Covenant is a .NET C2 (Command & Control) framework that aims to highlight the attack surface of .NET and aid red teamers! Today I’m going to jump into slip space with a Halo-themed blog on my first use of Covenant in the lab. Let’s hope I don’t need Cortana to get this deployed (yes, I’m a massive Halo nerd!)


First thing, let’s head over to GitHub and check out the install notes:

The architecture seems to look like this:


First things first, I’m going to need Docker installed. I’m going to install this on a VM I have that I’m using to test the Metasploit 5 framework (it’s quite clean):

export DEBIAN_FRONTEND="noninteractive"

sudo apt-get update

sudo apt-get remove docker docker-engine* lxc-docker*

sudo apt-get install apt-transport-https ca-certificates curl gnupg2 software-properties-common

curl -fsSL | sudo apt-key add -

echo "deb [arch=amd64] stretch stable" >> /etc/apt/sources.list

sudo apt-get update

sudo apt-get install docker-ce

#set docker to run as non SU – meh who cares KALI everything is SU

############ I DID NOT RUN THE BELOW IN THE LAB#############

sudo groupadd docker

sudo usermod -aG docker $USER

#set docker to run on startup (maybe no?)

sudo systemctl enable docker

service docker start

Sweet! Docker installed and no errors on service start! Now let’s get building our Covenant:

git clone

cd /Covenant/Covenant

docker build -t covenant .

Downloading/Building all the things

(I’m including some of the output because if you are like me, you want to know all the things are working as expected)

Now we need to run Covenant (as per the docs):

docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant covenant --username AdminUser --computername

Ok, now we set a password (Super secret lab password: Pa55w0rd1)

(if we need to stop this container we can run: docker stop covenant)

Next stop is to deploy Elite

git clone

cd /Elite/Elite

docker build -t elite .

docker run -it --rm --name elite elite --username AdminUser --computername

Type your admin password

Press ENTER for CertHASH

We now have a TTY prompt!

Type help

Start a listener:



(we can rename the listener as the random hex doesn’t really roll off the tongue – to do this use: Rename [LISTENER_NAME] [newname])

Now we set the connect address

Set ConnectAddress





Type Powershell

Set listenerName [LISTENER_NAME]

You can rename the listener to something more human in the listener module previously used

We now run this on the target:

And Yasssssssssssssssss! We have a connection

There are far more options we can use for a staged shell or c# stager etc.

Now, we need to use the GRUNTS module:

Type Interact [GRUNT_NAME]

When we connect the Show command is run automatically

Now we can list modules by typing help:

I’m going to now execute a high integrity shell from the client:

We are going to run the GetSystem command:

And now we are going to dump the hashes:

And off we go to hashcat!

And here we have our hashes cracked!


In no time at all we’ve managed to deploy Covenant, Elite and get some grunts mobilised! Nothing we did here (other than hashcat) was different to the install guide, but it shows that COBBR can not only knock together decent code but can also spin a line or two, and an eternal n00b like me can follow it! There’s clearly a ton of functionality in here. I’m going to take this for a spin in the Hack the Box offshore labs and see what pwnage we can achieve!
