Kharon Agent: Advanced Post-Exploitation Techniques for Cybersecurity Professionals

Listen to this Post

Featured Image

Introduction

The Kharon Agent, developed by security researcher Josué M., is a cutting-edge Mythic-based post-exploitation tool designed for advanced red teaming and penetration testing. With features like lateral movement, in-memory execution, and evasion techniques, it provides cybersecurity professionals with powerful capabilities to simulate real-world attacks. This article explores its key functionalities and provides actionable commands for testing and defense.

Learning Objectives

  • Understand Kharon Agent’s post-exploitation capabilities
  • Learn how to execute lateral movement techniques like WinRM and WMI
  • Explore evasion methods such as hardware breakpoints for bypassing AMSI/ETW

1. Lateral Movement with WinRM (Without PowerShell)

Command:

kharon lateral --technique winrm --target 192.168.1.100 --username admin --hash <NTLM_HASH> 

Step-by-Step Guide:

  1. Replace `192.168.1.100` with the target IP and `` with the captured hash.
  2. The agent uses native WinRM APIs (no PowerShell) for stealthier movement.

3. Verify execution via the Mythic C2 console.

2. In-Memory Execution of .NET Assemblies

Command:

kharon execute --assembly /path/to/SharpHound.exe --args "--CollectionMethod All" 

Step-by-Step Guide:

  1. Loads .NET assemblies directly into memory, avoiding disk writes.
  2. Supports Beacon Object Files (BOFs) for C2 integration.

3. Monitor execution logs in Mythic for output.

3. Bypassing AMSI/ETW with Hardware Breakpoints

Command:

kharon evade --technique hwbp --process explorer.exe 

Step-by-Step Guide:

  1. Targets a process (e.g., explorer.exe) to patch AMSI/ETW in memory.
  2. Uses hardware breakpoints to avoid API hook detection.

3. Validate bypass with `amsi.dll` memory inspection.

4. Kerberos Ticket Manipulation (Rubeus-like)

Command:

kharon kerberos --action asktgt --user victim --password P@ssw0rd --domain corp.local 

Step-by-Step Guide:

1. Requests a TGT for the specified user/domain.

2. Supports `/ptt` (Pass-the-Ticket) and `/dump` functions.

3. Export tickets for offline analysis with Mimikatz.

5. Unmanaged PowerShell Execution

Command:

kharon powershell --script /path/to/script.ps1 --no-amsi 

Step-by-Step Guide:

1. Executes PowerShell scripts without loading `System.Management.Automation.dll`.

  1. Bypasses script logging and AMSI via direct CLR invocation.

3. Use `–no-amsi` to disable AMSI scans.

6. SMB/HTTP Listener Configuration

Command:

kharon listener --protocol smb --port 445 --name smb_c2 

Step-by-Step Guide:

  1. Sets up an SMB listener for C2 communication.

2. HTTP/S listeners support SSL encryption (`–cert /path/to/cert.pem`).

3. Test connectivity with `net use \\192.168.1.100\share`.

7. Exploiting WMI for Lateral Movement

Command:

kharon lateral --technique wmi --target 192.168.1.101 --username admin --password P@ssw0rd 

Step-by-Step Guide:

1. Authenticates via WMI to execute commands remotely.

  1. Avoids `svchost.exe` spawning with direct COM API calls.

3. Mitigation: Restrict WMI permissions via GPO.

What Undercode Say:

  • Key Takeaway 1: Kharon Agent’s hardware breakpoint evasion is a game-changer for bypassing EDR.
  • Key Takeaway 2: Unmanaged PowerShell execution reduces detection risks significantly.

Analysis:

Kharon’s integration of advanced techniques (e.g., Kerberos manipulation, WinRM without PowerShell) positions it as a formidable post-exploitation tool. Defenders should monitor for unusual WMI/SMB traffic and enforce AMSI/ETW hardening. Future updates may include kernel-mode rootkits, raising the bar for detection.

Prediction:

As offensive tools like Kharon evolve, enterprises must adopt memory scanning, restricted admin access, and behavioral analytics to counter in-memory attacks. The line between red teaming and APT tooling will continue to blur.

References:

IT/Security Reporter URL:

Reported By: Josu%C3%A9 M – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin