gitmyhub

Covenant

C# ★ 4.7k updated 2y ago

Covenant is a collaborative .NET C2 framework for red teamers.

A web-based command and control framework for authorized red team security testing, letting multiple operators coordinate through a shared browser dashboard to manage agents on test machines.

C#ASP.NET CoreDockerRoslynsetup: moderatecomplexity 4/5

Covenant is a command and control framework used in authorized security testing, specifically for red team operations. A red team is a group that is hired to simulate a real attacker against an organization's systems, to find weaknesses before actual attackers do. Covenant provides the infrastructure that a red team operator uses to manage compromised machines during such an engagement.

The tool is built on ASP.NET Core, which means it runs on Windows, Linux, and macOS without needing any platform-specific setup. It also supports Docker for running it inside a container. Once running, it exposes a web-based dashboard that multiple team members can log into at the same time, so an entire red team can coordinate their activity from a shared interface.

The agents that run on target machines are called Grunts. When a Grunt checks in, it communicates back to the Covenant server using configurable network profiles that control what that traffic looks like, which matters for testing whether an organization's defenses can detect unusual network patterns. The communication is encrypted using a key exchange approach that provides forward secrecy, meaning that even if a key is later compromised, past sessions remain protected.

One notable technical detail is that Covenant compiles and obfuscates its payloads at the moment they are generated rather than shipping static files. This is done using the Roslyn compiler API, which is the same tooling that the C# language itself uses. The framework also has a Swagger interface for developers who want to extend it via the API.

Covenant is intended for professional use in legitimate penetration testing engagements. The project emphasizes tracking indicators of what actions were taken, which operators can share with the defending team at the end of an assessment.

Where it fits