Overview

The config command allows operators to modify the Demon agent’s configuration settings at runtime without regenerating payloads. This enables dynamic adaptation to operational requirements and defensive posture.

Syntax

config [config_key] [config_value]

Configuration Categories

Implant Settings

implant.verbose
boolean
Enable or disable verbose output from the agent.
config implant.verbose true
config implant.verbose false
  • true - Enable detailed logging and output
  • false - Minimal output (default)
implant.sleep-obf.technique
integer
Set the sleep obfuscation technique.
config implant.sleep-obf.technique 2
  • 0 - WaitForSingleObjectEx (no obfuscation)
  • 1 - FOLIAGE
  • 2 - Ekko
implant.sleep-obf.start-addr
string
Configure the return address for stack spoofing during sleep.
config implant.sleep-obf.start-addr ntdll!NtAddBootEntry+0x14
Format: library!function+0xoffset
Example: ntdll!NtAddBootEntry+0x14
implant.coffee.veh
boolean
Enable or disable Vectored Exception Handler for BOF execution.
config implant.coffee.veh true
  • true - Use VEH for exception handling
  • false - Standard exception handling
implant.coffee.threaded
boolean
Enable or disable threaded BOF execution.
config implant.coffee.threaded true
  • true - Execute BOFs in separate threads
  • false - Execute BOFs in main thread

Memory Management

memory.alloc
integer
Set the memory allocation technique.
config memory.alloc 1
  • 0 - VirtualAllocEx (Win32 API)
  • 1 - NtAllocateVirtualMemory (Indirect syscall)
memory.execute
integer
Set the memory protection technique.
config memory.execute 1
  • 0 - VirtualProtectEx (Win32 API)
  • 1 - NtProtectVirtualMemory (Indirect syscall)

Injection Settings

inject.technique
integer
Set the thread creation technique for injection.
config inject.technique 3
  • 0 - Default (configured in profile)
  • 1 - CreateRemoteThread
  • 2 - NtCreateThreadEx (syscall)
  • 3 - NtQueueApcThread (syscall)
inject.spoofaddr
string
Configure return address spoofing for injection.
config inject.spoofaddr kernel32!BaseThreadInitThunk+0x14
Format: library!function+0xoffset
inject.spawn64
string
Set the 64-bit process to spawn for fork & run operations.
config inject.spawn64 C:\Windows\System32\RuntimeBroker.exe
Common options:
  • C:\Windows\System32\werfault.exe
  • C:\Windows\System32\dllhost.exe
  • C:\Windows\System32\RuntimeBroker.exe
  • C:\Windows\System32\svchost.exe
inject.spawn32
string
Set the 32-bit process to spawn for fork & run operations.
config inject.spawn32 C:\Windows\SysWOW64\werfault.exe
Common options:
  • C:\Windows\SysWOW64\werfault.exe
  • C:\Windows\SysWOW64\dllhost.exe
  • C:\Windows\SysWOW64\rundll32.exe
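
For defenders, the spawn targets listed for inject.spawn64 and inject.spawn32 are system binaries that usually start with characteristic arguments and parents, so a bare launch of one of them is a useful triage signal in process-creation telemetry. The Python below is an added example, not code from Havoc or this documentation; the baseline tables, function names and sample events are constructed assumptions to tune against your own environment.

```python
import ntpath

# Argument markers the genuine binaries normally carry on their command line.
# Assumed baseline for illustration; tune it against your own telemetry.
EXPECTED_ARGS = {
    "werfault.exe": ("-p", "-u"),
    "dllhost.exe": ("/processid:",),
    "runtimebroker.exe": ("-embedding",),
    "svchost.exe": ("-k",),
    "rundll32.exe": (",",),
}
# Parents that normally start these binaries (assumed baseline).
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "runtimebroker.exe": {"svchost.exe"},
}

def split_args(command_line):
    """Return the lower-cased argument portion of a Windows command line."""
    rest = command_line.strip()
    if rest.startswith('"'):                 # quoted image path
        end = rest.find('"', 1)
        rest = rest[end + 1:] if end != -1 else ""
    else:                                    # unquoted path without spaces
        rest = rest.partition(" ")[2]
    return rest.strip().lower()

def triage(image, command_line, parent_image):
    """Return reasons a process-creation event deserves review ([] if none)."""
    name = ntpath.basename(image).lower()
    if name not in EXPECTED_ARGS:
        return []
    reasons = []
    args = split_args(command_line)
    if not args:
        reasons.append("no command-line arguments")
    elif not any(marker in args for marker in EXPECTED_ARGS[name]):
        reasons.append("expected argument marker missing")
    parent = ntpath.basename(parent_image).lower()
    if name in EXPECTED_PARENTS and parent not in EXPECTED_PARENTS[name]:
        reasons.append("unexpected parent " + parent)
    return reasons

# Constructed sample events: (image, command line, parent image).
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\svchost.exe",
     r"C:\Windows\System32\svchost.exe -k netsvcs -p", r"C:\Windows\System32\services.exe"),
    (r"C:\Windows\System32\RuntimeBroker.exe",
     r"C:\Windows\System32\RuntimeBroker.exe", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    (r"C:\Windows\SysWOW64\werfault.exe",
     r'"C:\Windows\SysWOW64\werfault.exe"', r"C:\Program Files\App\app.exe"),
]
```

Feed it the image, command line and parent image fields from your process-creation log source; an empty list means the event matched the baseline.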

Operational Security

killdate
string
Set or update the agent’s self-destruct date (UTC).
config killdate "2026-12-31 23:59:59"
config killdate 0  # Disable killdate
Format: YYYY-MM-DD HH:MM:SS (UTC)
When the kill date is reached, the agent will:
  • Clean up artifacts
  • Exit the thread/process
  • Stop communicating with teamserver
workinghours
string
Set the hours during which the agent will call back.
config workinghours "08:00-17:00"
config workinghours 0  # Disable working hours
Format: HH:MM-HH:MM (24-hour format)
Outside working hours, the agent will not check in to the teamserver.

Examples

Configure Maximum OPSEC

# Use indirect syscalls for all operations
config memory.alloc 1
config memory.execute 1
config inject.technique 3

# Enable advanced sleep obfuscation
config implant.sleep-obf.technique 2

# Set legitimate spawn processes
config inject.spawn64 C:\Windows\System32\RuntimeBroker.exe
config inject.spawn32 C:\Windows\SysWOW64\RuntimeBroker.exe

Configure for Speed (Less OPSEC)

# Use faster Win32 APIs
config memory.alloc 0
config memory.execute 0
config inject.technique 1

# Disable sleep obfuscation
config implant.sleep-obf.technique 0

Set Operational Timeframe

# Only operate during business hours (8 AM - 5 PM)
config workinghours "08:00-17:00"

# Set kill date for end of engagement
config killdate "2026-06-30 23:59:59"

Configure BOF Execution

# Enable threaded BOF execution
config implant.coffee.threaded true

# Enable VEH for better error handling
config implant.coffee.veh true

Modify Sleep Obfuscation

# Switch to Ekko sleep obfuscation
config implant.sleep-obf.technique 2

# Configure stack spoofing return address
config implant.sleep-obf.start-addr ntdll!NtAddBootEntry+0x14

Configuration IDs (Internal)

These are the internal command IDs used by the agent (from commands.go:80-98):
CONFIG_IMPLANT_SPFTHREADSTART  = 3   // Sleep obfuscation start address
CONFIG_IMPLANT_VERBOSE         = 4   // Verbose output
CONFIG_IMPLANT_SLEEP_TECHNIQUE = 5   // Sleep obfuscation technique
CONFIG_IMPLANT_COFFEE_THREADED = 6   // Threaded BOF execution
CONFIG_IMPLANT_COFFEE_VEH      = 7   // VEH for BOFs

CONFIG_MEMORY_ALLOC   = 101  // Memory allocation technique
CONFIG_MEMORY_EXECUTE = 102  // Memory protection technique

CONFIG_INJECT_TECHNIQUE = 150  // Thread creation technique
CONFIG_INJECT_SPOOFADDR = 151  // Injection return address spoofing
CONFIG_INJECT_SPAWN64   = 152  // 64-bit spawn process
CONFIG_INJECT_SPAWN32   = 153  // 32-bit spawn process

CONFIG_KILLDATE     = 154  // Agent kill date
CONFIG_WORKINGHOURS = 155  // Working hours restriction

OPSEC Impact

Recommended settings for evasion:
config memory.alloc 1
config memory.execute 1
config inject.technique 3
config implant.sleep-obf.technique 2
config inject.spawn64 C:\Windows\System32\RuntimeBroker.exe
Impact:
  • Uses indirect syscalls to bypass usermode hooks
  • Advanced sleep obfuscation (Ekko)
  • APC-based injection
  • Legitimate spawn process

Return Values

status
string
Configuration update status: Success or Error
config_key
string
The configuration key that was modified
config_value
string
The new value that was set

Verification

After changing configuration, use checkin to verify settings:
config inject.spawn64 C:\Windows\System32\RuntimeBroker.exe
checkin
The checkin output will reflect updated configuration values.

Use Cases

Adapt to Detection

# If injection is being detected, switch techniques
config inject.technique 3

# Change spawn process to avoid signatures
config inject.spawn64 C:\Windows\System32\werfault.exe

Operational Constraints

# Only operate during business hours to blend in
config workinghours "08:00-17:00"

# Set kill date for end of red team engagement
config killdate "2026-05-15 23:59:59"

Performance Tuning

# Speed up operations in lab environment
config memory.alloc 0
config memory.execute 0
config implant.sleep-obf.technique 0

Debugging

# Enable verbose output for troubleshooting
config implant.verbose true

# ... run operations ...

# Disable when done
config implant.verbose false

Notes

  • Configuration changes take effect immediately
  • Settings do not persist across agent restarts
  • Some settings only apply to future operations (e.g., spawn process)
  • Kill date and working hours are checked during sleep cycles
  • Invalid values may cause errors or be silently ignored
  • Use checkin to verify configuration changes
  • Profile defaults are used until explicitly changed with config