Indicator of Protection: Bringing Order to Chaos and Disrupting HAVOC C2

Feb. 3, 2024 | Categories: Research

Sorry Havoc C2, better luck next time!

Havoc C2 describes itself on its website (Havoc C2 Framework): "Havoc is a modern, malleable post-exploitation command and control framework made for penetration testers, red teams, and blue teams."

Background

We came across this blog post yesterday claiming to defeat EDRs. We've heard a lot of this recently (see, for example, the Evading EDR book).

This is the blog post: Havoc C2 with AV/EDR Bypass Methods in 2024 (Part 1)

To be totally fair to Sam Rothlisberger, who I believe is also a U.S. Army Officer (thank you for your service!), Sam doesn't have access to Karma-X, as neither Sam nor the U.S. Army has purchased it yet.

Demo

Curiosity killed the cat, so let's just try this new advanced EDR evasion against Karma-X. Karma-X has Yara and whatnot, but that's not what we are relying on here, especially because Sam is relying on different techniques to avoid signatures, such as trying over and over again to evade detection by Windows Defender. This is exactly the point of our earlier blog post about why you shouldn't rely on Microsoft Defender: Monopolies Fail in Cybersecurity: The Case for Small, Specialized, and Agile Platforms

To get to it:

1) We load up a TeamServer, add a listener, and launch a client:

2) We generate demon.x64.bin with the exact same settings from the blog post, with all the fancy AMSI and EDR evasions.

In the interest of just getting down to it, we are going to use a harness to see if any of this "advanced stealthy malware" can get past our defenses. Specifically, we just want to let it do its work. There are a million and one ways to attempt to get your code loaded stealthily (encoders, packers, etc.), so let's just assume they get their "arbitrary code" running. Karma has a test harness for that.

Ok, let's just load Havoc C2 into a Karma-protected process (no tricks, just execute the code).

Whoops, attack not worky.

Contact Us

Get Indicators of Protection for your systems today! You can start for free by accessing Vitamin-K here! (after signing up and logging in)

Easy Install

From small business to enterprise, Karma-X installs simply and immediately adds peace of mind.

Integration Ready

Karma-X doesn't interfere with other software, only malware and exploits, due to its unique design.

Reduce Risk

Whether adversary nation or criminal actors, Karma-X significantly reduces the exploitation risk of any organization.

Updated Regularly

Update to deploy new defensive techniques to suit your organization's needs as they are offered.

Deploy Karma-X

Get Karma-X!