PowerShell Empire (PSEmpire) is a Command and Control (C2) Post Exploitation Framework that has been discussed in a variety of posts on the STEALTHbits Blog.
PSEmpire is a great tool with a wide variety of uses in the Information Security community, including learning, red teaming, and even more nefarious ones: it has been used by the Ryuk Ransomware.
Sadly, it has been officially announced that PSEmpire is no longer being supported and development has stopped.
The Empire GitHub Project Page notes this, and recently one of the PSEmpire developers, Chris Ross (@Xorridor), posted an announcement.
Since the developers of Empire have moved on, I have started to look at the new wave / next generation of Open Source C2 Frameworks. What better way to start than by trying out some of the ones specifically mentioned by Chris!
In this blog post, we’ll be taking a QUICK peek at Covenant, which to me is one of the most exciting C2 Frameworks on the scene as of August 2019. This blog post will not function as a technical document or even a descriptive “how-to guide”; it is simply meant to provide an overview of some of Covenant’s capabilities.
“Next-Gen Open Source C2 Frameworks” is quite a mouthful. However, if we look at these newer projects, we do see several common patterns, feature sets, and architecture designs. Apfell and Covenant, for example, are no different: both of these projects have the following in common, and I believe this defines them as “Next-Gen Open Source C2 Frameworks”.
Now that we have established what a so-called “Next-Gen Open Source C2 Framework” is, let’s focus on taking a look at Covenant!
Ryan Cobb, a Red Teamer at SpecterOps, decided to build a new C2 Framework based on .NET.
Covenant is described as a:
.NET command and control framework and web application that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
I find the single best thing about Covenant is the gorgeous UI, which is VERY user-friendly and intuitive. An operator with minimal C2 Framework experience will find it quite easy to get started. The first time I spun up my instance of Covenant I was able to immediately deploy agents and tasks without having to even peek at the wiki. That same week I was even able to utilize Covenant in some attack demos – it’s that slick!
A recent blog post goes into great detail regarding the recently overhauled UI and is worth a read if you are interested in Covenant before diving in head-first.
The architecture of Covenant is actually quite straightforward, highly scalable, and very well designed.
One of my favorite features of Covenant is its “Dynamic Compilation” feature. Covenant makes use of Roslyn, which allows all Grunt Stager and task code to be dynamically compiled and obfuscated. This allows us to avoid static payloads, making it easier to get our payloads to our intended targets.
Operators, and especially Windows operators, will find Covenant extremely easy to get up and running.
If you are running a Windows Operating System, essentially the only required prerequisite is the .NET Core SDK. Alternatively, there is also a Docker Container to get you up and running if you prefer.
The following steps are literally the only steps for getting Covenant up and running:
git clone --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant/Covenant
dotnet build
dotnet run
This builds and starts the Covenant ASP.NET Core application. You will immediately be able to browse to your localhost machine on port 7443, where you will be shown the amazing Covenant UI.
Now that Covenant is running, you can use the UI to set up a listener and then create and download a Grunt Stager payload. You can execute this payload on remote machines to have them connect to the Covenant server, allowing you to execute commands on the clients (Grunts).
Again, if you have used C2 frameworks like PowerShell Empire, this process is going to sound familiar, and certainly the concepts are very similar, but let’s step through some of the pages to get a feel for how an operator would use Covenant.
Once we have generated our Grunt Stager and deployed it, we can check in on our Grunt and interact with it directly to execute Tasks.
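The four setup commands above are the whole procedure, but on a fresh lab box it is easy to start before the SDK is installed or to open the browser before the server is listening. The following POSIX shell script is an added example (not part of the original post and not the Covenant project's own tooling): it checks that the dotnet SDK is present, runs the same clone/build/run steps, and then polls port 7443 until the UI answers. It assumes the repository URL and port given in the post, a dotnet binary on PATH, and curl for the readiness probe.

```shell
#!/bin/sh
# Added example: wraps the Covenant setup steps from the post with a
# prerequisite check and a readiness check. Assumes the repo URL and
# port 7443 stated in the post, plus dotnet and curl on PATH.

COVENANT_REPO="https://github.com/cobbr/Covenant"
COVENANT_URL="https://localhost:7443"

# Return 0 if a working .NET SDK is on PATH, 1 otherwise.
check_dotnet_sdk() {
    command -v dotnet >/dev/null 2>&1 || return 1
    dotnet --version >/dev/null 2>&1
}

# Poll URL ($1) until it returns any HTTP response, giving up after $2 seconds.
# -k tolerates the self-signed certificate a local test instance serves.
# Returns 0 when the server answers, 1 on timeout (or when curl is missing).
wait_for_url() {
    url="$1"
    timeout="${2:-60}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if curl -k -s -o /dev/null --max-time 2 "$url"; then
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    return 1
}

# Clone, build and run Covenant, then block until the UI is reachable.
setup_covenant() {
    check_dotnet_sdk || { echo "dotnet SDK not found; install the .NET Core SDK first" >&2; return 1; }
    git clone --recurse-submodules "$COVENANT_REPO" || return 1
    cd Covenant/Covenant || return 1
    dotnet build || return 1
    dotnet run &                          # server keeps running in the background
    wait_for_url "$COVENANT_URL" 120 || { echo "Covenant did not answer on port 7443" >&2; return 1; }
    echo "Covenant UI is up at $COVENANT_URL"
}

# Uncomment to run end-to-end on a lab machine:
# setup_covenant
```

The readiness loop is the part worth keeping even if you type the four commands by hand: the first `dotnet run` also compiles the Grunt templates, so the UI can take a while to appear, and polling the port tells you when it is actually ready rather than guessing.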
Now that we have a Grunt deployed, let’s go to the Tasks tab and execute Mimikatz on my Grunt.
Once executed, Covenant will allow me to access the output of my task right from the comfort of my browser. Executing Mimikatz has simply never been easier.
The Tasks page has a sortable and searchable control showing you all the currently available tasks to execute on your Grunts. You will find many favorites here such as Mimikatz and Rubeus.
The Taskings Page shows where you have assigned Tasks to Grunts. In my example you can see I have been testing some of the Mimikatz Commands:
The Data Page is really great. This page provides a summarized list of the “Data” obtained by your various taskings. Here, as a result of my use of Mimikatz Tasks, I have Passwords and NTLM hashes. Data retrieved by other taskings can be obtained from the Downloads Tab. The Indicators tab is more or less an audit trail of activity – handy to provide to the Blue Team once a project is complete!
Covenant is packed with other pages and features not covered in this article; I would highly recommend bookmarking the Covenant GitHub Wiki for help getting started. Maintainers and Operators of Covenant are also very active on the Community Slack.
I’ve been extremely impressed with Covenant and it is my favorite new C2 Framework. I’m very excited to see where this goes! I would highly recommend this to anyone interested in utilizing C2 Frameworks.
Lee is a Technical Product Manager at Stealthbits – now part of Netwrix. When Lee is not building Cybersecurity Software in his day job, he is active in managing and presenting at user groups, meetups, and conferences around the world. Lee is focused on Automation, Security, Monitoring, and IoT.
© 2022 Stealthbits Technologies, Inc.
The “QUICK peek at Covenant” link doesn’t quite have the right target… xD
Thanks! Link has been fixed.