S1229: Havoc
Havoc is an open-source post-exploitation command and control (C2) framework first released on GitHub in October 2022 by C5pider (Paul Ungur), who continues to maintain and develop it with community contributors. Havoc provides a wide range of offensive security capabilities and has been adopted by multiple threat actors to establish and maintain control over compromised systems.
Analyst context for executives and security teams
Havoc matters because it is an open-source post-exploitation command-and-control framework with broad offensive capabilities and documented adoption by multiple threat actors. For leaders, the key issue is not the tool name alone; it is whether the organization can detect and respond to the behaviors commonly associated with a modern C2 framework across Windows, Linux, and macOS endpoints.
Executive priority
Treat Havoc as a coverage-validation case for post-compromise resilience. Executives should ask whether SOC, endpoint, network, and incident response teams can prove visibility into discovery, command execution, tool transfer, proxying, screen capture, local data collection, and Windows injection or token impersonation behaviors. Because ATT&CK lists WIRTE as using Havoc, threat intelligence and regional/business exposure reviews may be relevant, but local risk should be based on the organization’s sector, geography, and telemetry.
Technical view
ATT&CK does not provide a dedicated detection analytic for Havoc, so defenders should validate behavior-based coverage from the relationships. Priority validation areas include command execution via PowerShell and Windows Command Shell, native API use, process and account discovery, file and directory discovery, system and network discovery, web/file-transfer C2 protocols, proxy behavior, ingress tool transfer, screen capture, local data access, command obfuscation, and Windows-specific DLL/PE injection and token impersonation. Coverage should be tested across the listed platforms: Linux, macOS, and Windows.
Likely telemetry
- Endpoint process creation and command-line telemetry, including PowerShell and cmd activity on Windows
- Script execution logs and PowerShell logging where enabled
- Endpoint detection telemetry for process injection, native API behavior, token impersonation, and unusual child-process patterns
- Network telemetry for HTTP/S or other web protocol C2-like traffic, file-transfer protocol use, and proxy or traffic redirection patterns
- File system telemetry for local data access, file and directory enumeration, and newly transferred tools
Detection direction
- Build detections around clustered post-exploitation behavior rather than the Havoc name alone, since the supplied ATT&CK object has no official detection text.
- Correlate discovery commands, command interpreters, network beaconing or web/file-transfer communications, and tool transfer from the same host or user context.
- Tune for legitimate administrator activity: discovery commands, PowerShell, file transfer, and proxy use can be normal, so detections should incorporate asset role, user role, timing, parent process, and destination reputation where available.
- Validate Windows-specific visibility for DLL injection, PE injection, and token impersonation; these are common blind spots if endpoint telemetry lacks memory/process-access detail.
- Confirm Linux and macOS monitoring is not materially weaker than Windows coverage, because the object lists all three platforms.
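The following Python script is an added example of the detection direction above, written for this page rather than taken from the ATT&CK object or the Havoc project. It scores each host/user context on several distinct post-exploitation behaviours (discovery commands, an interpreter spawned from an office application, encoded PowerShell, a cross-process injection event, and a low-jitter outbound beacon) and alerts only when several co-occur, which is what the tuning guidance for legitimate administrator activity asks for. The event field names, the process and parent lists, and every threshold are assumptions chosen to resemble common EDR and proxy telemetry; the telemetry itself is constructed inline and is not captured from any real host.

```python
"""Clustered post-exploitation scoring over constructed endpoint and network events.

Added example, not from the ATT&CK page or the Havoc project. Field names,
behaviour lists and thresholds are assumptions; adapt them to your own schema.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry (not real captures). "proc" = process creation,
# "net" = outbound HTTP/S connection with a timestamp in seconds,
# "inject" = an EDR observation of cross-process memory/thread activity.
EVENTS = [
    # WS01: a document spawns cmd.exe, discovery follows, then regular beacons
    {"host": "WS01", "user": "j.doe", "kind": "proc", "t": 100, "parent": "winword.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "WS01", "user": "j.doe", "kind": "proc", "t": 101, "parent": "cmd.exe", "image": "whoami.exe", "cmdline": "whoami"},
    {"host": "WS01", "user": "j.doe", "kind": "proc", "t": 105, "parent": "cmd.exe", "image": "net.exe", "cmdline": "net localgroup administrators"},
    {"host": "WS01", "user": "j.doe", "kind": "proc", "t": 110, "parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA"},
    {"host": "WS01", "user": "j.doe", "kind": "inject", "t": 115, "source": "powershell.exe", "target": "WerFault.exe"},
    *({"host": "WS01", "user": "j.doe", "kind": "net", "t": 120 + 30 * i + (i % 2), "dst": "203.0.113.7:443"} for i in range(8)),
    # SRV02: an administrator running one discovery command from an interactive shell
    {"host": "SRV02", "user": "admin", "kind": "proc", "t": 200, "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"host": "SRV02", "user": "admin", "kind": "proc", "t": 201, "parent": "cmd.exe", "image": "whoami.exe", "cmdline": "whoami"},
    {"host": "SRV02", "user": "admin", "kind": "net", "t": 210, "dst": "198.51.100.20:443"},
    {"host": "SRV02", "user": "admin", "kind": "net", "t": 350, "dst": "198.51.100.20:443"},
    {"host": "SRV02", "user": "admin", "kind": "net", "t": 371, "dst": "198.51.100.20:443"},
    {"host": "SRV02", "user": "admin", "kind": "net", "t": 900, "dst": "198.51.100.20:443"},
]

# Assumed behaviour lists; extend from your own environment's baseline.
DISCOVERY = {"whoami.exe", "net.exe", "ipconfig.exe", "tasklist.exe", "hostname.exe", "systeminfo.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def beacon_score(times, min_samples=6, max_cv=0.15):
    """Return (is_periodic, coefficient_of_variation) for sorted connection times.

    A low coefficient of variation of the inter-arrival gaps is the classic
    sleep-driven beacon signature; configured jitter widens it, so max_cv is a
    tunable rather than a constant.
    """
    if len(times) < min_samples:
        return False, None
    gaps = [b - a for a, b in zip(times, times[1:])]
    mu = mean(gaps)
    cv = pstdev(gaps) / mu if mu else float("inf")
    return cv <= max_cv, round(cv, 3)


def score_host(events):
    """Return the list of distinct behaviours matched in one host/user context."""
    reasons = []
    procs = [e for e in events if e["kind"] == "proc"]
    if any(e["image"] in DISCOVERY for e in procs):
        reasons.append("discovery command")
    if any(e["image"] in INTERPRETERS and e["parent"] in OFFICE_PARENTS for e in procs):
        reasons.append("interpreter spawned by office app")
    if any("-enc" in e["cmdline"].lower() for e in procs):  # crude encoded-command check
        reasons.append("encoded powershell")
    if any(e["kind"] == "inject" for e in events):
        reasons.append("cross-process injection")
    by_dst = defaultdict(list)
    for e in events:
        if e["kind"] == "net":
            by_dst[e["dst"]].append(e["t"])
    for dst, times in by_dst.items():
        periodic, cv = beacon_score(sorted(times))
        if periodic:
            reasons.append(f"periodic beacon to {dst} (cv={cv})")
    return reasons


def evaluate(events, min_reasons=3):
    """Group events by (host, user) and return the contexts that cross the threshold.

    Requiring several distinct behaviours, not any single one, is what keeps a
    lone administrator 'whoami' from paging anyone.
    """
    ctx = defaultdict(list)
    for e in events:
        ctx[(e["host"], e["user"])].append(e)
    alerts = {}
    for key, evs in ctx.items():
        reasons = score_host(evs)
        if len(reasons) >= min_reasons:
            alerts[key] = reasons
    return alerts


if __name__ == "__main__":
    for (host, user), reasons in evaluate(EVENTS).items():
        print(f"ALERT {host}/{user}: " + "; ".join(reasons))
```

Run as-is, only WS01/j.doe alerts; SRV02/admin matches a single behaviour and stays below the threshold. The beacon check is deliberately separate from the process checks so it can be fed from proxy or NetFlow data when endpoint coverage is thin, which is the Linux and macOS gap the last bullet warns about.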
Mitigation priorities
- Prioritize least privilege and administrative access controls to reduce the value of token impersonation, discovery, and command execution after compromise.
- Harden and monitor scripting and command interpreters, especially PowerShell and Windows Command Shell, while preserving legitimate administrative workflows.
- Restrict and monitor unauthorized file transfer paths, proxy use, and outbound web/file-transfer communications from endpoints and servers.
- Ensure endpoint controls can observe and block or alert on process injection, suspicious native API usage, and unusual tool staging where supported.
- Improve user-execution defenses for malicious files and copy-paste social engineering through policy, awareness, and technical controls.
Analyst notes and limits
The supplied ATT&CK data identifies Havoc as an open-source post-exploitation C2 framework first released on GitHub in October 2022 and maintained by C5pider with contributors. ATT&CK states it has been adopted by multiple threat actors and includes a relationship showing WIRTE uses it. The strongest defensive value comes from mapping the listed techniques to existing SOC telemetry and response playbooks.
No official ATT&CK detection text, aliases, labels, or malware-specific tactics were supplied. The relationship list provides behavioral context, but it does not prove activity in any specific environment. Local logs, EDR coverage, network architecture, identity controls, and business exposure are required to determine actual risk and detection coverage.
Havoc
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1033 | System Owner/User Discovery | Havoc can trigger execution of `whoami` on the target host to display the current user. (Zscaler Havoc FEB 2023; Fortinet Havoc MAR 2025) |
| Enterprise | T1090 | Proxy | Havoc has the ability to route HTTP/S communications through designated proxies. (Havoc Framework Documentation) |
| Enterprise | T1559 | Inter-Process Communication | The Havoc SMB demon can use named pipes for communication through a parent demon. (Havoc Framework Documentation) |
| Enterprise | T1573.001 | Symmetric Cryptography | Havoc can send an AES encrypted check-in request to the C2 server. (Zscaler Havoc FEB 2023; Fortinet Havoc MAR 2025) |
| Enterprise | T1204.004 | Malicious Copy and Paste | The Havoc infection chain has been initiated via ClickFix lures in phishing emails. (Fortinet Havoc MAR 2025) |
| Enterprise | T1059.003 | Windows Command Shell | Havoc can execute commands via `cmd.exe`. (Havoc Framework Documentation; Immersive Labs Havoc C2 APR 2024) |
| Enterprise | T1113 | Screen Capture | Havoc can capture screenshots. (Havoc Framework Documentation; Zscaler Havoc FEB 2023; Immersive Labs Havoc C2 APR 2024) |
| Enterprise | T1134.001 | Token Impersonation/Theft | Havoc has a module capable of token impersonation. (Havoc Framework Documentation) |
| Enterprise | T1071.001 | Web Protocols | Havoc can use HTTP/S listeners to establish and maintain C2 communications. (Havoc Framework Documentation; Zscaler Havoc FEB 2023; Fortinet Havoc MAR 2025; Immersive Labs Havoc C2 APR 2024) |
| Enterprise | T1082 | System Information Discovery | Havoc can gather system information including hostname, domain, and OS details. (Fortinet Havoc MAR 2025) |
| Enterprise | T1057 | Process Discovery | Havoc can enumerate processes on targeted hosts. (Havoc Framework Documentation; Zscaler Havoc FEB 2023; Fortinet Havoc MAR 2025) |
| Enterprise | T1059.001 | PowerShell | Havoc can facilitate the execution of PowerShell commands. (Immersive Labs Havoc C2 APR 2024) |
| Enterprise | T1055.002 | Portable Executable Injection | Havoc has injected itself into `C:\Windows\System32\Werfault.exe` on targeted systems. (Havoc Framework Documentation) |
| Enterprise | T1105 | Ingress Tool Transfer | Havoc has the ability to upload files to infected systems. (Havoc Framework Documentation; Immersive Labs Havoc C2 APR 2024) |
| Enterprise | T1083 | File and Directory Discovery | The Havoc interface can display a file explorer view of the compromised host. (Havoc Framework Documentation) |
| Enterprise | T1574.001 | DLL | Havoc has leveraged legitimate executables to side-load malicious payloads. (Check Point Wirte NOV 2024) |
| Enterprise | T1570 | Lateral Tool Transfer | Havoc has the ability to copy files from one location to another. (Havoc Framework Documentation) |
| Enterprise | T1016.001 | Internet Connection Discovery | The Havoc demon can check for a connection to the C2 server from the target machine. (Zscaler Havoc FEB 2023) |
| Enterprise | T1087 | Account Discovery | Havoc can identify privileged user accounts on infected systems. (Fortinet Havoc MAR 2025) |
| Enterprise | T1055.001 | Dynamic-link Library Injection | Havoc has DLL spawn and injection modules. (Havoc Framework Documentation) |
| Enterprise | T1027.010 | Command Obfuscation | Havoc has utilized XOR encryption with the key “01-01-1900” to obfuscate command strings. (Check Point Wirte NOV 2024) |
| Enterprise | T1497.003 | Time Based Checks | The Havoc demon agent can be set to sleep for a specified time. (Havoc Framework Documentation; Zscaler Havoc FEB 2023) |
| Enterprise | T1071.002 | File Transfer Protocols | Havoc can use an SMB listener for C2 communication. (Havoc Framework Documentation; Zscaler Havoc FEB 2023; Immersive Labs Havoc C2 APR 2024) |
| Enterprise | T1005 | Data from Local System | Havoc can download files from the victim's computer. (Havoc Framework Documentation; Immersive Labs Havoc C2 APR 2024) |
| Enterprise | T1204.002 | Malicious File | Havoc has been executed by victims through the use of targeted lures and crafted decoy documents. (Check Point Wirte NOV 2024) |
| Enterprise | T1106 | Native API | Havoc can use `NtAllocateVirtualMemory` and `NtCreateThreadEx` to aid process injection. (Havoc Framework Documentation) |
| Enterprise | T1016 | System Network Configuration Discovery | Havoc has a module for network enumeration including determining IP addresses. (Havoc Framework Documentation) |
| Enterprise | T1566.002 | Spearphishing Link | Havoc has been distributed through ClickFix phishing campaigns. (Fortinet Havoc MAR 2025) |
| Enterprise | T1018 | Remote System Discovery | Havoc features a module capable of host enumeration. (Havoc Framework Documentation) |
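The T1027.010 row above names the XOR key “01-01-1900” reported by Check Point for WIRTE's Havoc command strings, but the page does not say how the key is applied. The Python helper below is an added triage example for this page, not code from the Havoc project, Check Point, or ATT&CK. It assumes the most common form, the ASCII bytes of the key XORed cyclically over each string, and carves decoded strings out of a byte blob (for instance a memory region or a configuration block) by trying every key phase, so strings that did not start at key offset 0 are still recovered. The obfuscated sample blob is constructed inside the script by the same encode routine and is not taken from a real sample; if the real sample applies the key differently, only the `xor_cycle` function needs to change.

```python
"""Repeating-key XOR string triage for the "01-01-1900" key reported for Havoc.

Added example, not from the ATT&CK page, Check Point's report or the Havoc
project. ASSUMPTION: the key's ASCII bytes are XORed cyclically over each
string. The sample blob below is constructed here, not captured.
"""
import string

KEY = b"01-01-1900"
# Printable ASCII minus vertical tab and form feed, which rarely appear in commands.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def xor_cycle(data: bytes, key: bytes = KEY) -> bytes:
    """XOR data with the key repeated cyclically; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_text(buf: bytes, min_len: int = 6) -> bool:
    """Heuristic: a decoded run is all printable and long enough to be a command."""
    return len(buf) >= min_len and all(b in PRINTABLE for b in buf)


def carve_xor_strings(blob: bytes, key: bytes = KEY, min_len: int = 6) -> list[str]:
    """Return NUL-delimited runs of blob that decode to printable text under the key.

    Each run is tried at every phase of the 10-byte key because a string stored
    at an arbitrary offset, or encoded as part of a larger buffer, need not line
    up with key offset 0. Phase 0 is tried first so per-string encoding is
    found on the first attempt.
    """
    found = []
    for chunk in blob.split(b"\x00"):
        if len(chunk) < min_len:
            continue
        for phase in range(len(key)):
            rotated = key[phase:] + key[:phase]
            decoded = xor_cycle(chunk, rotated)
            if looks_like_text(decoded, min_len):
                found.append(decoded.decode("ascii"))
                break
    return found


# Constructed plaintext commands used to build the sample blob (assumed, not real).
SAMPLE_COMMANDS = [b"whoami", b"net localgroup administrators", b"powershell -nop -w hidden"]


def build_sample_blob() -> bytes:
    """Constructed blob: filler bytes, three XOR-obfuscated NUL-terminated
    commands, and a run of high bytes that must not decode as text."""
    parts = [xor_cycle(c) for c in SAMPLE_COMMANDS]
    return b"\x00".join([b"\x90\x90\x90MZ", *parts, bytes(range(200, 215))])


if __name__ == "__main__":
    blob = build_sample_blob()
    print("obfuscated whoami:", xor_cycle(b"whoami"))
    for s in carve_xor_strings(blob):
        print("recovered:", s)
```

Note that `xor_cycle(b"whoami")` yields `b"GYBQ\\D"`, a string that is itself printable: a short XOR key drawn from printable characters often produces printable ciphertext, so a strings-based scan of a sample will show plausible-looking garbage rather than obvious binary. Scanning for runs that decode to text under a known key, as above, is the more reliable way to confirm the obfuscation.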
Groups, software, and campaigns
G0090: WIRTE
WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and in Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded their operations to include wiper malware attacks against Israeli targets.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by bundle hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 78a28f2fe5b6… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MITRE ATT&CK, S1229: Havoc (open source URL).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.