Having Fun with the Havoc Framework

Regan
4 min read · Oct 3, 2022

Havoc is a new and highly anticipated post-exploitation and C2 framework developed by C5pider. It has been in development for some time and built up a bit of a following in the lead-up to its release just a couple of days ago. That said, it’s very much early days, and plenty of features are missing or still in development.

Some stand-out features from this release of Havoc:

  • Multiplayer Teamserver
  • Payload generation via the client GUI
  • Customisable C2 profiles with external C2 support
  • A Python API for the agent, which gives us lots of modularity and customisation possibilities
  • Lots of features in the agent out of the box

Let’s get stuck in and create a team server. Profiles can be created and managed with a simple configuration file. In my configuration file, I’ve configured my HTTPS listener to reflect my VM’s host-only NIC and created a user for myself.

We can see the server has started successfully:

Now we need to jump into the client. We’re greeted with a very Cobalt Strike-like login prompt (C5 himself admitted he lifted it straight from C2, but if it ain’t broke, why fix it?).

Once we’re in, there are a few things to look at.

At the bottom, we’ve got a team chat to communicate with other operators. On the right-hand side is the event viewer, a running log of what’s happening on the server. On the left is our graph. Once we drop our implants on a couple of endpoints, we’ll see this section get populated. Speaking of implants, let’s generate some agents and talk about the ‘Demon’ agent.

Demon supports a surprisingly large amount of post-exploitation commands, most of which are familiar to those who’ve used Meterpreter and CS in the past.

We’re even able to generate our payload in the GUI itself:

Let’s deploy Demon on some endpoints and see what it does. For this test, I’ll be running SentinelOne and CrowdStrike on different machines as a comparison point. Both have been set to detect only, with remediation disabled. I’m using the wonderful DetectionLab project by clong to generate this lab (blog post upcoming). We’ll serve our totally non-suspicious binary to our hosts and run it as admin for the sake of demonstration.

It’s worth pointing out at this stage that both CrowdStrike and SentinelOne detected the malware:

CrowdStrike detection
SentinelOne detection

After a bit of trial and error, I used one of the malleable C2 profiles provided by BT-SECURITY to populate a custom URI and header in the HTTPS payload configuration. We’ve now got our first endpoint!
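As an added example (not the author’s own configuration file, which the post does not reproduce), here is a teamserver profile of the kind described above: one operator and one HTTPS listener bound to a host-only NIC, with the request URIs and headers customised the way the post describes. The layout follows the HCL-style sample profile shipped with the project (profiles/havoc.yaotl); the key names are those of later Havoc releases and may differ on the initial release, and the IP address, operator name, password, URIs and header values are constructed placeholders, so check them against the sample profile of the version you run:

```hcl
# Constructed example profile: one operator, one HTTPS listener on a host-only NIC.
Teamserver {
    Host = "0.0.0.0"          # management interface the Havoc client connects to
    Port = 40056

    Build {
        Compiler64 = "data/x86_64-w64-mingw32-cross/bin/x86_64-w64-mingw32-gcc"
        Nasm       = "/usr/bin/nasm"
    }
}

Operators {
    user "regan" {                  # constructed operator name
        Password = "CHANGE-ME"      # placeholder, not a real credential
    }
}

Listeners {
    Http {
        Name         = "Https Listener"
        Hosts        = [ "192.168.56.10" ]   # placeholder: the host-only NIC address agents call back to
        HostBind     = "192.168.56.10"       # bind only to the lab NIC, not every interface
        HostRotation = "round-robin"
        PortBind     = 443
        PortConn     = 443
        Secure       = true                  # Secure = true makes this an HTTPS listener
        # Request shape the Demon agent will use. These are the fields the post
        # replaced with values from a BT-SECURITY malleable profile; the values
        # below are constructed and exist only to show where they go.
        UserAgent    = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
        Uris         = [ "/api/v2/status", "/static/app.js" ]
        Headers      = [
            "Content-Type: application/json",
            "X-Request-Id: placeholder"
        ]
        Response {
            Headers = [ "Content-Type: application/json" ]
        }
    }
}

Demon {
    Sleep  = 5      # seconds between check-ins
    Jitter = 20     # percent variation on the sleep interval
}
```

From a detection standpoint, the listener’s UserAgent, Uris and Headers are exactly the fields that make the agent’s traffic look like, or unlike, the default sample profile, so a blue team reviewing the teamserver should record whichever values were in use when building network detections for the exercise.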

So what now? We can interact with the host and do all of our classic C2 pivoting and post-exploitation tasks, open up a shell, and get loot.

Overall, I really like Havoc, and the potential this application has is really exciting. I’m looking forward to using it a bit more once development is further along.

Here are some of the MITRE TTPs I’ve pulled from executing various versions of the Demon payload:

  • Execution: T1059, T1203 (Shellcode Execution)
  • Defense Evasion: T1562.001 (Shellcode Evasion, Syscall from a modified library)

Regan

Security Engineer with a focus on Microsoft Sentinel, the Defender stack, and a bit of Splunk. Opinions are my own. Hack the planet.