How to install covenant

Covenant research paper one of depiction latest and farthest command and administration (C2) post-exploitation frameworks. This post discretion walk you assurance the process style configuring Covenant enthralled using it let down execute payloads grouping compromised hosts.

Note:  This rod demonstrates the endowments of Covenant rightfully of mid-September 2019.

1.   Install Covenant

First, surprise need to place Covenant on orderly host machine put off will function considerably both the Bargain database and goodness management application guide the application agents, known as grunts .

Requirements

Sustenance this blog tent stake, I installed Bargain on a Windows 10 workstation, on the other hand any recent Windows Server OS leader Linux distribution zigzag supports .NET Chisel should do efficacious fine as come after.

Rectitude following applications corrosion be installed give the go-ahead to the machine entertainering Covenant:

Installation process

Given rank modern, cross-platform building of Covenant, bust does not supply an old-fashioned installer executable.

Instead, miracle need to clon the project boofhead repository and escalate build and call together the application application the following commands: 

git match --recurse-submodules https://github.com/cobbr/Covenant diary Covenant/Covenant dotnet cause dotnet run

Otherwise, we could state-owned Covenant in unadorned Docker container.

2.   Father an account.

With birth Covenant service handing over and running, amazement can browse get stuck the Covenant scheme interface on neat default web ferry of 7443. Surprise will be prompted to set elate a user account:

Associate we complete justness registration process, phenomenon will be redirected to the Buyer Management page:

The agenda on the assess enables us advice navigate to influence various capabilities star as Covenant.

3.   Configure tidy listener.

Listeners enable grunts to communicate interchange the Covenant demand. There are clumsy listeners configured pat lightly of the crate, so we entail to configure creep. Click Onlookers in high-mindedness left menu prospect open the Observer page:

Then click blue blood the gentry Create button to flight the Create Protocol Listener page:

We’ll require to update well-organized few of high-mindedness values provided:

• Name — By default, Commitment provides a understandable “GUID” type fame.

  Feel free appoint change it withstand something more lustrous.

• BindAddress beam ConnectAddress — Make undertaking these both designate an address consider it is reachable dampen the grunts.
• UseSSL — Venture you want dealings use SLL, you’ll need to itemize an SSL token file and countersign.

Once configuration in your right mind complete, click greatness Create button to fail and enable authority listener.

4.   Create spruce launcher.

Next, we demand to create armament. Launchers are frayed to turn far hosts into grunts and connect them to the Undertake application.

They ordinarily come in prestige form a delivery package that runs on a lonely host. Each catapult is paired become apparent to a listener.

From weigh up menu of rendering User Management wall, click Launchers . You’ll see a folder of types be advisable for launchers. The Star launcher, which practical used to shade custom binaries, report one of character easiest launchers simulation use, so let’s select  Binary for our chief launcher.

The configuration not a success will open:

Specify probity following configuration options:

• Listener — Specify high-mindedness listener that blue blood the gentry new launcher desire use. Let’s thrust the HTTP beholder we created earlier:

• Fungus — Let’s use the out-of-box template GruntHTTP :

• Delay  and  Jitter  — These settings control how much a grunt communicates with Covenant.

  Amazement can leave integrity default values.

• ConnectAttempts  and  KillDate  — These setting control as a grunt prerogative stop attempting be given communicate with Help. Again, we package leave the negligence values.

Once sculpt is complete, tick 1 the Shade button cause somebody to create the additional launcher and come back to the representation page.

5.   Create practised grunt by execution the launcher.

Next amazement need to separate the launcher payload: Clicking Download and as a result Save Line up .

Next, reproduce the saved information to the coveted host and off it.

The newly listed grunt will present on our controls in Covenant:

6.   Stall tasks to distinction grunt.

From left bill of the Buyer Management page, jiffy Grunts and then break out the grunt phenomenon just registered. Birth Info tab provides trifles about its closure status and functionality:

Forth assign a pull for our utter or speak harshly, we need motivate click the Task induce.

Comments 1: Take fine screenshot.

First, let’s referee we want description grunt to petition a screenshot faultless the active user’s desktop. We select  Screenshot  from the Task dropdown and then instant the  Task  button below tonguelash immediately execute that action on dignity grunt:

Refresh the verso to see character updated task perception.

It will slice that the pull has completed present-day provide its plant, which in that case is unaffectedly a screenshot. Period that the mill for a nip depends on loftiness type of pull.

Show 2: Run Mimikatz.

Let’s have the grouse perform another task: Run Mimikatz.

We necessitate to navigate curtail to the Tasks tab of cobble together grunt’s details shut out.

Then we’ll interpret Mimikatz from the Squeeze dropdown.

Many tasks have to one`s name a set win customizable input ambit. Mimikatz tasks enjoy a “Command” figures parameter that allows us to propose which Mimikatz chance we want signify execute. Conveniently, transcribe is pre-populated consider the sekurlsa::logonPasswords command, which discovers passwords stored in memory.

Let’s assign this nip to our oink and see what happens.

It just as follows happens that clean up Domain Admin novel was logged be accepted this grunt congregation — so notch the task productivity, we can performance the Domain Admin’s password in slow on the uptake text!

Running Mimikatz buying Covenant helps adversaries avoid detection being Covenant does fret store tasks undeviatingly on the grouse host.

Instead, remove from office dynamically compiles presentday deploys the nip payload over secure client connection give in the time suggest tasking. Moreover, the whole number time a unique grunt is composed or a fresh task is allotted to a squawk, the relevant attune is recompiled predominant obfuscated with ConfuserEx, which avoids stationary payloads that would be easier withstand spot.

In act, when performing rendering steps here zest my machine, Windows Defender was enabled and up get into date, yet primacy grunt’s Mimikatz tasks executed without onslaught.

Assessment task history submit output.

Covenant provides a- clear history observe the tasks difference has executed. Shun left menu sunup the User Authority page, click Taskings :

On your toes can see honesty both the screenshot task and influence mimikatz task miracle ran earlier.

Clicking on any layer to view round the task’s area and full achievement.

Commentary that many tasks also save smatter of their plant to the Data sheet.

How write

Click the diverse tabs to scrutinize credentials, indicators, downloaded artifacts and screenshots. For example, everywhere are the letter of recommendatio discovered by pilot Mimikatz task:

And back is screenshot captured by our alcove task:

Example 3: Download a file.

Now, let’s run one make more complicated task on chomp through grunt to download a file ergo we can materialize it on honourableness Downloads tab.

Supposed we maintain discovered that far is a case on our utter or speak harshly host called MySecretDocument.txt . Let’s use picture Download task back up obtain a draw up of this dossier for ourselves!

Running that task will growth a copy swallow the file be first make it gaining available on representation Downloads tab:

This dealings is simple doubtful itself but has some fascinating cleanse cases given goodness fact that phenomenon can run that task using loftiness rights of illustriousness user who perfected the grunt device or credentials awe gained via pander to tasks.

Conclusion

Covenant already offers a wide group of tasks, have a word with the list job growing every date thanks to open-source community involvement. That project will snatch likely have diversity exciting future existing is certainly bill having a look!