Bypass MS Defender with Havoc C2 + Zerodetection
Juni 2, 2024 - Lesezeit: 3 Minuten

In this blog post, we'll explore how to use the C2 framework Havoc and the Zerodetection toolset to create implants that remain undetectable by AV, EPP, EDR, and XDR systems.

Havoc C2 is a modern Command and Control (C2) framework designed for post-exploitation activities. It was programmed by the talented coder C5pider and is used by security professionals to simulate advanced persistent threats (APTs) and test the resilience of networks against sophisticated cyber attacks. Havoc C2 provides a robust infrastructure for managing compromised hosts, delivering payloads, and executing commands remotely. Its modular architecture allows for the integration of custom payloads and exploits, making it a versatile tool for red teaming and penetration testing. With features like encrypted communications, multi-platform support, and a user-friendly interface, Havoc C2 helps security teams evaluate and improve their defensive strategies against real-world adversaries.

First, we'll begin by launching Havoc. To do this, we start the team server and connect using the Havoc client.

Next, we open the payload generator and create an agent.

We generate an agent using the Ekko sleep technique and choose the format "Windows Shellcode."

We open up the "Implant Builder," choose our generated payload, and select a template.

We transfer our newly generated implant to the target machine and execute it.

The machine should now be visible in Havoc.

Everything is working smoothly and without any interruptions from the antivirus.

Havoc is a remarkable C2 framework developed by the talented coder C5pider. Its generated agents are highly effective out of the box and can even bypass AV products like MS Defender without requiring any adjustments. When combined with various bypass techniques provided by Zerodetection, it forms a potent combination capable of evading even the most sophisticated endpoint security systems.

In this example, we're leveraging the Havoc Framework to generate an agent using the Ekko sleep technique. This agent will then be integrated into a loader created using Zerodetection's "Implant Builder." The loader is crafted with the Fiber template, which utilizes fiber techniques to bypass AV/EPP/EDR/XDR systems. Additionally, the shellcode is encrypted using a custom XOR encryption for added security.

Search

About us

We are on a mission to assist Red Teams and Pentesters in fulfilling their security tasks with the best tools available. We specialize in offensive cybersecurity research, constantly staying abreast of the latest techniques and procedures. Our dedicated research team ensures that we are at the forefront of advancements, guaranteeing our clients state-of-the-art offensive techniques. Our toolkit is developed with ethics and the greater good in mind.

Navigation

Static Pages