Deploying a ./HAVOC Campaign

Overview

./HAVOC is a post-exploitation toolkit which leverages playbooks to automate the deployment of attacker infrastrucure in AWS. It provides a method to automatically deploy attacker toolkits (such as Powershell Empire and Meterpreter) in containers, and automate interaction with them. This allows for a flexible and automated method for testing and emulating advanced attacker TTPs.

./HAVOC establishes a C2 listener via a containerized Powershell Empire, and playbooks which can be configured and run from your command line.

The ./HAVOC GitHub is located here.

Prerequisites

The prerequisites for a ./HAVOC campaign are as follows:

• Personal AWS Account - Will also need a user that has full admin privileges (required)

• ZeroTier - Configured and Connected to Networkd ID: a0cbf4b62a48096f

• SE-Dev Win10 VM - IP addresses and credentials, connected via RDP.

• An Ubuntu Linux VM (Campaign Manager) - Will manage the ./HAVOC campaign and act as the playbook operator.

  • Ubuntu Server Download

Build ./HAVOC Campaign Manager

If you have already deployed the Ubuntu VM to use as the ./HAVOC Campaign Manager, proceed to the next section.

It is recommended to run a local VM as your campaign manager. If you’re on an M1 Mac and prefer not to run VMs locally in Parallels, you can provision an EC2 instance in your AWS account to act as your campaign manager.

Note: If you do go the EC2 instance route, make sure to perform all of your ./HAVOC deployment and playbook operation tasks through a tmux session or you'll run the risk of having an incomplete deployment or orphaned resources as a result of being disconnected from your SSH session.

We will not provide instructions to create the Ubuntu VM as instructions will very by workstation virtualization solution and OS.

Desktop Virtualization Providers:

• VMWare Fusion Preview (Mac M1)

• VMware Fusion (Mac)

• VMware Workstation (Windows)

• Parallels (Windows & Mac)

• VirtualBox (Windows & Mac (Intel Only)) Free

./HAVOC Campaign Deployment

If you don’t already have an AWS account, follow the Create AWS Account to create one now.

Note: The GCO team does not have sufficient privileges in the Vectra AWS org accounts (e.g. vectra-se-dev) to provision a ./HAVOC campaign. For that reason, lab participants must create a standalone AWS account.

Create a ./HAVOC user in AWS with Admin Privileges

1. In the AWS Management Console navigate to the User groups page by typing IAM in the search field.

2. Select Groups under Features

   

3. Click Create Group

   

4. Fill in the following values, and click Create Group:

   • Name the group

     • User group name - Administrators

   • Attach permissions policies - Optional

     • AdministratorAccess - Checked
       
       
       
       

5. In the AWS Management Console navigate to the IAM > User page.

6. Click Add users

7. Fill in the following values, and click Next: Permissions:

   • User name - havoc-deploy

   • Access key - Programmatic access - Checked
     
     

8. Fill in the following values, and click Next: Tags:

   • Administrators - Checked
     
     

9. Click Next: Review > Create user

   Note: When user creation is complete, make sure to download the .CSV file that contains the access key and secret key for your havoc-deploy user.

Stage the ./HAVOC Campaign Manager (Playbook Operator Machine) on anUbuntu VM

You will need to install the ./HAVOC campaign prerequisites on your Campaign Manager Ubuntu VM as outlined in the ./HAVOC documentation.

Note: The following instructions are for Intel based Ubuntu VMs, if you are on a M1 Mac, you will need the ARM version of Ubuntu and ARM versions of the following packages. You may need to Google what they are called, though generally **arm64**.

1. Install Common Packages

   sudo apt update && sudo apt install -y ssh vim net-tools curl git python3-pip python3-dev python3-venv unzip
   

Install AWS CLI

1. Download the Package

   x86 Version

   curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
   

   ARM Version

   curl "https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" -o "awscliv2.zip"
   

2. Unzip the installer

   unzip awscliv2.zip
   

3. Run the install program

   sudo ./aws/install
   

Install Terraform

Note: Terraform 1.1.6 is specified below which must be used. Do not use the current version.

1. Download the package

   x86 Version

   curl https://releases.hashicorp.com/terraform/1.1.6/terraform_1.1.6_linux_amd64.zip -o "terraform_1.1.6_linux_amd64.zip"
   

   ARM Version

   curl https://releases.hashicorp.com/terraform/1.1.6/terraform_1.1.6_linux_arm64.zip -o "terraform_1.1.6_linux_arm64.zip"
   

2. Unzip the installer x86 or ARM

   x86 Version

   unzip terraform_1.1.6_linux_amd64.zip
   

   ARM Version

   unzip terraform_1.1.6_linux_arm64.zip
   

3. Move the terraform directory into place

   sudo mv terraform /usr/local/bin
   

Setup AWS Profile

1. Now let’s setup the AWS profile for havoc-deploy. You will be prompted for:

   • Access Key ID - access key from CSV file

   • AWS Secret Access Key - secret key from CSV file

   • Default region name - us-west-1

   • Default output format - json

   aws configure --profile havoc-deploy
   

   

Download and Install ./HAVOC

1. Download the ./HAVOC git repository into your home directory.

   cd ~
   git clone --recurse-submodules https://github.com/havocsh/havoc.git
   

2. Initiate the deployment process

   cd havoc
   ./havoc -d aws
   

3. The ./HAVOC deployment script will prompt you for several inputs. Provide the following inputs to the prompts:

   • AWS region - us-west-1

   • AWS profile - havoc-deploy

   • ./HAVOC campaign name - firstname-lastname

   • ./HAVOC campaign administrator email - your_email_address

   • Task results queue expiration - 30

   • Enable custom domain name? (Y/N) - N
     
     

   Note: The deployment process will take several minutes.

4. Once the resources are deployed, you will be prompted for a few more inputs that will be used to configure the local ./HAVOC environment on your campaign manager machine. Provide the following inputs to the prompts:

   • ./HAVOC credential profile name [default] - firstname-lastname

   • Output format (table|json) [table] - json
     
     

   Note: After responding to the prompts above, the local environment will be setup and your campaign deployment details will be provided.

5. Copy the campaign deployment details and store them somewhere safe just in case you need them again later. The campaign deployment details will look like similar to this.

   

You can see the entire output of the deployment script in the ./HAVOC Deployment Output reference page.

Validation

Take Screen shot of your output above. You will show it to the validator after the next lab.