
Covenant C2

After being advised to use Covenant during the Cybernetics pro labs from HTB and absolutely falling in love with its power, simplicity, and organisation, I decided to type up some notes for myself on the installation and basic setup.

Setup


See the Installation and Startup documentation for more details on running with Docker.

# Clone Covenant together with its submodules
git clone --recurse-submodules https://github.com/cobbr/Covenant
# Add the Microsoft package repository and install the .NET Core 2.2 SDK
wget -q https://packages.microsoft.com/config/ubuntu/19.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install apt-transport-https
sudo apt-get update
sudo apt-get install dotnet-sdk-2.2
# Build and start the Covenant server
cd Covenant/Covenant
dotnet build
dotnet run

Covenant runs on https://0.0.0.0:7443/.


Listeners



The beauty of Covenant listeners is that you only need to create one. No more running out of valid ports for reverse shells when you're pivoting through 6 hosts.


Launchers


After starting a listener you need to create a launcher; the launcher is what is executed on the target host. When it's executed it spawns a grunt and you'll receive a connection back in the Covenant interface.

The launcher tab contains a list of the various launchers that can be generated for the desired listener:


The Binary Launcher page for example:


I found that the Net35 .NET Framework version of the Binary Launcher worked on some hosts but not on others, whereas the Net40 version had no problems whatsoever:


After clicking Generate and Download you should have a GruntStager.exe file downloaded to your local machine. Simply upload it to the target and run start /B C:\programdata\GruntStager.exe.
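From the defender's side, the default launcher leaves a few recognisable traces: the stock file name GruntStager.exe, an executable launched from C:\programdata, and the start /B wrapper. The following is an added example (not part of the original post or of Covenant) that runs three simple rules over constructed, Sysmon-style process-creation records; the rule names, field names and sample events are this example's own assumptions.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style fields),
# not real telemetry. Records 2 and 3 mirror the launcher usage described above.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\ProgramData\GruntStager.exe",
     "CommandLine": r"C:\programdata\GruntStager.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start /B C:\programdata\GruntStager.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Program Files\App\app.exe",
     "CommandLine": "app.exe --service",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Hypothetical rule names; each tuple is (name, field to inspect, pattern).
RULES = [
    ("default_stager_name", "CommandLine", re.compile(r"GruntStager\.exe", re.IGNORECASE)),
    ("exe_from_programdata", "Image", re.compile(r"^C:\\ProgramData\\[^\\]+\.exe$", re.IGNORECASE)),
    ("background_start", "CommandLine", re.compile(r"\bstart\s+/B\b", re.IGNORECASE)),
]


def evaluate(event):
    """Return the names of all rules that match one process-creation event, in rule order."""
    return [name for name, field, pattern in RULES if pattern.search(event[field])]


def scan(events):
    """Return (Image, matched rule names) for every event that triggers at least one rule."""
    findings = []
    for event in events:
        hits = evaluate(event)
        if hits:
            findings.append((event["Image"], hits))
    return findings


if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The file-name rule is the weakest of the three, since it depends on the operator keeping the default name; the path and the parent-process context carry more weight, which is why the rules are layered rather than relied on individually.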


Endpoint Protections


If endpoint protections are up to date, the standard launchers will get picked up; donut, however, allows you to create undetectable grunt launchers that can evade AV and EDR.

This post is licensed under CC BY 4.0 by the author.