Havoc is an open-source adversary simulation framework written in C and Go, released publicly in 2022 by @C5pider. It provides a Cobalt Strike-style operator console, a teamserver, and a cross-platform agent called the Demon. Within a year of release, threat intelligence reporting from Rapid7, Elastic, and Zscaler documented Havoc adoption by APT groups, ransomware affiliates, and financially motivated threat actors across real intrusions. The appeal is uncomplicated: it’s free, actively developed, and produced implants that signature-based tooling wasn’t initially tuned to detect.

This guide covers the Demon agent’s principal detection surfaces: named pipes, network beaconing, process injection, and PPID spoofing, with Sigma rules and KQL queries you can adapt for your environment.

Demon Agent Architecture

The Demon is Havoc’s primary implant. It supports HTTP, HTTPS, and SMB-over-named-pipe transports, with C2 profile configuration controlling request headers, user agents, URIs, and sleep intervals. Core capabilities include:

  • Process injection via CreateRemoteThread, NtCreateThreadEx, and shellcode injection
  • Parent process ID (PPID) spoofing to manipulate process ancestry
  • Token impersonation and privilege escalation
  • SMB named pipe pivoting for lateral movement
  • NTDLL unhooking to bypass user-mode EDR hooks
  • Post-exploitation modules for credential access, enumeration, and lateral movement staging

Detection is complicated by per-build configurable C2 profiles (custom headers, randomised URIs, tunable jitter) and the framework’s active update cycle. Signature-based approaches degrade quickly. Behavioural detection on stable indicators is the viable path.

Named Pipe Detection

Havoc uses named pipes for SMB transport and lateral movement pivoting. Default pipe name patterns include msagent_* prefixes, though operators can configure arbitrary names. The detection lever isn’t the pipe name but the creating process: pipes created by processes running from temp directories, AppData paths, or under unexpected parent processes are high-signal regardless of the name chosen.

Sysmon Event IDs 17 (pipe created) and 18 (pipe connected) are the required data source.

Sigma: Havoc Named Pipe Creation

title: Havoc C2 Named Pipe Creation
id: 7e2f4d81-3b9a-4c8e-b12f-d5e7a3c90f44
status: experimental
description: Detects named pipe creation patterns associated with the Havoc C2 Demon agent
logsource:
    category: pipe_created
    product: windows
detection:
    selection_pipe_pattern:
        PipeName|startswith:
            - '\msagent_'
    selection_suspicious_creator:
        Image|contains:
            - '\Temp\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\ProgramData\'
    filter_chromium:
        Image|contains:
            - '\Google\Chrome\'
            - '\Microsoft\Edge\'
    condition: selection_pipe_pattern or (selection_suspicious_creator and not filter_chromium)
falsepositives:
    - Developer tools running from user profile directories
level: medium
tags:
    - attack.command_and_control
    - attack.t1071
    - attack.t1559.001

Pair pipe creation events with process creation (Sysmon Event 1) to get the full ancestry picture. A pipe created by a process whose parent chain includes injected shellcode is much higher confidence than the pipe name alone.

Network Beaconing Detection

Havoc’s HTTPS transport generates a TLS certificate on teamserver startup. The default certificate produces a JA3 server fingerprint that has been published in threat intelligence feeds and incorporated into commercial detection platforms. In environments with TLS inspection, this provides a strong detection point for default deployments. Operators aware of this rotate to custom certificates, so relying solely on JA3 is insufficient.

The fallback layer is beaconing cadence. Havoc’s default sleep is 2 seconds with 0% jitter, creating machine-regular inter-beacon intervals that legitimate business applications don’t produce. Look for:

  • Repeated connections to external infrastructure at intervals of 1 to 10 seconds with low variance
  • HTTP POST requests to the same external endpoint with consistent payload sizes over an extended window
  • Default user agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)

KQL: Suspicious Beacon Cadence (Microsoft Sentinel)

let suspectProcesses = dynamic(["chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "teams.exe", "onedrive.exe"]);
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| where InitiatingProcessFileName !in (suspectProcesses)
| summarize
    ConnectionCount = count(),
    TimeSpanMinutes = datetime_diff('minute', max(Timestamp), min(Timestamp)),
    Ports = make_set(RemotePort),
    Processes = make_set(InitiatingProcessFileName)
    by DeviceId, DeviceName, RemoteIP, InitiatingProcessFolderPath, bin(Timestamp, 30m)
| where ConnectionCount >= 15
| where TimeSpanMinutes > 0
| extend ConnPerMinute = toreal(ConnectionCount) / toreal(TimeSpanMinutes)
| where ConnPerMinute >= 0.5
| where InitiatingProcessFolderPath !startswith "C:\\Program Files"
| where InitiatingProcessFolderPath !startswith "C:\\Windows"
| project DeviceName, RemoteIP, Ports, Processes, InitiatingProcessFolderPath, ConnectionCount, ConnPerMinute, TimeSpanMinutes
| sort by ConnPerMinute desc

This surfaces processes with regular, frequent external connections that originate from non-standard paths. Tune the ConnectionCount and ConnPerMinute thresholds based on your environment’s baseline.

