Documentation
WorkingHours And KillDate
Working hours
Havoc supports working hours, which you can set in two ways.
- via a command on the agent console:
config workinghours 8:30-17:00
(can be changed as many times as desired) - via the profile:
Http { Name = "foo" WorkingHours = "8:30-17:00" ... } Smb { Name = "bar" WorkingHours = "8:30-17:00" ... }
Once set, the agent will only connect back to the teamserver when the time is within the working hours.
If you configured your implant to encrypt itself during sleep, the implant will remain encrypted during the entire offhours period.
If the sleep time is set to 0 and the end of working hours is reached, then the agent will ignore the working hours and continue to operate normally. This is to avoid interrupting an important task.
Importantly, the start and end time must be in 24 hours format and it will be interpreted as local to the compromised machine, meaning that is the timezone of the victim computer the one that matters, not the one belonging to the operator.
To disable working hours altogether, run: config workinghours 0
KillDate
You can set the KillDate directly on the profile:
Http { Name = "foo" KillDate = "2023-10-02 15:04:05" ... } Smb { Name = "bar" KillDate = "2023-10-02 15:04:05" ... }
Also, you can set or update it dynamically by running: config killdate 2023-10-02 15:04:05
If you want to remove the killdate entirely, run: config killdate 0
Always remember that the KillDate is interpreted as UTC, and NOT in any other timezone.
If an agent with a KillDate that has already passed is executed, it will terminate execution immediately and won't even try to contact the teamserver.
Finally, when a KillDate is reached, the main thread will call RtlExitUserThread
, which is not necessarily what you want on all scenarios.
On this page
- WorkingHours And KillDate
- Working hours
- KillDate