Indicator of Protection: Bringing Order to Chaos and Disrupting HAVOC C2

Feb. 3, 2024 | Categories: Research

Sorry Havoc C2, better luck next time!

⚔️ ADVANCED C2 FRAMEWORK

Havoc C2

"Havoc is a modern, malleable post-exploitation command and control framework made for penetration testers, red teams, and blue teams."
→ Visit Havoc C2 Framework

📚 Background

We came across this blog post yesterday claiming to defeat EDRs. We've heard a lot of this recently.

📖 Evading EDR: The Definitive Guide to Defeating Endpoint Detection Systems

🎯 The Bold Claim

Havoc C2 with AV/EDR Bypass Methods in 2024 (Part 1)

Claims to bypass AV/EDR with advanced evasion techniques

🎖️ To be totally fair to Sam Rothlisberger, who I believe is also a U.S. Army Officer (thank you for your service!), Sam doesn't have access to Karma-X, as neither Sam nor the U.S. Army has purchased it yet.

🔬 Let's Put It to the Test

Curiosity killed the cat, so let's just try this new "advanced EDR evasion" against Karma-X.

Important Context: Karma-X has YARA and the like, but that's not what we are relying on here, especially because Sam's post specifically relies on techniques that sidestep signatures, such as repeatedly tweaking the payload until Windows Defender no longer flags it.

This is exactly the point of this blog of ours: Monopolies Fail in Cybersecurity: The Case for Small, Specialized, and Agile Platforms

🎬 The Demo

Step 1: Set up the attack infrastructure

We load up a TeamServer, add a listener, and launch a client:

[Screenshot: Havoc TeamServer setup] [Screenshot: Havoc client]

Step 2: Generate the "advanced" payload

We generate demon.x64.bin with the exact same settings as the blog post, with all the fancy AMSI and EDR evasions enabled.

[Screenshot: Havoc payload generation]

⚙️ Testing Assumptions:

In the interest of getting down to it, we are going to use a harness to see whether any of this "advanced stealthy malware" can get past our defenses. Specifically, we want to let the payload do its work without interference from any loader-stage detection.

There are a million and one ways to attempt to get your code loaded stealthily: encoders, packers, etc. Let's just assume the attacker gets their "arbitrary code" loaded. Karma has a test harness for exactly that.

Step 3: Execute the attack

OK, let's load the Havoc C2 payload into a Karma-X protected process (no tricks, just execute the code).

[Screenshot: Executing the Havoc code]

⏳ The Moment of Truth

Will the "advanced EDR evasion" work against Karma-X?

❌ BLOCKED

Whoops, attack not worky.

[Screenshot: Karma-X detection]

🛡️ Protection Delivered

Even with all the fancy AMSI bypasses, EDR evasion techniques, and stealthy methods, Karma-X stopped the attack cold.

This is what true protection looks like.

Indicator of Protection ✓

🚀 Get Protected Today

Get Indicators of Protection for your systems today!

Access Vitamin-K Here!

(after signing up and logging in)
