Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed "Grunts" that communicate back to the controller.[1][2]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Covenant can utilize WMI to install new Grunt listeners through XSL files or command one-liners.[1] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Covenant can utilize SSL to encrypt command and control traffic.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Covenant can create PowerShell-based launchers for Grunt installation.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Covenant provides access to a Command Shell in Windows environments for follow-on command execution and tasking.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1218.004 | System Binary Proxy Execution: InstallUtil | Covenant can create launchers via an InstallUtil XML file to install new Grunt listeners.[1] |
| Enterprise | T1218.005 | System Binary Proxy Execution: Mshta | Covenant can create HTA files to install Grunt listeners.[1] |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Covenant can create SCT files for installation via |
| Enterprise | T1082 | System Information Discovery | Covenant implants can gather basic information on infected systems.[1] |
| Enterprise | T1571 | Non-Standard Port | Covenant listeners and controllers can be configured to use non-standard ports.[1] |

| ID | Name | References |
|---|---|---|
| G0125 | HAFNIUM | HAFNIUM used Covenant for command and control following compromise of internet-facing servers.[2] |