Havoc is an open-source adversary simulation framework written in C and Go, released publicly in 2022 by @C5pider. It provides a Cobalt Strike-style operator console, a teamserver, and a cross-platform agent called the Demon. Within a year of release, threat intelligence reporting from Rapid7, Elastic, and Zscaler documented Havoc adoption by APT groups, ransomware affiliates, and financially motivated threat actors across real intrusions. The appeal is uncomplicated: it’s free, actively developed, and produced implants that signature-based tooling wasn’t initially tuned to detect.
This guide covers the Demon agent’s principal detection surfaces: named pipes, network beaconing, process injection, and PPID spoofing, with Sigma rules and KQL queries you can adapt for your environment.
Demon Agent Architecture
The Demon is Havoc’s primary implant. It supports HTTP, HTTPS, and SMB-over-named-pipe transports, with C2 profile configuration controlling request headers, user agents, URIs, and sleep intervals. Core capabilities include:
- Process injection via CreateRemoteThread, NtCreateThreadEx, and shellcode injection
- Parent process ID (PPID) spoofing to manipulate process ancestry
- Token impersonation and privilege escalation
- SMB named pipe pivoting for lateral movement
- NTDLL unhooking to bypass user-mode EDR hooks
- Post-exploitation modules for credential access, enumeration, and lateral movement staging
Detection is complicated by per-build configurable C2 profiles (custom headers, randomised URIs, tunable jitter) and the framework’s active update cycle. Signature-based approaches degrade quickly. Behavioural detection on stable indicators is the viable path.
Named Pipe Detection
Havoc uses named pipes for SMB transport and lateral movement pivoting. Default pipe name patterns include msagent_* prefixes, though operators can configure arbitrary names. The detection lever isn’t the pipe name but the creating process: pipes created by processes running from temp directories, AppData paths, or under unexpected parent processes are high-signal regardless of the name chosen.
Sysmon Event IDs 17 (pipe created) and 18 (pipe connected) are the required data source.
Sigma: Havoc Named Pipe Creation
title: Havoc C2 Named Pipe Creation
id: 7e2f4d81-3b9a-4c8e-b12f-d5e7a3c90f44
status: experimental
description: Detects named pipe creation patterns associated with the Havoc C2 Demon agent
logsource:
category: pipe_created
product: windows
detection:
selection_pipe_pattern:
PipeName|startswith:
- '\msagent_'
selection_suspicious_creator:
Image|contains:
- '\Temp\'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '\ProgramData\'
filter_chromium:
Image|contains:
- '\Google\Chrome\'
- '\Microsoft\Edge\'
condition: selection_pipe_pattern or (selection_suspicious_creator and not filter_chromium)
falsepositives:
- Developer tools running from user profile directories
level: medium
tags:
- attack.command_and_control
- attack.t1071
- attack.t1559.001
Pair pipe creation events with process creation (Sysmon Event 1) to get the full ancestry picture. A pipe created by a process whose parent chain includes injected shellcode is much higher confidence than the pipe name alone.
Network Beaconing Detection
Havoc’s HTTPS transport generates a TLS certificate on teamserver startup. The default certificate produces a JA3 server fingerprint that has been published in threat intelligence feeds and incorporated into commercial detection platforms. In environments with TLS inspection, this provides a strong detection point for default deployments. Operators aware of this rotate to custom certificates, so relying solely on JA3 is insufficient.
The fallback layer is beaconing cadence. Havoc’s default sleep is 2 seconds with 0% jitter, creating machine-regular inter-beacon intervals that legitimate business applications don’t produce. Look for:
- Repeated connections to external infrastructure at intervals of 1 to 10 seconds with low variance
- HTTP POST requests to the same external endpoint with consistent payload sizes over an extended window
- Default user agent:
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
KQL: Suspicious Beacon Cadence (Microsoft Sentinel)
let suspectProcesses = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "teams.exe", "onedrive.exe"]);
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in (suspectProcesses)
| summarize
ConnectionCount = count(),
TimeSpanMinutes = datetime_diff('minute', max(Timestamp), min(Timestamp)),
Ports = make_set(RemotePort),
Processes = make_set(InitiatingProcessFileName)
by DeviceId, DeviceName, RemoteIP, InitiatingProcessFolderPath, bin(Timestamp, 30m)
| where ConnectionCount >= 15
| where TimeSpanMinutes > 0
| extend ConnPerMinute = toreal(ConnectionCount) / toreal(TimeSpanMinutes)
| where ConnPerMinute >= 0.5
| where InitiatingProcessFolderPath !startswith "C:\\Program Files"
| where InitiatingProcessFolderPath !startswith "C:\\Windows"
| project DeviceName, RemoteIP, Ports, Processes, InitiatingProcessFolderPath, ConnectionCount, ConnPerMinute, TimeSpanMinutes
| sort by ConnPerMinute desc
This surfaces processes with regular, frequent external connections that originate from non-standard paths. Tune the ConnectionCount and ConnPerMinute thresholds based on your environment’s baseline.
