Covenant C2


In light of being advised to use Covenant during the Cybernetics pro labs from HTB and absolutely falling in love with its power, simplicity, and organisation, I decided to type up some notes for myself on the installation and basic setup.

Setup


See the Installation and Startup documentation for more details on running with Docker.

# Clone Covenant together with its submodules
git clone --recurse-submodules https://github.com/cobbr/Covenant
# Register the Microsoft package repository (the Ubuntu 19.04 package is used here)
wget -q https://packages.microsoft.com/config/ubuntu/19.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install apt-transport-https
sudo apt-get update
# Install the .NET Core 2.2 SDK that Covenant is built with
sudo apt-get install dotnet-sdk-2.2
# Build and run from the inner Covenant project directory
cd Covenant/Covenant
dotnet build
dotnet run

Covenant then listens on https://0.0.0.0:7443/, i.e. on every interface of the host, so make sure that port is only reachable from where you intend to manage it.


Listeners



The beauty of Covenant listeners is that you only need to create one: no more running out of valid ports for reverse shells when you’re pivoting through 6 hosts.


Launchers


After starting a listener you need to create a launcher; the launcher is what is executed on the target host. When it’s executed it spawns a Grunt and you’ll receive a connection back in the Covenant interface.

The launcher tab contains a list of the various launchers that can be generated for the desired listener:


The Binary Launcher page for example:


I found that the Net35 .NET Framework version of the Binary Launcher worked on some hosts but not on others, whereas the Net40 version had no problems whatsoever:


After clicking Generate and Download you should have a GruntStager.exe file on your local machine. Upload it to the target and run start /B C:\programdata\GruntStager.exe.
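Seen from the other side, the launcher step above leaves a recognisable process-creation trail. As an added example (not part of the original notes or of Covenant itself), the following Python flags such events; the log lines are constructed, and their simplified key=value layout is an assumption rather than a real Sysmon export format.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (Sysmon Event ID 1 style, reduced to
# key=value pairs separated by '|'). Made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=cmd.exe /c start /B C:\\programdata\\GruntStager.exe',
    'Image=C:\\programdata\\GruntStager.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=C:\\programdata\\GruntStager.exe',
    'Image=C:\\Program Files\\Git\\bin\\git.exe|ParentImage=C:\\Windows\\explorer.exe|CommandLine=git pull',
    'Image=C:\\ProgramData\\Vendor\\updater.exe|ParentImage=C:\\Windows\\System32\\services.exe|CommandLine="C:\\ProgramData\\Vendor\\updater.exe" /silent',
]

def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value|key=value' line into a dict (constructed format)."""
    fields = {}
    for part in line.split('|'):
        key, _, value = part.partition('=')
        fields[key] = value
    return fields

# Two signals taken from the post: the default stager file name itself, and the
# more general pattern of a background launch (start /B) of an .exe under C:\ProgramData.
STAGER_NAME = re.compile(r'gruntstager\.exe', re.IGNORECASE)
PROGRAMDATA_START_B = re.compile(r'\bstart\s+/b\s+"?c:\\programdata\\[^\\"\s]+\.exe', re.IGNORECASE)

def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules that match one parsed event."""
    hits = []
    image = event.get('Image', '')
    cmdline = event.get('CommandLine', '')
    if STAGER_NAME.search(image) or STAGER_NAME.search(cmdline):
        hits.append('covenant_gruntstager_name')
    if PROGRAMDATA_START_B.search(cmdline):
        hits.append('start_b_programdata_exe')
    return hits

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run both rules over raw event lines and return only the events that fired."""
    results = []
    for line in lines:
        event = parse_event(line)
        hits = classify(event)
        if hits:
            results.append({'image': event.get('Image', ''), 'rules': hits})
    return results

if __name__ == '__main__':
    for r in scan(SAMPLE_EVENTS):
        print(r['image'], '->', ', '.join(r['rules']))
```

The name rule is trivially defeated by renaming the file, which is why the second rule keys on the launch pattern rather than the filename; the legitimate updater in the sample is not flagged because it is started by the service manager, not via start /B.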


Endpoint Protections


If endpoint protections are up-to-date then the standard launchers will get picked up; donut, however, allows you to create undetectable Grunt launchers that can evade AV and EDR.