Covenant C2 Framework

In the world of offensive security and red teaming, the choice of a Command and Control (C2) framework can make or break a penetration testing engagement. Among the growing landscape of C2 platforms, Covenant has emerged as one of the most versatile, developer-friendly, and feature-rich frameworks available to security professionals. Built on .NET Core and designed with collaboration in mind, Covenant offers red teamers a powerful toolkit for simulating real-world adversary behavior.

This guide breaks down what Covenant is, how it works, its core commands, and why understanding it matters for your organization's security posture. If you are looking for expert-led offensive security assessments using enterprise-grade tooling, Redfox Cybersecurity's penetration testing services deliver exactly that.

What Is the Covenant C2 Framework?

Covenant is an open-source, collaborative Command and Control framework developed by Ryan Cobb. It is written in C# and runs on .NET Core, making it cross-platform and adaptable to a wide range of red team environments. Unlike older frameworks that rely on scripting languages or require heavy infrastructure, Covenant leverages .NET's robust ecosystem to generate highly customizable implants called Grunts.

The framework operates through a web-based graphical interface, making it accessible even to operators who prefer visual dashboards over raw terminal output. At the same time, it provides the depth and granularity that experienced red teamers demand.

Why Red Teams Choose Covenant

Several factors set Covenant apart from competing C2 frameworks:

Collaborative Operations: Multiple operators can connect to a single Covenant instance simultaneously. This is critical for larger red team engagements where tasks are divided among team members.

Grunt Implants: Grunts are Covenant's equivalent of agents or beacons. They are .NET-based, in-memory implants that communicate back to the Covenant listener over HTTP, HTTPS, or SMB. Because they run in memory, they are significantly harder to detect using traditional file-based antivirus solutions.

Customizable Listeners: Covenant supports multiple listener profiles, allowing operators to blend C2 traffic into legitimate-looking web traffic using malleable profiles similar to those seen in other advanced frameworks.

Built-in Task Library: Covenant ships with an extensive library of pre-built tasks covering everything from credential dumping to lateral movement, all accessible through a clean interface.

Elite Operators: Covenant includes an "Elite" command-line interface for operators who prefer working in the terminal rather than the browser dashboard.

Organizations that understand how tools like Covenant work are far better positioned to defend against them. Redfox Cybersecurity uses industry-standard offensive tooling to help clients identify gaps before real attackers do.

Setting Up Covenant: The Basics

Before walking through commands, it is worth understanding the installation and operational flow. Covenant is deployed using Docker or by cloning the repository and running it with the .NET SDK.

Installation Overview

git clone --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant/Covenant
dotnet run


Once running, operators access the web interface on port 7443 by default. First-time setup requires creating an administrative account. From there, the operator configures listeners, generates Grunt implants, and begins managing active sessions.

For Docker-based deployments:

docker build -t covenant .
docker run -it -p 7443:7443 --name covenant covenant --username AdminUser --computername 0.0.0.0


This flexibility in deployment makes Covenant suitable for both local lab environments and cloud-hosted red team infrastructure.

Core Concepts: Listeners, Grunts, and Tasks

Understanding three core components is essential before diving into commands.

Listeners

A Listener is the server-side component that receives callbacks from deployed Grunts. Covenant supports HTTP, HTTPS, and SMB listeners. Operators configure the Listener with a bind address, port, connection addresses, and profile settings that dictate how traffic appears on the wire.

Grunts

A Grunt is the implant deployed on the target system. When a Grunt executes, it calls back to the configured Listener and waits for tasking. Grunts can be delivered in multiple formats including executables, PowerShell scripts, binary shellcode, and MSBuild XML files, giving operators flexibility in how they stage initial access.

Tasks

Tasks are individual commands sent to active Grunts. Covenant's task library covers the full post-exploitation kill chain.

Essential Covenant Commands for Post-Exploitation

This section covers the commands and tasks that red team operators use most frequently during authorized engagements. Understanding these commands is also invaluable for blue teams and defenders who want to know what to look for.

