Skip to content
/ Kharon Public
forked from MythicAgents/Kharon-Mtc

C2 Agent fully PIC for Mythic with advanced evasion capabilities, dotnet/powershell/shellcode/bof memory executions, lateral moviments, pivot and more.

0 stars 35 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

pondzikk/Kharon

BranchesTags
 
 

Repository files navigation

Kharon Agent

khimg

C2 Agent for Mythic with advanced evasion capabilities, supporting dotnet/powershell/shellcode/BOF memory execution, lateral movement, pivoting, and more. Kharon is a fully Position-Independent Code (PIC) shellcode.

Author links

Important

This project is under development.

TODO

  • Token Manipulation (fix)
  • Beacon SMB
  • Socks
  • Upload/Download
  • WinRM Exec

Listener

  • HTTP/S: Web-based encrypted communication
  • SMB: Named pipe-based C2 channel

Evasion

  • Uses hardware breakpoints to bypass AMSI/ETW.
  • Sleep obfuscation via timers.
  • Heap obfuscation during sleep (XOR).
  • Indirect syscalls.
  • Call stack spoofing.

Execution in memory

Supports injection of dotnet assembly, shellcode, and Beacon Object File (BOF). All execution is inline with exception of the shellcode for a while.

General

Allows customization of injection techniques, including:

  • Allocation: DripAlloc or standard allocation.
  • Writing: WriteMemoryAPC or standard memory writing (for inline is just used custom memcpy).

Methods

  • Dotnet: Can inject .NET assembly and execution in memory.
  • Powershell: Its using PowerPick, you can pass the command for execution.
  • Shellcode: Standard shellcode execution in memory, Support to use your own shellcode to execute post-ex operations.
  • BOF (Beacon Object File): Beyond standard BOF execution, the agent provides custom APIs such as metioned in documentation. Future updates may include more APIs. The advantage of using these APIs is that they execute in the preferred context with stack spoofing and/or indirect syscalls.

Lateral Movement

Advanced movement techniques:

  • WMI: Windows Management Instrumentation execution
  • SCM: Service-based execution with custom implementation
  • WinRM: Windows Remote Management execution via COM without spawn powershell binary

Process Creation

  • PPID Spoofing: Masquerade as child of legitimate processes (explorer.exe, svchost.exe, etc.)
  • BlockDLL Enforcement: Restrict non-Microsoft DLL injection

Kerberos Interactions

Some command to kerberos interaction like klist, ptt, describe, triage, s4u and more.

Misc Commands

  • Registry Interaction
  • SCM Interaction
  • Token Manipulation
  • Some Netapi32 commands
  • Slack cookie dump
  • ipconfig, whoami, env, arp, dns cache and uptime

Check the References!

About

C2 Agent fully PIC for Mythic with advanced evasion capabilities, dotnet/powershell/shellcode/bof memory executions, lateral moviments, pivot and more.

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C++ 88.4%
  • Python 8.3%
  • C 2.5%
  • JavaScript 0.5%
  • Assembly 0.2%
  • Makefile 0.1%