Payloads

Attack -> Payload

General Settings

Agent: Payload agent chooser which allows you to choose between the default agent, known as "Demon", and any registered service agents. By default, only the "Demon" option is available, which serves as the default and primary agent within the Havoc Framework.

Listener: Specify the listener to which the payload should connect.

Arch: Choose the architecture of the payload.

Format: Choose between "Windows Exe", "Windows Dll", "Windows Shellcode", or "Windows Service Exe".

Runtime & In-memory Settings

- Sleep

Define in seconds how long the agent should pause after each tasking routine.

- Jitter

Percentage of variability applied to the agent's sleep time. For example, with 10% jitter and a sleep time of 60 seconds, the agent's sleep duration ranges between 54 and 66 seconds.
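Defender-side view of the sleep and jitter settings above, as an added example that is not part of the Havoc documentation: it computes the sleep window for a given sleep/jitter pair, estimates both settings from a list of callback timestamps, and checks whether observed traffic fits a configured window. The sample timestamps and the function names are assumptions constructed for the example.

```python
import math
from typing import Sequence


def jitter_window(sleep_s: float, jitter_pct: float) -> tuple[float, float]:
    """Return the (min, max) sleep duration the agent can pick.
    The page's case, 60 s with 10% jitter, gives (54.0, 66.0)."""
    if not 0 <= jitter_pct <= 100:
        raise ValueError("jitter must be a percentage between 0 and 100")
    delta = sleep_s * jitter_pct / 100.0
    return (sleep_s - delta, sleep_s + delta)


def intervals(timestamps: Sequence[float]) -> list[float]:
    """Inter-arrival times between consecutive callbacks, in seconds."""
    ts = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


def estimate_sleep_jitter(timestamps: Sequence[float]) -> tuple[float, int]:
    """Estimate (sleep seconds, jitter percent) from observed callbacks.
    A jittered sleep lands in [sleep - d, sleep + d], so the midpoint of the
    smallest and largest gap estimates sleep and the half-range estimates d;
    jitter is d / sleep, rounded up to a whole percent."""
    gaps = intervals(timestamps)
    if len(gaps) < 3:
        raise ValueError("need at least four callbacks to estimate")
    lo, hi = min(gaps), max(gaps)
    sleep = (lo + hi) / 2
    return sleep, math.ceil((hi - lo) / 2 / sleep * 100)


def consistent_with(timestamps: Sequence[float], sleep_s: float,
                    jitter_pct: float, tolerance_s: float = 1.0) -> bool:
    """True if every observed gap lies inside the configured window,
    widened by a small tolerance for network and logging delay."""
    lo, hi = jitter_window(sleep_s, jitter_pct)
    return all(lo - tolerance_s <= g <= hi + tolerance_s
               for g in intervals(timestamps))


# Constructed sample (not real data): seconds at which one host contacted
# the same external destination, as a proxy log would record them.
SAMPLE_CALLBACKS = [0, 55, 118, 176, 241, 297, 358, 417]

if __name__ == "__main__":
    print("window for 60 s / 10%:", jitter_window(60, 10))
    print("estimated sleep/jitter:", estimate_sleep_jitter(SAMPLE_CALLBACKS))
    print("fits 60 s / 10%?", consistent_with(SAMPLE_CALLBACKS, 60, 10))
```

The estimate is only as good as the number of callbacks observed; with few samples the half-range understates the true jitter, which is why it is rounded up.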

- Indirect Syscalls

Choose whether the agent should use indirect syscalls.

- Stack Duplication

Determines whether the agent should duplicate its stack during sleep to obfuscate the stack of the agent thread. This option is only available and relevant when a sleep technique other than the default WaitForSingleObjectEx has been chosen.

- Sleep Technique

Determines whether the agent should use sleep obfuscation to obscure its memory and delay execution during sleep. There are three available options:

Foliage --> Uses a chain of APC calls (NtQueueApcThread) to obfuscate the agent's memory during sleep.

Ekko --> Relies on the timers API (RtlCreateTimer) to queue a chain of NtContinue calls, resulting in memory obfuscation and delayed execution.

Zilean --> Leverages the timers API (RtlRegisterWait) to queue a chain of NtContinue calls for memory obfuscation and execution delay.

- Proxy Loading

This feature lets the agent load the modules it needs through a proxy function. By default, the agent uses LdrLoadDll to load modules without proxying the call. If any other option is selected, the agent proxies the call to LoadLibraryW through the chosen function. Available proxy functions are RtlRegisterWait, RtlCreateTimer, and RtlQueueWorkItem.

- Amsi/Etw Patch

This option guides the agent on how to handle patching or evading AMSI and ETW functions.

- Injection

Alloc: Tells the agent how to allocate local or remote memory. The options are "Native/Syscall", which uses NtAllocateVirtualMemory (through syscalls if that option was selected above), and "Win32", which uses VirtualAllocEx.

Execute: Tells the agent how to execute local or remote threads. The options are "Native/Syscall", which uses NtCreateThreadEx (through syscalls if that option was selected above), and "Win32", which uses CreateRemoteThread.

Spawn64: Specifies which x64 sacrificial process the agent should use when performing spawning and injecting into processes for post-exploitation modules.

Spawn86: Specifies which x86 sacrificial process the agent should use when performing spawning and injecting into processes for post-exploitation modules.
