Havoc's post-exploitation framework.
N2K logoFeb 17, 2023

Open-source C2 framework is surprisingly sophisticated.

Havoc's post-exploitation framework.

Zscaler describes a relatively new, open-source post-exploitation framework called “Havoc.”

Open-source post-exploitation framework.

Zscaler observed the Havoc framework being deployed against a government organization last month, and the security firm has published a detailed analysis of how the framework operates.

BleepingComputer says that “[a]mong its most interesting capabilities, Havoc is cross-platform and it bypasses Microsoft Defender on up-to-date Windows 11 devices using sleep obfuscation, return address stack spoofing, and indirect syscalls.”

It’s worth noting that, like Cobalt Strike and other similar tools, Havoc is intended to be used by penetration testers. Like most pentesting tools, however, it can be abused by threat actors.

Industry comment on Havoc, and C2 frameworks generally.

Matt Mullins, Senior Security Researcher at Cybrary, offered the following comments.:

“Command and Control (or C2) frameworks are nothing new to the threat actor community. For a long time, the FOSS (Free and Open-Source Software) community had a harder time keeping up with the features and functionality associated with premium paid tools like Cobalt Strike. This left learners, lower budget teams, and criminal groups with limited options around older frameworks like Empire, Metasploit, and some very basic custom tooling.

“This all changed around 2018, when it seems that C2 frameworks simply exploded in options. There were a number of very sophisticated tools that reached a fair degree of maturity (such as Sliver, Mythic, etc.) while older frameworks were forked and revisited (such as BC-Security's Empire fork) that gave a wonderful buffet of options to the aforementioned groups.

“As with most things in the industry, as these options became available, so did the options being implemented in threat actor TTPs. Outside of these robust options being made available, paid tooling was beginning to be leaked. Cobalt Strike has had its source code leaked a number of times now, along with other paid tools being shared and cracked. Cracked software is nothing new but what is interesting is the specific shift of criminal groups to target cracking of red team software, as well as red teams for licenses.

“With such a cornucopia of options available to criminals, the detections and patterns used to previously sink paid tools aren't nearly as effective. Take for consideration Cobalt Strike, it was already a big waste of money even back in 2018 because nearly every IR team, EDR tool, or any other defensive capability under the sun, has detection ruling built for a majority of its offerings. This means that it was only useful to advanced red teamers, or criminals, because of the amount of customization needed to get it to work. This brings me back to the original point, why would anybody waste their money or time on Cobalt Strike when they can just download Havoc and it "works" off of the shelf and bypasses detections? Criminals now no longer need to hunt for licenses or crack software, while red teams don’t need to pay absurd prices for tools that they have to know how to use and customize.

“The cat-and-mouse game of detection and innovation is about to accelerate in favor of the offensive side because of this blooming of C2s. Reflecting on the implementation of new tools like ChatGPT, along with other AI tools, and you now have more rapid generation of payloads, phishing emails, and other attacker-beneficial aspects. I can only surmise that we will see more breaches (and thus more potential undetected breaches) as a result of this increase in options and sophistication.”