The description states:  "Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers."

I wanted to like this and perhaps there's much to like but when I'm looking at these types of frameworks, I'm interested in how it can help me.  There's definitely a red team / blue team component to this and maybe that's where this excels but that's of little interest to me.  

This is the first time I've run a dot net application on Linux so that was kind of cool  And in general, it's a cool tool but I don't see how it will aid me.  

Upon finishing the install, we hit the UI with a browser and we're asked to set a username and password:

I can't remember exactly when I had that deja vu feeling but sooner or later, I felt like this framework was similar to Faction.  Faction is another c2 I checked out but it's still in the too early stages although I wanted to like it too.

Anyway, when we get logged in, we see users:

I'm not interested in adding more users, I head over to Listeners:

Admittedly, I got a little confused with Listeners because the instructions indicate that I should (and can) change the URL:

Except you don't change it there, you change it here in the second position, then the first will reflect that change:

When we hit create, we see our Listener setup and waiting:

Now we head over to Launchers and we select a Binary:

I like the idea of a Killdate and I assume that's a nicety when dealing with red team engagements.  Just in case things don't get cleaned up, they are still dead:

I should also point out that your victim needs to have whichever dot net framework installed.  Might want to know that in advance of dropping your implant -- otherwise it requires the download, installation, and relaunching of the implant.

After we generate the implant, we select download:

Just for the sake of testing without interference, I have a Windows 8 install without antivirus.  I figure I need to make sure it's working before I test it with antivirus.  

I download the implant:

I execute it and we get an event in the console:


When we refresh Grunts, we see our connected device:

When we click on the name, we drill down into the info:

When we select Interact, we get to a console window. 

Ah yes, this is where I'm reminded of Faction.  Whoami exists but in order to use other command line commands, we have to append "shell".


That's when I go hunting for help and I find the "shell" command:

Just trying things here and there:



Also, #NoJoy

Something that maybe I don't understand but when we launch the Grunt, the Window stays open.  If you close the window, the Grunt dies.  

Moving along...

We have the option to "hide" the Grunt:

I wonder if we get anything different when going the PowerShell route:

I download it:

I execute it:

We see the Grunt in our console:

Essentially the same as the Binary including the window which stays open.  

At this point, my attention span is waning and I want to see how antivirus reacts to our Grunts:

Nice work everyone!  I should also point out that I've removed the gateway from the machine because I'd like to keep the antivirus mothership from getting a peek at these little guys.

One last test, we fire up the Grunt:

The antivirus is none the wiser and the Grunt appears in our console.

Pretty cool!  I wish it did more that was useful to me.  I should also point out that this UI is designed for a large monitor.  I was originally working in a VM and I had to move out to a larger browser because the scaling is not great at 1440 x 900.