Pen testing
C2
Havoc is an open-source C2 framework by C5pider. It can build agents in multiple formats: Windows PE executables, PE DLLs and shellcode. Its modular design allows payloads to be customized for multiple purposes, making it a Swiss Army knife for operations.
Havoc is highly modular: operators can load and execute multiple plugins and commands for specific tasks. This flexibility lets the framework be adapted to different environments and purposes, making it more effective in post-exploitation.
Evasion
The framework includes advanced evasion techniques such as indirect system calls and sleep obfuscation to bypass AV and EDR products. These techniques make it hard for traditional security tools to detect and block Havoc agents.
Protocols
Havoc uses encrypted channels (HTTPS and SMB) for communication between compromised systems and the command server. This encrypted traffic hides the malicious activity from network monitoring tools.
Havoc is still under active development; its functionality is evolving, and custom agents and plugins can be created for different attack scenarios. Variants may differ depending on the plugins and configuration used by the attacker.
Mitigation
- Perform threat hunting and continuous network monitoring to detect anomalies such as unexpected encrypted traffic to unknown hosts.
- Deploy EDR to detect and block suspicious activity.
- Perform regular penetration testing and vulnerability assessments to find and fix security weaknesses.
- Keep all software and systems updated with the latest security patches to reduce the attack surface.
Havoc is used against enterprises with valuable intellectual property or critical infrastructure, but it is a threat to any sector depending on the attacker's purpose.
The operators are unknown, but Havoc is used in targeted attacks, probably by APT groups or sophisticated cybercriminals leveraging its features for malicious purposes.