Situational Awareness Commands

Once a Grunt is active, the first priority is understanding the environment.

WhoAmI identifies the current user context:

Task: WhoAmI


GetDomainInfo pulls high-level Active Directory domain information:

Task: GetDomainInfo


HostInfo retrieves hostname, OS version, architecture, and network adapter details:

Task: HostInfo


ProcessList enumerates all running processes on the target, critical for identifying security products and understanding the process landscape:

Task: ProcessList


These initial tasks help operators understand their foothold and plan the next phase of the engagement.

Credential Access

Credential harvesting is a staple of post-exploitation. Covenant integrates with SharpSploit, a .NET post-exploitation library, to power many of its credential tasks.

Mimikatz is the most well-known credential dumping tool. Covenant wraps it for in-memory execution:

Task: Mimikatz
Command: sekurlsa::logonpasswords


SamDump extracts credentials from the SAM database on local Windows systems:

Task: SamDump


DCSync simulates Domain Controller replication to pull NTLM hashes without touching LSASS directly, a stealthier approach in modern engagements:

Task: DCSync
Domain: targetdomain.local
Username: Administrator


Kerberoasting requests service tickets for accounts with SPNs registered, enabling offline cracking:

Task: Kerberoast


This returns a list of crackable Kerberos hashes that can be fed into tools like Hashcat for offline password recovery.

Understanding how these attacks work is exactly why organizations engage Redfox Cybersecurity's red team services to test their defenses before malicious actors exploit them.

Lateral Movement

Once credentials are obtained, operators move laterally through the network.

PowerShellRemoting uses WinRM to execute commands or deploy additional Grunts on remote systems:

Task: PowerShellRemoting
ComputerName: targethost
Command: whoami


WMICommand leverages Windows Management Instrumentation for stealthy remote execution:

Task: WMICommand
ComputerName: targethost
Command: net user


DCOMCommand uses DCOM objects for lateral movement, a technique that bypasses many traditional detection methods:

Task: DCOMCommand
ComputerName: targethost
Command: calc.exe


CreateRemoteService creates a Windows service on a remote machine for persistence and execution:

Task: CreateRemoteService
ServiceName: UpdateService
ServicePath: \\targethost\C$\Windows\Temp\payload.exe
ComputerName: targethost


Persistence Mechanisms

Maintaining access across reboots and user logoffs is a critical phase in long-running red team operations.

ScheduledTask creates a Windows Scheduled Task to re-execute the Grunt payload at defined intervals:

Task: ScheduledTask
TaskName: WindowsUpdate
Executable: C:\Windows\Temp\grunt.exe
Trigger: Logon


RegistryAutoRun sets a registry key to launch the implant at user login:

Task: RegistryAutoRun
KeyName: SecurityAgent
Value: C:\Windows\Temp\grunt.exe


WMISubscription uses WMI event subscriptions for fileless persistence, one of the most difficult techniques to detect:

Task: WMISubscription
Name: UpdateChecker
Command: powershell.exe -enc [base64_payload]


These persistence techniques mirror the tactics used by sophisticated threat actors including APT groups. If your organization wants to know whether these methods would succeed against your defenses, Redfox Cybersecurity can simulate them in a controlled, authorized engagement.

Privilege Escalation

GetSystem attempts multiple techniques to escalate from a standard user to SYSTEM-level privileges:

Task: GetSystem


BypassUAC attempts to bypass User Account Control to gain elevated privileges without triggering a UAC prompt:

Task: BypassUAC
Command: cmd.exe /c whoami


TokenImpersonation steals or impersonates tokens from privileged processes:

Task: ImpersonateProcess
ProcessId: 1234


Network Enumeration and Reconnaissance

PortScan performs internal network scanning to map reachable hosts and services:

Task: PortScan
ComputerNames: 192.168.1.0/24
Ports: 22,80,443,445,3389
Ping: True


GetNetLocalGroup and GetNetLocalGroupMember enumerate local groups and their members on target hosts:

Task: GetNetLocalGroupMember
ComputerName: targethost
LocalGroup: Administrators


GetDomainUser queries Active Directory for user accounts, filtering by properties like AdminCount or enabled status:

Task: GetDomainUser
Identity: *


Covenant and OPSEC Considerations

One area where Covenant shines for professional red teamers is its attention to Operational Security (OPSEC). Every C2 framework leaves artifacts, and skilled operators configure Covenant carefully to minimize detection risk.

