
Covenant is a C2 framework built on .NET Core. It can run on Linux or Windows, so I thought I would do a quick install demo in the lab.

Resources

https://github.com/cobbr/Covenant/wiki/Installation-And-Startup

Prerequisites

Installation

mkdir c:\c2

cd c:\c2

git clone --recurse-submodules https://github.com/cobbr/Covenant

cd

cd Covenant\Covenant

REM set the dotnet path

set PATH=%PATH%;c:\Program Files\dotnet

And finally, it has built and is running:

Open a web browser and navigate to: https://127.0.0.1:7443/

Now we can create a user account:

We create a new user and now we are running:

Notes

You need to set Defender Exclusions:
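One way to keep that exclusion narrow, shown as an added example that is not from the original post or the Covenant project: it excludes only the lab folder, refuses paths that would cover the whole drive or system directories, and gives you a matching removal step. The path C:\c2 is taken from the install steps above; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: scope the Defender exclusion to the lab folder only.
# Assumption: Covenant was cloned under C:\c2, as in the install steps.
$LabPath = 'C:\c2'

function Test-SafeExclusionPath {
    param([Parameter(Mandatory)][string]$Path)
    # The folder must exist and must not be a drive root.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    $full = (Resolve-Path -LiteralPath $Path).Path.TrimEnd('\')
    if ($full -match '^[A-Za-z]:$') { return $false }
    # Refuse any path that equals or contains a system or profile directory,
    # because excluding it would blind Defender for far more than the lab.
    foreach ($p in @($env:SystemRoot, $env:ProgramFiles, $env:USERPROFILE)) {
        if (-not $p) { continue }
        $protected = $p.TrimEnd('\') + '\'
        if ($protected.StartsWith($full + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $false
        }
    }
    return $true
}

function Add-LabExclusion {
    param([string]$Path = $LabPath)
    if (-not (Test-SafeExclusionPath -Path $Path)) {
        throw "Refusing to exclude '$Path': missing folder or path too broad."
    }
    Add-MpPreference -ExclusionPath $Path
    # Confirm the exclusion was actually recorded.
    if ((Get-MpPreference).ExclusionPath -notcontains $Path) {
        throw "Exclusion for '$Path' was not applied."
    }
}

function Remove-LabExclusion {
    param([string]$Path = $LabPath)
    # Run this when the lab is torn down so no stale exclusion remains.
    Remove-MpPreference -ExclusionPath $Path
}

Add-LabExclusion
# List every path exclusion currently set, to spot anything unexpected.
(Get-MpPreference).ExclusionPath
# Remove-LabExclusion   # uncomment when you are finished with the lab
```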

Creating a listener

Launching a grunt

We need to create a Launcher. By default this is set to DotNet3.5; we will change this to DotNet4. We then build and download the grunt, and simply execute it. This will cause it to connect back:

Now we can click on the POWERSHELL symbol: >_ to interact with the grunt:

Useful Commands

| Command | Notes |
| --- | --- |
| WhoAmI | Show the running context |
| seatbelt -group=all | Audit for Privesc |
| Seatbelt AMSIProviders | Check for AMSI Providers (e.g. Security products such as Defender) |
| SharpUp audit | Audit for Privesc |
| BypassAmsi | Patch AMSI |
| ScreenShot | Take a screenshot |
| Keylogger 60 | Keylogs for X seconds (60 in this example) |
| Upload/Download | Transfer Files |
| GetDomainUser | Gets a list of domain users |
| GetDomainGroup | Get a list of domain groups |
| GetDomainComputer | List all domain computer objects |

Summary

In this post we’ve deployed Covenant with a basic setup, had a quick look around and run a few commands. As you can see, this isn’t the end of the setup or the usage of the C2, but it’s a quick intro to getting it up and running on a Windows machine.
