{"description": "Enterprise techniques used by Havoc, ATT&CK software S1229 (v1.1)", "name": "Havoc (S1229)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.001", "comment": "[Havoc](https://attack.mitre.org/software/S1229) has a module capable of token impersonation.(Citation: Havoc Framework Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087", "comment": "[Havoc](https://attack.mitre.org/software/S1229) can identify privileged user accounts on infected systems.(Citation: Fortinet Havoc MAR 2025)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Havoc](https://attack.mitre.org/software/S1229) can use HTTP/S listeners to establish and maintain C2 communications. (Citation: Havoc Framework Documentation)(Citation: Zscaler Havoc FEB 2023)(Citation: Fortinet Havoc MAR 2025)(Citation: Immersive Labs Havoc C2 APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.002", "comment": "[Havoc](https://attack.mitre.org/software/S1229) can use an SMB listener for C2 communication.(Citation: Havoc Framework Documentation)(Citation: Zscaler Havoc FEB 2023)(Citation: Immersive Labs Havoc C2 APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Havoc](https://attack.mitre.org/software/S1229) can facilitate the execution of PowerShell commands.(Citation: Immersive Labs Havoc C2 APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Havoc](https://attack.mitre.org/software/S1229) can execute commands via `cmd.exe`.(Citation: Havoc Framework Documentation)(Citation: Immersive Labs Havoc C2 APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Havoc](https://attack.mitre.org/software/S1229) can download files from the victim's computer.(Citation: Havoc Framework Documentation)(Citation: Immersive Labs Havoc C2 APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Havoc](https://attack.mitre.org/software/S1229) can send an AES encrypted check-in request to the C2 server.(Citation: Zscaler Havoc FEB 2023)(Citation: Fortinet Havoc MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1083", "comment": "The [Havoc](https://attack.mitre.org/software/S1229) interface can display a file explorer view of the compromised host.(Citation: Havoc Framework Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[Havoc](https://attack.mitre.org/software/S1229) has leveraged legitimate executables to side-load malicious payloads.(Citation: Check Point Wirte NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Havoc](https://attack.mitre.org/software/S1229) has the ability to upload files to infected systems.(Citation: Havoc Framework Documentation)(Citation: Immersive Labs Havoc C2 APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1559", "comment": "The [Havoc](https://attack.mitre.org/software/S1229) SMB demon can use named pipes for communication through a parent demon.(Citation: Havoc Framework Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1570", "comment": "[Havoc](https://attack.mitre.org/software/S1229) has the ability to copy files from one location to another.(Citation: Havoc Framework Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Havoc](https://attack.mitre.org/software/S1229) can use `NtAllocateVirtualMemory` and `NtCreateThreadEx` to aid process injection.(Citation: Havoc Framework Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[Havoc](https://attack.mitre.org/software/S1229) has utilized XOR encryption with the key \u201c01-01-1900\u201d to obfuscate command strings.(Citation: Check Point Wirte NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[Havoc](https://attack.mitre.org/software/S1229) has been distributed through ClickFix phishing campaigns.(Citation: Fortinet Havoc MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Havoc](https://attack.mitre.org/software/S1229) can enumerate processes on targeted hosts.(Citation: Havoc Framework Documentation)(Citation: Zscaler Havoc FEB 2023)(Citation: Fortinet Havoc MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[Havoc](https://attack.mitre.org/software/S1229) has DLL spawn and injection modules.(Citation: Havoc Framework Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.002", "comment": "[Havoc](https://attack.mitre.org/software/S1229) has injected itself into `C:\\\\Windows\\\\System32\\\\Werfault.exe` on targeted systems.(Citation: Havoc Framework Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "comment": "[Havoc](https://attack.mitre.org/software/S1229) has the ability to route HTTP/S communications through designated proxies.(Citation: Havoc Framework Documentation)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1018", "comment": "[Havoc](https://attack.mitre.org/software/S1229) features a module capable of host enumeration.(Citation: Havoc Framework Documentation)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Havoc](https://attack.mitre.org/software/S1229) can capture screenshots.(Citation: Havoc Framework Documentation)(Citation: Zscaler Havoc FEB 2023)(Citation: Immersive Labs Havoc C2 APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Havoc](https://attack.mitre.org/software/S1229) can gather system information including hostname, domain, and OS details.(Citation: Fortinet Havoc MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Havoc](https://attack.mitre.org/software/S1229) has a module for network enumeration including determining IP addresses.(Citation: Havoc Framework Documentation)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1016.001", "comment": "The [Havoc](https://attack.mitre.org/software/S1229) demon can check for a connection to the C2 server from the target machine.(Citation: Zscaler Havoc FEB 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1033", "comment": "[Havoc](https://attack.mitre.org/software/S1229) can trigger execution of `whoami` on the target host to display the current user.(Citation: Zscaler Havoc FEB 2023)(Citation: Fortinet Havoc MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Havoc](https://attack.mitre.org/software/S1229) has been executed by victims through the use of targeted lures and crafted decoy documents.(Citation: Check Point Wirte NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.004", "comment": "The [Havoc](https://attack.mitre.org/software/S1229) infection chain has been initiated via ClickFix lures in phishing emails.(Citation: Fortinet Havoc MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "The [Havoc](https://attack.mitre.org/software/S1229) demon agent can be set to sleep for a specified time.(Citation: Havoc Framework Documentation)(Citation: Zscaler Havoc FEB 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Havoc", "color": "#66b1ff"}]}