Frequently Asked Questions

Product Overview & Technical Details

What is Cymulate and what does it do?

Cymulate is a cybersecurity platform that enables organizations to proactively validate their defenses, identify vulnerabilities, and optimize their security posture. It provides continuous threat validation, exposure management, and automated attack simulations to help security teams stay ahead of emerging threats and improve resilience. [Source]

How does Cymulate's Exposure Validation work?

Cymulate Exposure Validation continuously tests and validates security controls against the latest threats and attack techniques. It uses automated offensive testing with a library of over 100,000 attack actions aligned to the MITRE ATT&CK framework and daily threat intelligence, providing actionable insights for prevention and detection. [Source]

What is the Havoc Demon and how does it operate?

The Havoc Demon is a post-exploitation command and control implant generated via the Havoc Framework. It is delivered through a multi-stage infection chain, involving a downloader, shellcode loader, and reflective DLL injection. Once deployed, it connects to a command and control server, executes tasks, and communicates via AES-encrypted channels. The implant uses advanced evasion techniques such as ETW patching and memory mapping without headers to avoid detection. [Source]

What is the infection chain described in the "Havoc Across the Cyberspace" report?

The infection chain starts with a ZIP archive containing a downloader that executes a BAT script, which downloads and runs the Havoc Demon Agent. The process involves decrypting and executing shellcode, disabling Windows event tracing, and reflectively loading a DLL implant for command and control operations. [Source]

How does the Havoc Demon evade detection?

The Havoc Demon uses several evasion techniques, including patching the Event Tracing for Windows (ETW) API to prevent event logging, memory mapping its DLL implant without headers, and using AES encryption for payloads and communications. These methods help it avoid detection by security tools. [Source]

What are the main functions executed by the Havoc Demon?

Upon execution, the Havoc Demon runs four main functions: DemonInit (initialization), DemonMetaData (metadata collection), DemonConfig (configuration parsing), and DemonRoutine (main loop for C2 communication and task execution). [Source]

How does the Havoc Demon communicate with its command and control server?

The Havoc Demon establishes a session with its C2 server using AES-encrypted packets. It can use HTTP or SMB for transport, sending metadata and receiving commands, which are executed on the victim machine. Results are encrypted and sent back to the server. [Source]

What is the role of the KaynLdr shellcode in the Havoc infection chain?

The KaynLdr shellcode is responsible for reflectively loading the Havoc Demon DLL implant into memory. It resolves necessary API addresses, maps the DLL, and executes its entrypoint, enabling the post-exploitation capabilities of the Havoc Demon. [Source]

What configuration options are used by the Havoc Demon in this campaign?

The configuration includes sleep intervals, injection and execution methods (native/syscall), process spawning paths, sleep obfuscation techniques, transport method (HTTP), secure transport flag, and user agent string. These settings control how the Demon operates and communicates. [Source]

How does Cymulate help organizations defend against threats like Havoc?

Cymulate enables organizations to simulate real-world threats, including advanced malware like Havoc, to test and validate their defenses. By continuously running attack simulations and validating exposures, Cymulate helps identify gaps and optimize security controls before attackers can exploit them. [Source]

Where can I find a demo of Cymulate's threat validation capabilities?

You can view demos such as "Threat Validation Demo" and "From Control Validation to Exposure Validation" on Cymulate's website. These demos show how Cymulate helps security teams quickly validate protection against new threats and move from control validation to true exposure validation. [Threat Validation Demo] [From Control Validation to Exposure Validation]

What is the MITRE ATT&CK framework and how does Cymulate use it?

The MITRE ATT&CK framework is a globally recognized knowledge base of adversary tactics and techniques. Cymulate aligns its attack simulations with MITRE ATT&CK, enabling organizations to test their defenses against real-world attack scenarios and improve detection and response. [Source]

What is Cymulate's Exposure Management Platform?

Cymulate's Exposure Management Platform is a unified solution that integrates continuous threat validation, exposure prioritization, attack path discovery, and automated mitigation. It helps organizations manage and reduce their cyber risk by providing actionable insights and automating security validation processes. [Source]

How does Cymulate's Automated Mitigation feature work?

Cymulate's Automated Mitigation feature integrates with security controls to push updates for immediate prevention of threats. It enables organizations to respond quickly to validated exposures by automating the remediation process. [Source]

What is the difference between control validation and exposure validation?

Control validation tests whether security controls are functioning as intended, while exposure validation goes further by simulating real-world attack scenarios to determine what is actually exploitable in your environment. Cymulate enables organizations to move from basic control validation to comprehensive exposure validation. [Source]

How does Cymulate support different security roles and teams?

Cymulate provides tailored solutions for CISOs, SecOps teams, Red Teams, and Vulnerability Management teams. Each persona benefits from features like quantifiable metrics, automated testing, actionable insights, and efficient vulnerability prioritization. [CISO] [SecOps] [Red Teams] [Vulnerability Management]

What are some real-world case studies of Cymulate in action?

Cymulate has helped organizations like Hertz Israel reduce cyber risk by 81% in four months, and Nemours Children's Health improve detection in hybrid and cloud environments. More case studies are available on the Cymulate website. [Case Studies]

Where can I find a glossary of cybersecurity terms?

Cymulate provides a continuously updated glossary of cybersecurity terms, acronyms, and jargon. You can access it at our Glossary page.

Features & Capabilities

What are the key features of Cymulate's platform?

Cymulate offers continuous threat validation, unified exposure management, attack path discovery, automated mitigation, AI-powered optimization, complete kill chain coverage, an extensive threat library, and an intuitive interface. These features help organizations improve security posture, operational efficiency, and threat resilience. [Source]

How does Cymulate integrate with other security technologies?

Cymulate integrates with a wide range of security technologies, including Akamai Guardicore, AWS GuardDuty, BlackBerry Cylance OPTICS, Carbon Black EDR, Check Point CloudGuard, Cisco Secure Endpoint, CrowdStrike Falcon, Wiz, SentinelOne, and more. For a full list, visit our Partnerships and Integrations page.

What is Cymulate's Threat (IoC) updates feature?

The Threat (IoC) updates feature provides recommended Indicators of Compromise that can be exported and applied directly to security controls, improving threat resilience by enabling rapid defense against new threats. [Source]

How does Cymulate support a threat-informed defense strategy?

Cymulate supports a threat-informed defense by continuously validating security controls against the latest threats and attack techniques, ensuring defenses are always prepared for current and emerging adversarial methods. [Source]

What is Cymulate's approach to continuous threat validation?

Cymulate provides 24/7 automated attack simulations, validating security posture in real-time and ensuring organizations stay ahead of emerging threats. [Source]

How does Cymulate's platform help with operational efficiency?

Cymulate automates security validation processes, saving up to 60 hours per month in testing new threats and increasing team efficiency by up to 60%. [Source]

What is Cymulate's implementation process and how easy is it to start?

Cymulate is designed for quick, agentless deployment with minimal resources required. Customers can start running simulations almost immediately, supported by comprehensive documentation, email and chat support, and educational resources. [Source]

What feedback have customers given about Cymulate's ease of use?

Customers consistently praise Cymulate for its intuitive, user-friendly interface and actionable insights. Testimonials highlight easy implementation, accessible support, and immediate value in identifying security gaps. [Source]

What security and compliance certifications does Cymulate hold?

Cymulate holds SOC2 Type II, ISO 27001:2013, ISO 27701, ISO 27017, and CSA STAR Level 1 certifications, demonstrating adherence to industry-leading security and privacy standards. [Source]

How does Cymulate ensure data security and privacy?

Cymulate uses encryption for data in transit (TLS 1.2+) and at rest (AES-256), secure AWS-hosted data centers, a tested disaster recovery plan, and a dedicated privacy and security team including a DPO and CISO. [Source]

Is Cymulate GDPR compliant?

Yes, Cymulate incorporates data protection by design and maintains GDPR compliance, supported by a dedicated privacy and security team. [Source]

Pricing & Plans

What is Cymulate's pricing model?

Cymulate uses a subscription-based pricing model tailored to each organization's requirements. Pricing depends on the chosen package, number of assets, and scenarios selected. For a detailed quote, you can schedule a demo.

Competition & Comparison

How does Cymulate differ from traditional security validation tools?

Cymulate offers a unified platform that combines Breach and Attack Simulation, Continuous Automated Red Teaming, and Exposure Analytics. It provides continuous, automated, and comprehensive validation, unlike traditional tools that rely on point-in-time assessments or manual penetration tests. [Source]

What are the advantages of Cymulate for different user segments?

CISOs benefit from quantifiable metrics and strategic alignment, SecOps teams gain operational efficiency, Red Teams access automated offensive testing, and Vulnerability Management teams improve prioritization and validation. [CISO] [SecOps] [Red Teams] [Vulnerability Management]

How does Cymulate's Exposure Validation compare to manual penetration tests?

Cymulate's Exposure Validation provides automated, continuous testing with a large library of attack actions, easy integrations, and automated mitigation, overcoming the limitations of infrequent and manual pen tests. [Source]

Use Cases & Benefits

Who can benefit from using Cymulate?

Cymulate is designed for organizations of all sizes and industries, including finance, healthcare, retail, media, transportation, and manufacturing. It supports roles such as CISOs, SecOps teams, Red Teams, and Vulnerability Management teams. [Source]

What problems does Cymulate solve for security teams?

Cymulate addresses fragmented security tools, resource constraints, unclear risk prioritization, cloud complexity, communication barriers, inadequate threat simulation, operational inefficiencies, and post-breach recovery challenges. [Source]

How does Cymulate help with risk prioritization?

Cymulate validates exploitability and ranks exposures based on prevention and detection capabilities, business context, and threat intelligence, helping organizations focus on the most critical vulnerabilities. [Source]

What measurable outcomes have Cymulate customers achieved?

Customers have reported a 52% reduction in critical exposures, a 60% increase in team efficiency, and an 81% reduction in cyber risk within four months. [Hertz Israel Case Study]

How does Cymulate help organizations with cloud security validation?

Cymulate secures hybrid and cloud infrastructures through automated compliance and regulatory testing, helping organizations address new attack surfaces and validation challenges introduced by cloud environments. [Source]

What is Cymulate's vision and mission?

Cymulate's vision is to transform cybersecurity practices by enabling organizations to proactively validate their defenses, identify vulnerabilities, and optimize their security posture, fostering a collaborative environment for lasting improvements. [Source]


Havoc Across the Cyberspace

February 24, 2023

The infection chain utilized by the threat actors for delivering the Havoc Demon on the target machines commences with a ZIP archive named "ZeroTwo.zip" consisting of two files, "character.scr" and "Untitled Document.docx". The screen saver file "character.scr" is a downloader commissioned to download and execute the Havoc Demon Agent on the victim machine.

The downloader binary is compiled using a BAT to EXE converter, "BAT2EXE", which allows users to convert Batch scripts into executables, as shown in the screenshot below. Once executed, the BAT2EXE-compiled binary loads and decrypts the Batch script from the .rsrc section. The binary then writes the decrypted BAT script to the Temp folder and executes it.

The decrypted BAT script, upon execution, performs the following tasks:
- Checks whether "teste.exe" exists in the Temp folder; if not, it downloads the final payload from http[:]//146[.]190[.]48[.]229/pics.exe, saves it as "seethe.exe" in the Temp folder via Invoke-WebRequest, and then executes it using "start seethe.exe".
- Checks whether "testv.exe" exists in the Temp folder; if not, it downloads an image from "https[:]//i[.]pinimg[.]com/originals/d4/20/66/d42066e9f8c4b75a0723b8778c370f1d.jpg", saves it as images.jpg in the Temp folder, and opens it.

Havoc Demon is the implant generated via the Havoc Framework, a modern and malleable post-exploitation command and control framework created by @C5pider. The downloaded payload "pics.exe" is the "Shellcode Loader", which is signed using Microsoft's digital certificate. Upon execution, the Shellcode Loader first disables Event Tracing for Windows (ETW) by patching the WinAPI "EtwEventWrite()", the function responsible for writing an event.
ETW patching process:
- Retrieves the module handle of ntdll.dll via GetModuleHandleA.
- Retrieves the address of EtwEventWrite via GetProcAddress.
- Changes the protection of the region via VirtualProtect and then overwrites the first 4 bytes of EtwEventWrite with the following bytes: 0x48, 0x33, 0xC0, 0xC3 (xor rax, rax | ret).

By patching the EtwEventWrite function, ETW can no longer write any events, which effectively disables ETW for the process.

The payload then AES-decrypts the shellcode using CryptDecrypt(), as shown in the screenshot below; in this case the Algorithm ID used is "0x00006610", i.e. AES-256.

Once the shellcode is decrypted, it is executed via CreateThreadpoolWait():
- An event object is created in a signaled state via CreateEventA().
- RWX memory is allocated via VirtualAlloc() and the shellcode is written into it.
- A wait object is created using CreateThreadpoolWait, with the first argument (the callback function) set to the address of the shellcode.
- The wait object is set via the NtApi "TpSetWait", and finally WaitForSingleObject is called. Because the event was created in a signaled state, the wait is satisfied immediately and the callback, i.e. the decrypted shellcode, is executed, transferring control flow to the shellcode.

KaynLdr - Shellcode

The shellcode in this case is "KaynLdr", which is commissioned to reflectively load Havoc's Demon DLL implant by calling its entrypoint function. Once the shellcode is executed, it retrieves the image base of the Demon DLL, which is embedded in the shellcode itself, by executing an inline assembly function called KaynCaller.
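A defender-side check for the EtwEventWrite patch described in the ETW patching process above, as an added example (not code from the original post or from the Havoc project). The clean and patched prologue bytes are constructed for the demonstration; in practice the in-memory bytes come from the target process and the clean copy from ntdll.dll on disk, so the comparison catches any inline patch, not only the stub the post reports.

```python
"""Integrity check of the EtwEventWrite prologue (added example)."""
from typing import Optional

# Return stubs commonly written over EtwEventWrite. The first is the one the
# post reports (0x48 0x33 0xC0 0xC3); the others are well-known variants
# added here as extra detection content.
KNOWN_STUBS = {
    bytes.fromhex("4833c0c3"): "xor rax, rax; ret",
    bytes.fromhex("33c0c3"): "xor eax, eax; ret",
    bytes.fromhex("b800000000c3"): "mov eax, 0; ret",
    bytes.fromhex("c3"): "ret",
}


def classify_stub(prologue: bytes) -> Optional[str]:
    """Name the stub if the prologue starts with a known one, else None.
    Longer patterns are tried first so a bare 'ret' does not shadow them."""
    for pattern in sorted(KNOWN_STUBS, key=len, reverse=True):
        if prologue.startswith(pattern):
            return KNOWN_STUBS[pattern]
    return None


def check_etw_prologue(in_memory: bytes, on_disk: bytes, n: int = 8) -> dict:
    """Compare the first n bytes of EtwEventWrite in memory with the clean
    on-disk copy. Any difference is an inline patch; the stub table then
    labels the patch when it is a known one."""
    mem, disk = in_memory[:n], on_disk[:n]
    patched = mem != disk
    first_diff = next(
        (i for i, (a, b) in enumerate(zip(mem, disk)) if a != b), None
    )
    return {
        "patched": patched,
        "stub": classify_stub(mem) if patched else None,
        "first_diff": first_diff,
    }


# Constructed sample data: a plausible clean x64 prologue (sub rsp, 0x38;
# mov r10, rcx; xor r8d, r8d) and the same bytes after the 4-byte patch.
CLEAN_PROLOGUE = bytes.fromhex("4883ec38" "4c8bd1" "4533c0")
PATCHED_PROLOGUE = bytes.fromhex("4833c0c3") + CLEAN_PROLOGUE[4:]

if __name__ == "__main__":
    print("clean  :", check_etw_prologue(CLEAN_PROLOGUE, CLEAN_PROLOGUE))
    print("patched:", check_etw_prologue(PATCHED_PROLOGUE, CLEAN_PROLOGUE))
```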
KaynLdr then performs an API hashing routine in order to resolve the virtual addresses of various NTAPIs by walking the export address table of ntdll.dll (Function: LdrFunctionAddr); the base address of ntdll.dll is first retrieved by walking the Process Environment Block (Function: LdrFunctionAddr). The virtual addresses of the required module and NTAPIs are retrieved using this API hashing routine, in which the hardcoded DJB2 hashes are compared with a hash generated at runtime.

The embedded Demon DLL is then memory-mapped, and base relocations are applied if required, in a memory page allocated by calling NtAllocateVirtualMemory(). The page protections are changed via multiple calls to NtProtectVirtualMemory. The Demon DLL is mapped into the allocated memory without its DOS and NT headers in order to evade detection mechanisms. Once the Demon DLL is mapped, KaynDllMain, the entrypoint of the DLL, is executed by KaynLdr as shown below, and from there control is transferred to the Havoc Demon DLL implant.

The entrypoint of the Havoc Demon DLL is executed by KaynLdr as discussed previously. As the Havoc Demon has many features, this blog focuses on only a few of them; the rest can be deduced from its source at https://github.com/HavocFramework/Havoc

Once the Havoc Demon is executed, four functions are called by DemonMain():
- DemonInit
- DemonMetaData
- DemonConfig
- DemonRoutine

DemonInit is the initialization function, which:
- Retrieves the virtual addresses of functions from modules such as ntdll.dll/kernel32.dll by calling the API hashing routine discussed previously.
- Retrieves syscall stubs for various NTAPIs.
- Loads various modules by walking the PEB with stacked strings.
- Initializes the Session and Config objects, such as the Demon AgentID, ProcessArch, etc.
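An analyst helper for the API hashing routine described above, as an added example (not code from the original post or from the Havoc project): it builds a DJB2 hash-to-name table so hardcoded constants recovered from the loader can be labelled. The post only says "DJB2", so the classic variant used here (seed 5381, hash = hash * 33 + byte, truncated to 32 bits, case-sensitive) and the candidate export names are assumptions to be confirmed against the sample's disassembly.

```python
"""DJB2 hash table for labelling hardcoded API hashes (added example)."""
from typing import Dict, Iterable, List, Optional, Tuple


def djb2(name: bytes, seed: int = 5381) -> int:
    """Classic DJB2: h = h * 33 + byte, kept to 32 bits. Seed and width are
    assumptions; KaynLdr's exact variant must be read from the sample."""
    h = seed
    for b in name:
        h = ((h << 5) + h + b) & 0xFFFFFFFF
    return h


# Candidate names: the module and NTAPIs the post mentions plus one common
# ntdll export. An analyst extends this list with the exports of interest.
CANDIDATE_NAMES: List[bytes] = [
    b"ntdll.dll",
    b"NtAllocateVirtualMemory",
    b"NtProtectVirtualMemory",
    b"EtwEventWrite",
    b"LdrLoadDll",
]


def build_table(names: Iterable[bytes]) -> Dict[int, bytes]:
    """Map hash -> name; a collision between two different names would make
    the lookup ambiguous, so it is reported instead of silently overwritten."""
    table: Dict[int, bytes] = {}
    for n in names:
        h = djb2(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]!r} vs {n!r}")
        table[h] = n
    return table


def resolve(h: int, table: Dict[int, bytes]) -> Optional[bytes]:
    """Return the export name for a hardcoded hash, or None if not in table."""
    return table.get(h & 0xFFFFFFFF)


def annotate(hashes: Iterable[int], table: Dict[int, bytes]) -> List[Tuple[str, str]]:
    """Label a list of constants pulled from the loader's disassembly."""
    return [
        (hex(h), (resolve(h, table) or b"<unknown>").decode())
        for h in hashes
    ]


if __name__ == "__main__":
    table = build_table(CANDIDATE_NAMES)
    # Constructed input: the hashes of two known names and one unknown value.
    sample = [djb2(b"NtAllocateVirtualMemory"), djb2(b"EtwEventWrite"), 0xDEADBEEF]
    for const, label in annotate(sample, table):
        print(f"{const:>12}  {label}")
```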
Now let's understand how the configuration is parsed via the DemonConfig() function. DemonConfig parses the configuration by indexing the required values from the config. The following is the configuration of the Demon DLL used in the campaign:

Configuration:
- Sleep: 2 (0x2)
- Injection:
  - Allocate: Native/Syscall (0x2)
  - Execute: Native/Syscall (0x2)
- Spawn:
  - x64: C:\Windows\System32\notepad.exe
  - x86: C:\Windows\SysWOW64\notepad.exe
- Sleep Obfuscation Technique: Ekko (0x2)
- Method: POST
- Host: 146[.]190[.]48[.]229
- Transport Secure: TRUE
- UserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537/36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36

The DemonRoutine() function is the main loop of the malware. It is responsible for connecting to the command and control (C2) server, waiting for tasks from the server, executing those tasks, and then waiting again for more tasks, running indefinitely. It does the following:
- First, it checks whether it is connected to the C2 server. If not, it calls TransportInit() to connect to the server.
- If the connection is successful, it enters the CommandDispatcher() function, a task routine that parses the tasks and executes them until there are no more tasks in the queue.
- If the malware is unable to connect to the C2 server, it keeps retrying the connection.

TransportInit() is responsible for connecting to the C2 server and establishing a session. It first sends the AES-encrypted metadata packet, i.e. the check-in request generated via the DemonMetaData() function, through the PackageTransmit() function, which sends the data over HTTP or SMB depending on the value of the TRANSPORT_HTTP or TRANSPORT_SMB macro. If the transmission is successful, it then decrypts the data received from the TeamServer using AES with the given key and initialization vector.
The decrypted data is then checked against the agent's ID; if they match, the session is marked as connected and the function returns true.

TransportSend() is used to send data to the C2 server. It takes a pointer to the data and its size as input, and optionally returns the received data and its size. It creates a buffer with the data to be sent and, depending on the transport method, sends the data over either HTTP or SMB.

On the TeamServer side, the check-in request with the metadata packet is decrypted and shown on the terminal, with both the encrypted and decrypted details of the packets sent and received.

After the Demon is deployed successfully on the target machine, the server is able to execute various commands on the target system. If the command "whoami" is issued to the payload, it triggers execution of the command and displays the current user running the session. The server logs the command and its response upon execution. Once the command has been executed on the victim machine, the command output is AES-encrypted and sent back to the C2 server.