Revenant is a 3rd party agent for Havoc written in C, and based on Talon. This implant is meant to expand on the Talon implant by implementing covert methods of execution, robust capabilities, and more customization.
This project aims to be a self-contained Havoc C2 implant. The goal end-user functionality is as follows:
***NOTE*** As of August 2023, Havoc 0.6 broke support for 3rd party agents. @C5pider intends to bring the functionality back in a future release, but for the time being use Havoc 0.5 available here: https://github.com/0xTriboulet/Havoc_0.5
HAVOC (DEV) HAS BEEN PATCHED TO SUPPORT 3RD PARTY AGENTS: https://github.com/HavocFramework/Havoc/tree/dev
- Download repo
- Unzip Revenant.zip
- pip install black
- startup Havoc (./havoc server --profile ./profiles/havoc.yaotl -v --debug & ./havoc client )
- Go to root folder
- python Revenant.py
- ???
- PROFIT
x86 and Win 7 Compatability:
- Disable NativeAPI
Note: Revenant uses NtCreateUserProcess to deliver NativeAPI functionality. NtCreateUserProcess is not supported by x86 or Win 7
- pwsh - executes commands through powershell.exe -> pwsh ls
- shell - executes commands through cmd.exe -> shell dir
- download - downloads file to loot folder -> download C:\test.txt
- upload - uploads file to desired folder -> upload /home/test.txt C:\temp\test.txt
- exit - kills current implant -> exit
- Sleep - Set sleep in seconds
- Polymorphic - Enable/Disable polymorphism at build and run time
- Obfuscation - Obfuscate strings with XOR
- Arch - x86/x64
- Native - Use NativeAPI where implemented
- AntiDbg - Leverage antidebug checks at initialization
- RandCmdIDs - Randomize command IDs
- Unhooking - GhostFart/Perun's Fart method to unhook, exec command, then rehook
Note: RandCmdIDs randomizes the CmdIDs in the output executable. Revenant does NOT store these random CmdIDs; these will only work with the active session. If you want a reusable executable, do NOT enable this option.
- Add exec-assembly
- Add cd, ls, whoami commands
- Decrease entropy