building-red-team-c2-infrastructure-with-havoc

Fail

Audited by Socket on Mar 16, 2026

5 alerts found:

Obfuscated File, Security x3, Malware

Obfuscated File: HIGH
assets/template.md

The artifact is a clear operational playbook for offensive C2 operations. While it can be legitimate for authorized red-team engagements, the document contains explicit guidance for payload delivery, lateral movement, evasion, and cleanup that makes it high-risk if discovered in a software dependency or public repository. The file should be treated as sensitive: remove it from public packages/repos, audit related artifacts (payloads, keys), and verify authorization before use. Mitigations include removing plaintext credentials, restricting repository access, and ensuring such templates are tracked only in controlled, legal engagements.

Confidence: 98%

Security: MEDIUM
SKILL.md

SUSPICIOUS: the skill is internally consistent with its stated purpose, but that purpose is to give an AI agent full offensive C2 and post-exploitation capability. Official-source install steps reduce pure supply-chain concern, yet the skill still poses high security risk due to exploit tooling, credential access, remote file transfer, lateral movement, and disabled TLS verification in the redirector example.

Confidence: 96%, Severity: 95%

Security: MEDIUM
scripts/agent.py

The script is a management/automation client for a Havoc C2 server that can enumerate agents/listeners, create listeners (HTTPS/SMB), and generate payloads. It is dual-use: appropriate for authorized red-team or lab use but dangerous if used against unauthorized targets. I found no obfuscated code or hidden backdoors in this file, but there are insecure choices (verify=False, token passed on CLI, lack of input validation) and explicit functionality that enables offensive/cloud-native C2 operations. If you intend to use this, run only in authorized environments, secure the API token, enable TLS verification, and avoid storing reports with sensitive data in insecure locations.

Confidence: 78%, Severity: 90%

Malware: HIGH
references/workflows.md

This content is an explicit operational playbook and IaC for deploying and operating Havoc command-and-control infrastructure and associated malicious payloads. It contains strong, explicit indicators of malicious intent (C2 setup, payload generation, evasion and OPSEC techniques). The Terraform automates provisioning and execution (user_data) that will install and run offensive tooling. Treat this as malicious and high risk; do not deploy or include in trusted supply chains.

Confidence: 95%, Severity: 95%

Security: MEDIUM
references/api-reference.md

The provided document is an API specification for a C2 framework with explicit offensive capabilities (payload generation, listener management, agent command/control). It is dual-use: legitimate for authorized red-team operations but high-risk if misused or if credentials are compromised. The specification shows built-in evasion and persistence techniques and lacks described operational safeguards. Treat any implementation as high-risk: apply strict access control, isolation, auditing, and operational controls before use.

Confidence: 75%, Severity: 85%

Audit Metadata

Analyzed At: Mar 16, 2026, 07:58 AM
Package URL: pkg:socket/skills-sh/mukul975%2FAnthropic-Cybersecurity-Skills%2Fbuilding-red-team-c2-infrastructure-with-havoc%2F@3b54fb8d653b632f43d2740e5ea979d40f9ca014