping for.

Kill date & Time: Date and Time that the implant should exit and stop operation. The time is in UTC. Often set to a few days after an operation is meant to end.

Compile Type: output format for the implant can be exe, dll, service exe, shellcode, or a PowerShell one-liner.

Step 5 Finalize options: This menu allows the operator a quick review of the selected options before the build request goes to the team server.

Compiled Implants Table

The new tab on the Implant/Engineer page contains a table that shows previously compiled implants. It shows the included commands/modules, the time and date of the compilation, and the included configuration options. It also allows downloading the implant to the local client from the teamserver.

Implant Notes

Implants can now be given notes. These can be added via the options dropdown on the implants table. Notes are replicated to all operators.

UI Updates for Context Changes

When commands such as GetSystem are run, the implant's Icon, Username, and Note are updated to reflect the new impersonation. When Rev2self is used, it reverts back to its original state.

Command Response Read Status Tracking

Implants now have an icon on the implant table (next to the integrity icon) and on each interaction tab showing the number of commands that have response data the operator has not yet opened the response panel to review. This applies to any command sent to any implant, so operators can track commands other users send to implants that they have not yet read. This allows for much easier tracking of which implants other operators are currently using, which of your long-running tasks have sent back data, and how much information you have left to read.

Preview Downloaded Files Inside The Client

Files downloaded off of target machines can now be previewed with the view button on the download page. This causes a dialog popup showing off the preview, and the file can be downloaded via the button in the upper right.

Currently, this supports

  • PDFs

  • Images

  • Zips

Custom displays for JSON, TXT, and converting Microsoft Office Docs to PDF are in progress.

Note: This does seem to fail on larger files currently.

Command Aliases

Aliases can be created to act as shorthands for command input on the interact page. They are created using the alias button found at the top of the interact tab. This opens a dialog allowing for the creation of an alias. Aliases basically act as a 1:1 replacement for input on the interact tab. Aliases must be created with the prefix $hh_; this allows them to stand apart from environment variables the operator may want to pass as an argument to commands.

Aliases work even when nested, so you will see that $hh_rubeus_inline has a value of inlineassembly /file D:\My_Custom_Code\HardHatC2\TeamServer\Programs\Users\rubeus.exe and $hh_rubeus_inline_klist has a value of $hh_rubeus_inline /args klist.

Using the alias $hh_rubeus_inline_klist, it will expand before any validation to inlineassembly /file D:\My_Custom_Code\HardHatC2\TeamServer\Programs\Users\rubeus.exe /args klist,

and then normal validation and tasking are performed. Aliases offer a great way to shorthand long or complicated commands and could be used to store password hashes, base64 Kerberos tickets, or whatever command and argument combo the operator desires.
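The nested expansion described above, written out as an added illustration (this is not HardHatC2's own client code): the alias table is constructed from the two aliases the changelog shows, $hh_ tokens are substituted until nothing changes, names without the $hh_ prefix and unknown $hh_ names are left untouched, and a depth limit catches the one failure mode the text does not mention, an alias cycle that would otherwise expand forever.

```python
import re

# Constructed alias table mirroring the two aliases shown in the changelog.
# Values are looked up by the full $hh_ name; a value may itself contain
# further $hh_ aliases (nesting).
ALIASES = {
    "$hh_rubeus_inline": r"inlineassembly /file D:\My_Custom_Code\HardHatC2\TeamServer\Programs\Users\rubeus.exe",
    "$hh_rubeus_inline_klist": "$hh_rubeus_inline /args klist",
}

# Only tokens carrying the $hh_ prefix are candidates, so something like
# $env:USERNAME passed as a command argument is never rewritten.
ALIAS_TOKEN = re.compile(r"\$hh_[A-Za-z0-9_]+")

# Assumed safety limit (not from the changelog): bounds how many nesting
# levels are resolved so a cyclic alias cannot loop indefinitely.
MAX_DEPTH = 16


def expand_aliases(command: str, aliases: dict = ALIASES) -> str:
    """Expand every $hh_ token in `command`, repeating until a fixed point.

    Unknown $hh_ names are left as-is (the page says replacement only happens
    when the name is correct). Raises ValueError if expansion never settles,
    which indicates a cycle in the alias table.
    """
    def lookup(match: re.Match) -> str:
        return aliases.get(match.group(0), match.group(0))

    for _ in range(MAX_DEPTH):
        expanded = ALIAS_TOKEN.sub(lookup, command)
        if expanded == command:
            return expanded  # no alias left to resolve; ready for validation
        command = expanded
    raise ValueError("alias expansion did not terminate; check for cyclic aliases")
```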

Opsec Command Setting Enforcement

Team leads have the ability to set the opsec status of a command to one of the following values

  • Low

  • Medium

  • High

  • Requires Approval

  • Blocked

At High and above, some extra action is performed. At High, the client prompts for a second authorization by the executing user to ensure they want to run the command.

Note: The Requires Approval implementation is currently bugged and does not produce the approval window.

When set to Requires Approval, the client will send a prompt to any active team leads to approve the command. This is intended for commands that the team leads are OK with being run in certain situations but would want to vet before execution.

When set to Blocked, the user will get a popup stating that the team lead currently has this command blocked, and the task will not be sent to the implant.

PostEx Implant Creation Menu

When commands that create a new implant are executed, a dialog containing the same options as normal implant creation is presented to customize the implant that will be used.

Currently, this includes

  • Jump

  • Inject

  • Spawn

When one of these commands is run, follow the build process, and the resulting implant will be used by the command. If Jump with psexec is used, the build type is overwritten to be a service exe regardless of selection.

New Command Entry Methods

The main addition to the list is a no autocomplete option. This changes the command entry box to a normal text box and adds a second search box underneath the command entry to easily still find the desired command and its flags. This can be set on the Settings page.

Add Implants for Interaction via Interact Page

Hitting the + icon on the interaction page loads a dialog containing checked-in implants that the user has not started interacting with. Selecting an implant in this popup will create an interaction tab for that implant and change the currently active interaction tab.

File Browser Supports Entering Location

On the file browser tab there is now an address bar that can be edited; when it is changed, the currently selected implant will be tasked with the ls command to update the file browser. This mimics entering a new address in the Windows file explorer.
