HardHat C2

A cross-platform, collaborative, Command & Control framework written in C#, designed for red teaming and ease of use.

Overview

HardHat is a multiplayer C# .NET-based command and control framework designed to aid in red team engagements and penetration testing. HardHat aims to improve quality-of-life factors during engagements by providing an easy-to-use but still robust C2 framework. It contains three primary components: an ASP.NET teamserver, a Blazor .NET client, and C#-based implants.

Alpha Release

Features

HardHat contains many needed features for C2 operations.

Teamserver & Client

  • Per-operator accounts with account tiers to allow customized access control and features, including view-only guest modes, team-lead opsec approval (WIP), and admin accounts for general operation management.

  • Managers (Listeners)

  • Dynamic Payload Generation (Exe, Dll, shellcode, PowerShell command)

  • Creation & editing of C2 profiles on the fly in the client

  • Customization of payload generation

    • sleep time/jitter

    • kill date

    • working hours

    • type (Exe, Dll, Shellcode, ps command)

    • Included commands (WIP)

    • option to run confuser

  • File upload & Downloads

  • Graph View

  • File Browser GUI

  • Event Log

  • JSON logging for events & tasks

  • Loot tracking (Creds, downloads)

  • IOC tracing

  • Pivot proxies (SOCKS 4a, Port forwards)

  • Cred store

  • Autocomplete command history

  • Detailed help command

  • Interactive terminal command (bash if the client is on Linux, PowerShell on Windows); this allows automatic parsing and logging of terminal commands like proxychains

  • Persistent database storage of teamserver items (user accounts, Managers, Engineers, events, tasks, creds, downloads, uploads, etc.)

  • Recon Entity Tracking (track info about users/devices, random metadata as needed)

  • Shared files for some commands (see teamserver page for details)

  • tab-based interact window for command issuing

  • table-based output option for some commands like ls, ps, etc.

  • Auto parsing of output from Seatbelt to create "recon entities" and fill in entries that are easy to reference later

  • Dark and Light 🤮 theme

Engineers

  • C# .NET Framework implant for Windows devices; currently only CLR/.NET 4 is supported

  • Currently only one implant, but looking to add others

  • It can be generated as EXE, DLL, shellcode, or PowerShell stager

  • RC4 encryption of payload memory & heap when sleeping (EXE / DLL only)

  • AES encryption of all network communication

  • ConfuserEx integration for obfuscation

  • HTTP, HTTPS, TCP, SMB communication

    • TCP & SMB can work P2P in bind or reverse setups

  • Unique per-implant key generated at compile time

  • Multiple callback URIs depending on the C2 profile

  • P/Invoke & D/Invoke integration for Windows API calls

  • SOCKS 4a support

  • Reverse Port Forward & Port Forwards

  • All commands run as async cancellable jobs

    • Option to run commands sync if desired

  • Inline assembly execution & inline shellcode execution

  • DLL Injection

  • Execute assembly & Mimikatz integration

    • Mimikatz is not built into the implant but is pushed when specific commands are issued

  • Various localhost & network enumeration tools

  • Token manipulation commands

    • Steal Token Mask

  • Lateral Movement Commands

    • Jump (psexec, wmi, wmi-ps, winrm, dcom)

    • Remote Execution (WIP)

  • AMSI & ETW Patching

  • Unmanaged PowerShell

    • Script Store (can load multiple scripts at once if needed)

  • Spawn & Inject

    • Spawn-to is configurable

  • run, shell & execute

Architecture Screenshot