Sleep and Jitter

Grunts can be configured with sleep intervals and jitter percentages to make callback timing irregular and harder to identify through network analysis:

Task: SetSleep
SleepTime: 60
JitterPercent: 30


This makes the Grunt call back every 42 to 78 seconds rather than on a predictable 60-second schedule.

Malleable Profiles

Covenant's HTTP listener profiles allow operators to customize request headers, URIs, and response bodies to make C2 traffic resemble legitimate application traffic such as CDN requests or software update checks.

In-Memory Execution

All Grunt tasks that execute .NET assemblies do so in memory using techniques like Assembly.Load(), avoiding writing malicious files to disk and bypassing many endpoint detection tools.

Covenant in the Context of the MITRE ATT&CK Framework

Covenant's task library maps closely to MITRE ATT&CK techniques, making it a natural tool for threat-informed red team exercises. Teams can use Covenant to simulate specific adversary behaviors documented in ATT&CK, then measure whether existing controls detect and respond to those techniques.

Common ATT&CK coverage includes:

T1003 (OS Credential Dumping) via Mimikatz and SamDump tasks, T1021 (Remote Services) via PowerShellRemoting and WMI tasks, T1053 (Scheduled Task/Job) for persistence, T1055 (Process Injection) for stealthy execution, and T1087 (Account Discovery) via domain enumeration tasks.

This structured approach to adversary simulation is what separates a mature red team program from an ad hoc vulnerability scan. Redfox Cybersecurity designs engagements around real-world threat scenarios relevant to your industry.

Blue Team Perspective: Detecting Covenant Activity

Understanding offensive tools is only valuable if it informs defensive improvements. Security teams should monitor for the following indicators when assessing Covenant exposure:

Network-Level Detection: Unusual HTTPS traffic to non-categorized external hosts with regular beaconing intervals. Look for consistent User-Agent strings or URI patterns that match Covenant's default profiles.

Host-Level Detection: Suspicious .NET assembly loads in unusual processes, particularly in processes that do not typically load CLR. Tools like Sysmon with appropriate rules can capture CreateRemoteThread and process injection events.

Active Directory Anomalies: DCSync requests from non-Domain Controller machines, unusual Kerberos service ticket requests targeting high-value accounts, and LDAP queries with broad filters querying all domain users are strong indicators.

Event Log Analysis: Windows Event ID 4624 (logon events), 4688 (process creation with full command lines), and 7045 (new service installed) are key sources for lateral movement detection.

Wrapping Up

The Covenant C2 framework represents the state of the art in collaborative, .NET-based red team tooling. Its combination of a polished web interface, powerful implant capabilities, and deep integration with the .NET ecosystem makes it a top choice for professional penetration testers and red team operators worldwide.

For organizations, the key takeaway is this: the tools adversaries use are sophisticated, well-documented, and increasingly accessible. Waiting for an attacker to demonstrate what Covenant can do inside your network is not a security strategy.

Proactive testing through authorized red team engagements gives your team the data it needs to prioritize defenses, validate controls, and remediate gaps before they become breaches. Redfox Cybersecurity offers comprehensive penetration testing and red team services tailored to organizations of all sizes and industries. Whether you need a targeted web application assessment, a full-scope internal network test, or an advanced adversary simulation exercise, the team at Redfox Cybersecurity brings the expertise and methodology to deliver results that matter.

Ready to find out how your defenses hold up against real-world attack techniques? Explore Redfox Cybersecurity's penetration testing services and take the first step toward a stronger security posture today.