Nighthawk

InfraGuard parses Nighthawk’s listener JSON to extract HTTP routes and implant metadata configuration.

Config

domains:
  telemetry.example.com:
    upstream: "${NIGHTHAWK_UPSTREAM}"
    profile_path: "profiles/nighthawk-listener.json"
    profile_type: "nighthawk"

    drop_action:
      type: "redirect"
      target: "https://telemetry.example.com"

See config/examples/c2-nighthawk.yaml.

Profile JSON Format

InfraGuard reads Nighthawk’s listener configuration JSON. Fields extracted:

  • listener.http.routes[].uri — URI patterns per route
  • listener.http.routes[].method — HTTP method per route
  • listener.http.routes[].headers — required headers
  • implant.metadata.location — message location (header/body/URI)

pipeline:
  filter_mode: "strict"
  block_score_threshold: 0.5
  enable_profile_filter: true
  enable_replay_filter: true
  replay_persist: true
  enable_sandbox_filter: true
  enable_enumeration_filter: true
  enumeration_unique_path_threshold: 3

Nighthawk engagements warrant strict settings — any profile mismatch should hard-block.
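
The extraction listed under Profile JSON Format, followed by a strict route check in the spirit of the settings above, as an added example that is not InfraGuard's own code. Only the four field paths come from this page; the sample profile is constructed, and the value shapes (glob-style `uri`, `headers` as a name-to-value object) and the names `extract_profile` and `matches_profile` are assumptions.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample: only the four field paths come from the page; the value
# shapes (headers as a name->value object, glob-style uri) are assumptions.
SAMPLE_PROFILE = """
{
  "listener": {"http": {"routes": [
    {"uri": "/api/v2/events", "method": "POST",
     "headers": {"Content-Type": "application/json"}},
    {"uri": "/static/*.js", "method": "GET", "headers": {}}
  ]}},
  "implant": {"metadata": {"location": "header"}}
}
"""

def extract_profile(text):
    """Return (routes, metadata_location); raise ValueError on a malformed profile."""
    try:
        doc = json.loads(text)
        raw_routes = doc["listener"]["http"]["routes"]
        location = doc["implant"]["metadata"]["location"]
    except (json.JSONDecodeError, KeyError, TypeError) as exc:
        raise ValueError(f"profile missing expected field: {exc!r}") from exc
    if not isinstance(raw_routes, list) or not raw_routes:
        raise ValueError("listener.http.routes must be a non-empty list")
    if not isinstance(location, str):
        raise ValueError("implant.metadata.location must be a string")
    routes = []
    for r in raw_routes:
        hdrs = r.get("headers", {}) if isinstance(r, dict) else None
        if not (isinstance(hdrs, dict) and isinstance(r.get("uri"), str)
                and isinstance(r.get("method"), str)):
            raise ValueError(f"route needs string uri/method, object headers: {r!r}")
        # Normalise so later comparisons are case-insensitive where HTTP is.
        routes.append({"uri": r["uri"], "method": r["method"].upper(),
                       "headers": {k.lower(): v for k, v in hdrs.items()}})
    return routes, location

def matches_profile(routes, method, path, headers):
    """Strict check: method, URI and every required header must all match one route."""
    got = {k.lower(): v for k, v in headers.items()}
    return any(
        r["method"] == method.upper() and fnmatchcase(path, r["uri"])
        and all(got.get(k) == v for k, v in r["headers"].items())
        for r in routes)
```

A profile that fails `extract_profile` should stop the deployment rather than fall back to an empty route list, which would otherwise turn a typo in the JSON into a filter that matches nothing or everything.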