Covenant C2


In light of being advised to use Covenant during the Cybernetics pro labs from HTB and absolutely falling in love with its power, simplicity, and organisation, I decided to type up some notes for myself regarding the installation and basic setup.


See the Installation and Startup documentation for more details on running with Docker.

git clone --recurse-submodules
wget -q -O packages-microsoft-prod.deb
dpkg -i packages-microsoft-prod.deb
apt-get update
sudo apt-get install apt-transport-https
sudo apt-get update
sudo apt-get install dotnet-sdk-3.1
cd Covenant/Covenant
dotnet build
dotnet run

Covenant runs on


The beauty of Covenant listeners is you only need to create one. No more running out of valid ports for reverse shells when you’re pivoting through 6 hosts.


After starting a listener you need to create a launcher; the launcher is what is executed on the target host. When it’s executed it spawns a grunt and you’ll receive a connection back on the Covenant interface.

The launcher tab contains a list of the various launchers that can be generated for the desired listener:

The Binary Launcher page for example:

I found that the Net35 Dot Net Framework Version for the Binary Launcher worked on some hosts but not on others; however, the Net40 version had no problems whatsoever:

After clicking Generate and Download you should have a GruntStager.exe file downloaded to your local machine. Simply upload and run start /B C:\programdata\GruntStager.exe.

Endpoint Protections

If endpoint protections are up to date, then the standard launchers will get picked up. Donut, however, allows you to create undetectable grunt launchers that can evade AV and EDR.
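
The run step above (start /B C:\programdata\GruntStager.exe) can also be examined from process and network telemetry rather than file scanning. The following is an added example, not code from the original post or the Covenant project: it correlates Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records to surface an executable started from the root of a staging folder that then connects out. The staging-folder list and the sample events are constructed assumptions.

```python
import ntpath
import re

# Assumption: folders any local user can typically write to, matched as the
# *direct* parent of the image (installed software normally uses subfolders).
STAGING_DIRS = {r"c:\programdata", r"c:\users\public", r"c:\windows\temp"}
# "start /B" is only visible when cmd.exe was invoked with it (e.g. cmd /c).
START_B = re.compile(r"\bstart\s+/b\b", re.IGNORECASE)

def find_staged_launchers(events):
    """Correlate process-create (1) and network (3) events by ProcessGuid.

    Expects events in time order. Returns one finding per process whose image
    sits directly in a staging folder, with the reasons raising its priority.
    """
    findings = {}
    for ev in events:
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:
            folder = ntpath.dirname(ev["Image"]).lower()
            if folder not in STAGING_DIRS:
                continue
            reasons = ["image directly in " + folder]
            if START_B.search(ev.get("ParentCommandLine", "")):
                reasons.append("parent command line uses start /B")
            findings[guid] = {"image": ev["Image"], "reasons": reasons}
        elif ev["EventID"] == 3 and guid in findings:
            dest = f'{ev["DestinationIp"]}:{ev["DestinationPort"]}'
            findings[guid]["reasons"].append("outbound connection to " + dest)
    return list(findings.values())

# Constructed sample events: field names follow Sysmon, all values are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\programdata\GruntStager.exe",
     "ParentCommandLine": r"cmd.exe /c start /B C:\programdata\GruntStager.exe"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Image": r"C:\programdata\GruntStager.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 80},
    {"EventID": 1, "ProcessGuid": "{B2}",
     "Image": r"C:\ProgramData\Vendor\Updater\update.exe",
     "ParentCommandLine": r"C:\Windows\System32\services.exe"},
    {"EventID": 3, "ProcessGuid": "{B2}",
     "Image": r"C:\ProgramData\Vendor\Updater\update.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

if __name__ == "__main__":
    for finding in find_staged_launchers(SAMPLE_EVENTS):
        print(finding["image"], "->", "; ".join(finding["reasons"]))
```

The vendor updater in a subfolder is ignored, while the executable sitting directly in C:\programdata is reported with all three reasons attached.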