Process Injection Detection
Havoc’s Demon agent performs process injection to run shellcode inside legitimate host processes, reducing its visible footprint in process lists. The most commonly observed technique across incident response cases is CreateRemoteThread-based injection targeting processes like svchost.exe, notepad.exe, and msiexec.exe.
Sigma: Remote Thread Injection from Suspicious Path
title: Havoc Demon Process Injection via CreateRemoteThread
id: 9c3a7f52-e8b1-4d9c-a23e-f4b6c8d01e55
status: experimental
description: Detects remote thread creation into common host processes from executables running in user-writable directories
logsource:
category: create_remote_thread
product: windows
detection:
selection_target:
TargetImage|endswith:
- '\notepad.exe'
- '\msiexec.exe'
- '\werfault.exe'
- '\regsvr32.exe'
- '\wscript.exe'
- '\cscript.exe'
selection_source_path:
SourceImage|contains:
- '\Temp\'
- '\AppData\Local\'
- '\AppData\Roaming\'
- '\ProgramData\'
- '\Users\Public\'
filter_legit:
SourceImage|startswith:
- 'C:\Windows\system32\'
- 'C:\Program Files\Common Files\microsoft shared\'
condition: selection_target and selection_source_path and not filter_legit
falsepositives:
- Software installers executing from temp directories
- Some AV products
level: high
tags:
- attack.defense_evasion
- attack.t1055.001
- attack.t1055.003
For environments running Microsoft Defender for Endpoint, the equivalent KQL:
DeviceEvents
| where ActionType == "CreateRemoteThreadApiCall"
| where InitiatingProcessFolderPath has_any ("\\Temp\\", "\\AppData\\Local\\", "\\AppData\\Roaming\\", "\\ProgramData\\")
| where FileName in~ ("notepad.exe", "msiexec.exe", "werfault.exe", "regsvr32.exe", "wscript.exe")
| where InitiatingProcessFolderPath !startswith "C:\\Windows\\system32"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, FileName, InitiatingProcessCommandLine
| sort by Timestamp desc
PPID Spoofing Detection
Havoc supports parent process ID spoofing: the Demon agent spawns child processes that appear in the process tree with a legitimate parent (typically explorer.exe or svchost.exe) but were actually created by the injected agent. Detection requires correlating the reported parent PID with the process that actually held that PID at spawn time.
Sigma: Process Ancestry Mismatch
title: Suspicious Process Spawned with Spoofed Parent
id: 4b8e2c93-f71a-5d0e-c34b-a6d9e0f12b67
status: experimental
description: Detects processes reporting a legitimate parent process while originating from a different ancestry, indicative of PPID spoofing
logsource:
category: process_creation
product: windows
detection:
selection_spoofed_parent:
ParentImage|endswith: '\explorer.exe'
Image|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\wscript.exe'
- '\mshta.exe'
- '\rundll32.exe'
filter_expected_explorer_children:
CurrentDirectory|startswith:
- 'C:\Users\'
Image|endswith: '\cmd.exe'
CommandLine|contains: '/c'
condition: selection_spoofed_parent and not filter_expected_explorer_children
falsepositives:
- Some legitimate administrative tools
- User-initiated command prompts from Explorer
level: medium
tags:
- attack.defense_evasion
- attack.t1134.004
MITRE ATT&CK Coverage Map
| Technique | ID | Primary Data Source |
|---|---|---|
| Web Protocols C2 | T1071.001 | Network/Proxy logs |
| Encrypted Channel | T1573.002 | TLS inspection, JA3 |
| Process Injection: CreateRemoteThread | T1055.001 | Sysmon Event 8 |
| Process Injection: Thread Execution Hijacking | T1055.003 | Sysmon Event 8 |
| PPID Spoofing | T1134.004 | Sysmon Event 1 |
| Named Pipe IPC | T1559.001 | Sysmon Event 17/18 |
| Disable/Modify Tools | T1562.001 | Sysmon Event 7 (NTDLL load) |
| Token Impersonation | T1134.001 | Security Event 4624 |
Sysmon Requirements
Effective Havoc detection with the Sigma rules above requires Sysmon logging for:
- Event ID 1: Process creation with command line and parent process data
- Event ID 7: Image loaded (for monitoring NTDLL manipulation)
- Event ID 8: CreateRemoteThread
- Event ID 17/18: Pipe created and connected
- Event ID 22: DNS query events
The SwiftOnSecurity Sysmon configuration baseline covers these event IDs with appropriate filtering to manage volume. For high-fidelity named pipe monitoring, add pipe event filtering rules to reduce noise from Chromium browser pipe activity.