Next-Gen Open Source C2 Frameworks in a Post PSEmpire World: Covenant

Rest in Peace PowerShell Empire

PowerShell Empire (PSEmpire) is a Command and Control (C2) Post Exploitation Framework that has been discussed in a variety of posts on the STEALTHbits Blog.

What is PSEmpire?

PSEmpire is a great tool with a wide variety of uses in the Information Security community including learning, red teaming and even more nefarious uses such as being used by the Ryuk Ransomware.

Sadly, it has been officially announced the PSEmpire is no longer being supported and development has stopped.

The Empire GitHub Project Page notes this and recently one of the PSEmpire developers: Chris Ross @Xorridor has posted an announcement.

Announcement

Since the developers of Empire have moved on, I have started to look at the new wave / next generation of Open Source C2 Frameworks. What better way to start than by trying out some of the ones specifically mentioned by Chris!

In this blog post, we’ll be taking a QUICK peek at Covenant which to me is one of the most exciting C2 Frameworks on the scene as of August 2019. This blog post will not function as a technical document or even a descriptive “how-to guide” but it simply to provide an overview of some of Covenants capabilities.

Regarding “Next-Gen Open Source C2 Frameworks”

“Next-Gen Open Source C2 Frameworks” is quite a mouthful. However, if we look at these newer projects, we do see several common patterns, feature sets, and architecture designs. Apfell and Covenant, for example, are no different, both of these projects have the following in common and I believe this defines them as “Next-Gen Open Source C2 Frameworks”.

• Very easy to set up and use (minutes)
• Scalable Framework
• Cross-Platform Support
• Web-based user-friendly interfaces for operators.
• “Plug and Play architecture” to quickly and easily add new Agents, Data Sources, Integrations.
• Open Source to the community on GitHub.
• Utilize Lightweight Reliable Databases (SQLite/PostgreSQL)
• Multi-User / Profile Support with Authentication
• Built-in UI pages to easily extract data/credentials/loot once obtained
• Vibrant and Open online communities – in these examples a public slack https://bloodhoundgang.herokuapp.com/

Now that we have established what a so-called “Next-Gen Open Source C2 Framework” is, let’s focus on taking a look at Covenant!

Covenant

• Covenant Project Page
• Covenant Documentation
• Announcement Blog Post
• Covenant Community Slack
• Recent Update Blog Post

Ryan Cobb who is a Red Teamer at SpecterOps who decided to build a new C2 Framework based on .NET.

Covenant is described as a: 

.NET command and control framework and web application that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.

I find the single best thing about Covenant is the gorgeous UI that is VERY user-friendly, intuitive. An operator with minimal C2 Framework experience will find it quite easy to get started. The first time I spun up my instance of Covenant I was able to immediately deploy agents and tasks without having to even peek at the wiki. That same week I was even able to utilize Covenant in some attack demos – it’s that slick!

A recent blog post goes into great detail regarding the recently overhauled UI and is worth a read if you are interested in Covenant before diving in head-first.

Covenant Architecture

The architecture of Covenant is actually quite straight forward and highly scalable and very well designed.

• Covenant Server – The Covenant Server runs the command and control server hosted on and infrastructure shared between operators. Covenant is written in C# and the server component targets .NET which gives it great cross-platform support for the server component including easy docker support. The covenant server can also be considered being API Driven – and even includes a Swagger UI to make it exceptionally easy for developers to build integrations with the framework. The Covenant Server also uses a lightweight SQLLite database.
• Grunt – A “Grunt” is the name of Covenant’s implant that is deployed to targets – we can basically think of this as an Agent. Each Grunt communicates with Covenant via a defined “Listener” on the Covenant Server. Tasks run by Grunts and even the Stagers used to standup Grunts are Dynamically compiled to avoid detection.

A Note about Covenant’s Dynamic Compilation Feature

One of my favorite feats of Covenant is it’s “Dynamic Compilation” feature. Covenant makes use of Rosyln this allows all Grunt Stager and task code to by dynamically compiled and obfuscated. This allows us to avoid static payloads allowing us to more easily get our payloads to our intended targets.

Running Covenant

Covenant – especially for Windows operators will find Covenant extremely easy to get up and running.

If you are running a Windows Operating System, essentially the only required prerequisite is the .NET Core SDK – Alternatively, there is also a Docker Container to get you up running if you prefer.

The following steps are literally the only steps for getting Covenant up and running:

git clone --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant/Covenant
dotnet build
dotnet run

This builds and starts the Covenant ASP .NET Core application. You will immediately be able to browse to your localhost machine on port 7443 and you will immediately be shown the amazing Covenant UI.

Now that Covenant is running you can use the UI to set up a listener and then create and download Grunt Stagers Payload. You can execute this payload on remote machines to have them connect to the Covenant server allowing you to execute commands to the clients (Grunts).

Again, if you have used C2 frameworks like PowerShell Empire, this process is going to sound familiar and certainly, the concepts are very similar but let’s step through some of the pages to get a feel how an operator would use Covenant.

Grunt Page

Once we have generated our Grunt Stager and deployed it we can check-in on our Grunt and interact with the grunt directly to execute Tasks.

Now that we have a Grunt deployed, let’s go to the task tab and execute mimikatz on my Grunt.

Once executed Covenant will allow me to access the output of my task right from the comfort of my browser. Executing Mimikatz has simply never been easier.

Tasks Page

The Tasks page has a sortable and searchable control showing you all the currently available tasks to execute on your Grunts. You will find many favorites here such as Mimikatz and Rubeus.

Taskings Page

The Taskings Page shows where you have assigned Tasks to Grunts. In my example you can see I have been testing some of the Mimikatz Commands: 

Data Page

The Data PAge is really great. This page provides a summarized list of the “Data” obtained by your various taskings. Here as a result of my use of Mimikatz Tasks, I have Passwords and NTLM hashes. If I had other taskings the retrieved data I could obtain them from the Downloads Tab. The indicators tab is more or less an audit trail of activity – handy to provide to Blueteam post when a project is complete!

In Closing

Covenant is packed with other pages and features not covered in the article, I would highly recommend bookmarking the Covenant Github Wiki for help getting started. Maintainers and Operators of Covenant are also very active on the Community Slack

I’ve been extremely impressed with Covenant and it is my favorite new C2 Framework, I’m very excited to see where this goes! I would highly recommend this to anyone interesting in utilizing C2 Frameworks.