Covenant

Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed "Grunts" that communicate back to the controller.[1][2]

ID: S1155
Type: TOOL
Platforms: Linux, macOS, Windows
Contributors: Subhash Thapa
Version: 1.0
Created: 04 September 2024
Last Modified: 06 September 2024

Techniques Used

Domain | ID | Name | Use
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Covenant can establish command and control via HTTP.[1]
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Covenant can create PowerShell-based launchers for Grunt installation.[1]
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Covenant provides access to a Command Shell in Windows environments for follow-on command execution and tasking.[1]
Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Covenant can utilize SSL to encrypt command and control traffic.[1]
Enterprise | T1571 | Non-Standard Port | Covenant listeners and controllers can be configured to use non-standard ports.[1]
Enterprise | T1218.004 | System Binary Proxy Execution: InstallUtil | Covenant can create launchers via an InstallUtil XML file to install new Grunt listeners.[1]
Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Covenant can create HTA files to install Grunt listeners.[1]
Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Covenant can create SCT files for installation via Regsvr32 to deploy new Grunt listeners.[1]
Enterprise | T1082 | System Information Discovery | Covenant implants can gather basic information on infected systems.[1]
Enterprise | T1047 | Windows Management Instrumentation | Covenant can utilize WMI to install new Grunt listeners through XSL files or command one-liners.[1]

Groups That Use This Software

ID | Name | References
G0125 | HAFNIUM | HAFNIUM used Covenant for command and control following compromise of internet-facing servers.[2]

References