NightHawk, MDSec’s commercial C2 product, has focused on operational security and detection avoidance since its initial release in December 2021. While the core functionality of the framework has been effective within the scope of these objectives, our team noticed certain features were missing as we started incorporating NightHawk into our engagements alongside our other C2 options. Most notably, there was no equivalent in NightHawk to Cobalt Strike’s Aggressor scripting platform, severely limiting automation capabilities. While I know how big of fans we all are of the Sleep programming language, Aggressor’s functionality was invaluable in our team’s operations, streamlining complex multi-command actions and automating commands to run upon initial beacon check-in.

To address these gaps in automation I built DayBird, an automation package that extends the NightHawk operator UI to provide scripting functionality similar to Aggressor and to automate the execution of code on initial beacon check-in. The best part of it all — DayBird plugins (the equivalent of Aggressor scripts) are entirely written in C#, so you can load plugin projects into Visual Studio, add the reference DLL, and quickly build a set of steps to automate complex workflows. Plugins can also retrieve the results of prior commands, so plugin logic can branch on the information those commands returned. For example, a plugin could automatically decide which persistence mechanism to deploy based on the results of the ps command (showing which EDRs may be active on the system) or based on the integrity level of the current session.

Due to NightHawk being a closed-source product sold by an independent vendor, we initially chose not to publicly release DayBird. However, earlier this year, we shared the source code with MDSec to explore the possibility of implementing these features or their equivalents in future product releases. With regular inquiries about automation arising in the NightHawk Slack community and version 0.3 scheduled for release sometime next year, complete with a new operator UI, we decided it would be prudent to release this tooling to the public now. This will serve as a bridge until an official operations automation solution is incorporated in the product.