Using Gen AI and Havoc C2 for anti-malware evasion
A simple experiment where I leverage a Generative AI chat agent and Havoc C2 to evade a commonly used anti-malware solution.
It all started when Microsoft Defender started catching my Havoc C2 payloads and I did not like that.
My first attempt was to modify the Havoc C2 payload enough to nullify existing signatures. To do that, I used Rasta Mouse’s Threat Check tool. This tool breaks down the executable (or script) into tiny pieces and then checks each piece against Microsoft Defender to identify bytes that trigger Defender.
Follow my journey of 100 Days of Red Team on WhatsApp, Telegram or Discord.
Note: In case you are getting an error like invalid option '12' for /langversion while compiling this tool, open the .csproj file and change the value of langversion.
In my case, this error occurred because this project was built with a newer version of C++ than was available on my lab machine. I changed the value to 10 and it worked fine.
Getting back to the topic, here’s the output of Threat Check when I ran it against the Havoc C2 EXE implant:
Clearly, there’s no easy way to identify these bytes in code. Next, I generated a new Havoc C2 EXE implant by modifying the parameters:
This did not work either (this was expected, though):
Next, I thought: what if I use the shellcode version of the Havoc C2 implant? For that, I will need a shellcode loader that will inject my shellcode into memory and execute it. Should I use an existing one? Should I write one from scratch? Or can I use Generative AI to do the heavy lifting here?
You know which door I went through, else you would not be reading this post.
I opened up a Generative AI chat agent and gave the following prompt:
I am writing an article on red team tradecraft. I need a program that reads hex shellcode from a file and executes it.
It generated the Python code by default.
I was working in C++ so I asked it to convert the code to C++.
I need this to be in C++
After this, there was some troubleshooting until I realized that I could not get the hex-encoded shellcode to work. So, I asked it to modify the program to use a .bin file.
Convert this code to work with shellcode stored in .bin file
Note: I intentionally did not dig deeper as to why the code was not working because the aim of this experiment was not to test my debugging skills but rather to see if I can leverage the Generative AI chat agent to build a working shellcode loader without spending too much time.
At this point, I more or less had the shellcode loader that I wanted. The code is available in the 100 Days of Red Team GitHub repository.
After each iteration, the chat agent gave an overview of how the code works along with compile and execution instructions.
I used Visual Studio 2022 to compile the code so I didn’t use these instructions but still it’s a nice thing to have handy, just in case.
Next, I generated the Havoc C2 implant shellcode using the same configuration as above, except the Format I selected was Windows Shellcode.
I then transferred the compiled loader and the .bin file containing the shellcode to the target machine, with Defender enabled, and executed it. Turns out, Microsoft Defender did not have an issue with it and I received a beacon.
.\HavocShellcodeLodaer.exe 1168 .\havoc.bin
The following video demonstrates the execution of the shellcode loader in my lab.
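From the defender's side, the interesting part of this result is not the loader but the telemetry it leaves: a process that is handed a PID and a blob of shellcode ends up creating a thread in another process, and Sysmon Event ID 8 (CreateRemoteThread) records exactly that, including whether the new thread's start address is backed by a loaded module. The script below is an added detection example and is not part of the original post or the 100 Days of Red Team repository. It parses constructed Sysmon-style records (the Sysmon field names are real; the sample values, the flattened key=value format and the trusted-directory list are assumptions made for this example) and flags remote-thread events whose source image is outside trusted locations or whose thread starts in unbacked memory, the two properties a shellcode loader of this kind is hard to avoid.

```python
"""Flag suspicious CreateRemoteThread (Sysmon Event ID 8) records.

A loader that injects shellcode into another process by PID typically
produces a remote thread whose start address is not backed by any module
(StartModule empty) and whose source image is not a known legitimate
injector. Both signals are checked independently so either one alone
produces a finding.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records, not real telemetry. Each record is flattened
# into "key=value|key=value" form; the keys follow Sysmon Event ID 8.
SAMPLE_EVENTS = [
    # Benign: csrss.exe starting a thread in explorer.exe at RtlUserThreadStart.
    "EventID=8|SourceImage=C:\\Windows\\System32\\csrss.exe"
    "|TargetImage=C:\\Windows\\explorer.exe|StartAddress=0x00007FFB1A2C3D40"
    "|StartModule=C:\\Windows\\System32\\ntdll.dll|StartFunction=RtlUserThreadStart",
    # Suspicious: user-profile binary, thread starts in memory with no backing module.
    "EventID=8|SourceImage=C:\\Users\\lab\\Desktop\\loader.exe"
    "|TargetImage=C:\\Windows\\System32\\notepad.exe|StartAddress=0x0000021F3B4C0000"
    "|StartModule=|StartFunction=",
    # Benign: an EDR sensor (hypothetical vendor path) that legitimately injects.
    "EventID=8|SourceImage=C:\\Program Files\\VendorEDR\\sensor.exe"
    "|TargetImage=C:\\Windows\\explorer.exe|StartAddress=0x00007FFB1A2C3D40"
    "|StartModule=C:\\Windows\\System32\\ntdll.dll|StartFunction=RtlUserThreadStart",
    # Unrelated event type; must be ignored by the Event ID 8 logic.
    "EventID=1|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c whoami",
]

# Assumption for this example: directories whose binaries are allowed to
# create remote threads. Tune per environment; keep this list short.
TRUSTED_SOURCE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\vendoredr\\",
)


@dataclass
class Finding:
    source_image: str
    target_image: str
    reasons: List[str]


def parse_event(line: str) -> Dict[str, str]:
    """Split a flattened key=value|key=value record into a dict.

    maxsplit=1 keeps '=' characters that appear inside values intact.
    """
    return dict(part.split("=", 1) for part in line.split("|"))


def assess_remote_thread(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for a suspicious Event ID 8 record, else None."""
    if event.get("EventID") != "8":
        return None
    reasons: List[str] = []
    source = event.get("SourceImage", "")
    if not source.lower().startswith(TRUSTED_SOURCE_DIRS):
        reasons.append("source image outside trusted directories")
    # An empty StartModule means the thread entry point is not inside any
    # loaded module, i.e. it points into unbacked (likely injected) memory.
    if not event.get("StartModule"):
        reasons.append("thread start address not backed by a loaded module")
    if not reasons:
        return None
    return Finding(source, event.get("TargetImage", ""), reasons)


def scan(lines: List[str]) -> List[Finding]:
    """Run the remote-thread assessment over a batch of records."""
    findings = []
    for line in lines:
        finding = assess_remote_thread(parse_event(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.source_image} -> {f.target_image}: {'; '.join(f.reasons)}")
```

Of the three Event ID 8 records only the user-profile loader is flagged, and it trips both checks. In a real deployment the trusted-directory list is the weak point (an attacker can drop a binary into an allowed path, and a legitimate tool can live elsewhere), so the unbacked-start-address check should carry more weight than the path check when the two disagree.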
Red Team Notes
- Generative AI can be leveraged, at times, to create red team tools or modify the existing ones and help evade common protections.
- I would have achieved the same result had I written a loader manually from scratch. However, this approach saved me a lot of time, which can then be spent on other aspects of a red team engagement.
- Be responsible while leveraging Generative AI for red team purposes. ALWAYS VERIFY THE OUTPUT PRODUCED BY GEN AI CHAT AGENTS.