Covenant
Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed "Grunts" that communicate back to the controller.[1][2]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Covenant can create PowerShell-based launchers for Grunt installation.[1] |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
Covenant provides access to a Command Shell in Windows environments for follow-on command execution and tasking.[1] |
||
| Enterprise | T1573 | .002 | Encrypted Channel: Asymmetric Cryptography |
Covenant can utilize SSL to encrypt command and control traffic.[1] |
| Enterprise | T1571 | Non-Standard Port |
Covenant listeners and controllers can be configured to use non-standard ports.[1] |
|
| Enterprise | T1218 | .004 | System Binary Proxy Execution: InstallUtil |
Covenant can create launchers via an InstallUtil XML file to install new Grunt listeners.[1] |
| .005 | System Binary Proxy Execution: Mshta |
Covenant can create HTA files to install Grunt listeners.[1] |
||
| .010 | System Binary Proxy Execution: Regsvr32 |
Covenant can create SCT files for installation via |
||
| Enterprise | T1082 | System Information Discovery |
Covenant implants can gather basic information on infected systems.[1] |
|
| Enterprise | T1047 | Windows Management Instrumentation |
Covenant can utilize WMI to install new Grunt listeners through XSL files or command one-liners.[1] |
|
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0125 | HAFNIUM |
HAFNIUM used Covenant for command and control following compromise of internet-facing servers.[2] |