Process Injection Detection

Havoc’s Demon agent performs process injection to run shellcode inside legitimate host processes, reducing its visible footprint in process lists. The most commonly observed technique across incident response cases is CreateRemoteThread-based injection targeting processes like svchost.exe, notepad.exe, and msiexec.exe.

Sigma: Remote Thread Injection from Suspicious Path

title: Havoc Demon Process Injection via CreateRemoteThread
id: 9c3a7f52-e8b1-4d9c-a23e-f4b6c8d01e55
status: experimental
description: Detects remote thread creation into common host processes from executables running in user-writable directories
logsource:
    category: create_remote_thread
    product: windows
detection:
    selection_target:
        TargetImage|endswith:
            - '\notepad.exe'
            - '\msiexec.exe'
            - '\werfault.exe'
            - '\regsvr32.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    selection_source_path:
        SourceImage|contains:
            - '\Temp\'
            - '\AppData\Local\'
            - '\AppData\Roaming\'
            - '\ProgramData\'
            - '\Users\Public\'
    filter_legit:
        SourceImage|startswith:
            - 'C:\Windows\system32\'
            - 'C:\Program Files\Common Files\microsoft shared\'
    condition: selection_target and selection_source_path and not filter_legit
falsepositives:
    - Software installers executing from temp directories
    - Some AV products
level: high
tags:
    - attack.defense_evasion
    - attack.t1055.001
    - attack.t1055.003

For environments running Microsoft Defender for Endpoint, the equivalent KQL:

DeviceEvents
| where ActionType == "CreateRemoteThreadApiCall"
| where InitiatingProcessFolderPath has_any ("\\Temp\\", "\\AppData\\Local\\", "\\AppData\\Roaming\\", "\\ProgramData\\")
| where FileName in~ ("notepad.exe", "msiexec.exe", "werfault.exe", "regsvr32.exe", "wscript.exe")
| where InitiatingProcessFolderPath !startswith "C:\\Windows\\system32"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath, FileName, InitiatingProcessCommandLine
| sort by Timestamp desc

PPID Spoofing Detection

Havoc supports parent process ID spoofing: the Demon agent spawns child processes that appear in the process tree with a legitimate parent (typically explorer.exe or svchost.exe) but were actually created by the injected agent. Detection requires correlating the reported parent PID with the process that actually held that PID at spawn time.

Sigma: Process Ancestry Mismatch

title: Suspicious Process Spawned with Spoofed Parent
id: 4b8e2c93-f71a-5d0e-c34b-a6d9e0f12b67
status: experimental
description: Detects processes reporting a legitimate parent process while originating from a different ancestry, indicative of PPID spoofing
logsource:
    category: process_creation
    product: windows
detection:
    selection_spoofed_parent:
        ParentImage|endswith: '\explorer.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\wscript.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
    filter_expected_explorer_children:
        CurrentDirectory|startswith:
            - 'C:\Users\'
        Image|endswith: '\cmd.exe'
        CommandLine|contains: '/c'
    condition: selection_spoofed_parent and not filter_expected_explorer_children
falsepositives:
    - Some legitimate administrative tools
    - User-initiated command prompts from Explorer
level: medium
tags:
    - attack.defense_evasion
    - attack.t1134.004

MITRE ATT&CK Coverage Map

TechniqueIDPrimary Data Source
Web Protocols C2T1071.001Network/Proxy logs
Encrypted ChannelT1573.002TLS inspection, JA3
Process Injection: CreateRemoteThreadT1055.001Sysmon Event 8
Process Injection: Thread Execution HijackingT1055.003Sysmon Event 8
PPID SpoofingT1134.004Sysmon Event 1
Named Pipe IPCT1559.001Sysmon Event 17/18
Disable/Modify ToolsT1562.001Sysmon Event 7 (NTDLL load)
Token ImpersonationT1134.001Security Event 4624

Sysmon Requirements

Effective Havoc detection with the Sigma rules above requires Sysmon logging for:

  • Event ID 1: Process creation with command line and parent process data
  • Event ID 7: Image loaded (for monitoring NTDLL manipulation)
  • Event ID 8: CreateRemoteThread
  • Event ID 17/18: Pipe created and connected
  • Event ID 22: DNS query events

The SwiftOnSecurity Sysmon configuration baseline covers these event IDs with appropriate filtering to manage volume. For high-fidelity named pipe monitoring, add pipe event filtering rules to reduce noise from Chromium browser pipe activity.

References