Havoc v0.6 releases: modern and malleable post-exploitation command and control framework

Features

Indirect Syscalls

When compiled with OBF_SYSCALL, Demon performs indirect syscalls for many Nt* APIs. By masquerading the RIP to point to a location within ntdll.dll, traps placed by EDR solutions (such as process instrumentation callbacks or other forms of syscall tracing)may be evaded.

The Syscall logic is primarily contained within /Teamserver/data/implants/Demon/Source/Core/Syscalls.c

Syscall stubs are dynamically crafted from ntdll.dll on disk and modified so the return address points to NtAddBootEntry (0x180024b6) within the ntdll.dll module.

Commands

Demon has a variety of commands built-in. It also supports the dynamic modification of configuration at runtime, allowing operators to customize defaults pre-set in the profiles throughout an engagement, without modifying the profile and re-generating a payload.

Full documentation on commands can be accessed from the Havoc client by typing help in the interact window. For more information on a particular command, simply tack it on the end of help like so: help [command]

checkin

Requests a checkin request from the Demon. This will output some basic system/configuration information to the Havoc client such as:

• Demon Metadata
  • Magic values
  • First/Last call in timestamps
  • AES Key and IV
  • Sleep Delay
• Host Information
  • Hostname
  • Username
  • Domain Name
  • Internal IP(s)
• Process Information
  • Name
  • Architecture
  • PID
  • Path
  • Elevated
• Operating System
  • Version
  • Build
  • Architecture

sleep

Demon supports sleeping at a specified delay (seconds) with a randomized jitter amount applied in the profile configuration settings.

sleep [delay]

When the Demon sleeps, it first checks if Sleep Masking is enabled in the profile configuration. If so, as long as there are no active job threads running, it will begin to apply the specified sleep obfuscation method and wait until the provided delay to “wake up” and check-in to the teamserver again.

During sleep, x64 demons may implement return address spoofing to hide the real return address.

job

Demon implements a multi-threaded job management system that allows the operator to manage long-running tasks.

OPSEC NOTE: Long-running jobs will PREVENT sleep obfuscation from occuring at the specified sleep interval due to the other threads running. Sleep obfuscation will only occur when there are no job threads in a running state.

• job list – Lists all running jobs.
• job suspend 1 – Suspends a job with the ID of 1
• job resume 1 – Resumes a job with the ID of 1
• job kill 1 – Kills a job with the ID of 1

proc

Process management and enumeration system.

proc [command]

• proc list – Display a list of running processes on the target.
• proc kill [pid] – Kills a process with the specified PID
• proc blockdll [on|off] – Blocks the loading of DLLs that aren’t signed by Microsoft using Process Mitigation Policies

token

Demon implements a token management vault that allows for token theft, impersonation, and privilege modification. All tokens are preserved within a token vault, allowing the operator to list and impersonate any stolen token when convenient.

Tokens are duplicated using SecurityIdentification and SecurityImpersonate privileges, allowing OpenThreadToken to work on impersonated UIDs with OpenAsSelf set to TRUE.

• token getuid – Prints the current user id from the token
• token list – List all stolen tokens in the token vault
• token steal [pid] – Steal the token from the specified PID and save it to the token vault
• token impersonate [id] – Impersonate a token from the token vault
• token make [domain] [username] [password] – Creates a token from the specified credentials and adds it to the vault
• token privs-get – Attempt to acquire all privileges from the current token
• token privs-list – List all privileges from the current token
• token revert – Reverts back to the default process token
• token remove [id] – Removes a token from the vault
• token clear – Removes all tokens from the vault.

shellcode

Demon is capable of injecting shellcode (supplied in raw format as a path) into remote processes using process injection or fork & run. Depending on the technique, operators can choose to use higher-level Win32 APIs or NT versions using indirect syscalls.

• shellcode inject x64 [pid] [path-to-raw-shellcode] – Injects shellcode into the remote process
• shellcode spawn x64 [path-to-raw-shellcode] – Launches the defined fork & run process and injects the shellcode

OPSEC NOTE: Depending on your injection technique and configuration settings, certain API calls may be performed outside of indirect syscalls.

Here is a high-level overview of each supported process injection technique:

* means the API call is performed with indirect syscalls

INJECTION_TECHNIQUE_SYSCALL

1. CreateProcessA
2. Allocate Memory
   • DX_MEM_WIN32 -> VirtualAllocEx
   • DX_MEM_SYSCALL -> NtAllocateVirtualMemory*
3. NtWriteVirtualMemory*
4. NtProtectVirtualMemory*
5. Create Thread
   • DX_THREAD_WIN32 -> CreateRemoteThread
   • DX_THREAD_SYSCALL -> NtCreateThreadEx*
6. NtResumeThread*

dotnet

• dotnet list-versions – Lists all of the installed dotnet versions
• dotnet inline-execute [path-to-assembly] [args] – Executes the dotnet assembly inside of the current process and returns an output

OPSEC NOTE: Calling inline-execute creates an instance of the CLR (Common Language Runtime) within the demon’s process to execute dotnet assemblies. This is an irreversible procedure and may provide more IoCs to defenders.

The inline-execute works by first creating an instance of the CLR (Common Language Runtime) within the current Demon process. After the CLR is created, amsi.dll is loaded and patched in-memory to bypass AMSI scanning. Demon then creates an AppDomain and loads the assembly into memory, finding the entry point and passing the commandline args supplied by the user before invoking the method. Output from the assembly is captured and returned to the teamserver.