S1155 Covenant
Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed “Grunts” that communicate back to the controller.[1][2]
| Item | Value |
|---|---|
| ID | S1155 |
| Associated Names | |
| Type | TOOL |
| Version | 1.0 |
| Created | 04 September 2024 |
| Last Modified | 06 September 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Covenant can establish command and control via HTTP.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Covenant can create PowerShell-based launchers for Grunt installation.[1] |
| enterprise | T1059.003 | Windows Command Shell | Covenant provides access to a Command Shell in Windows environments for follow-on command execution and tasking.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.002 | Asymmetric Cryptography | Covenant can utilize SSL to encrypt command and control traffic.[1] |
| enterprise | T1571 | Non-Standard Port | Covenant listeners and controllers can be configured to use non-standard ports.[1] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.004 | InstallUtil | Covenant can create launchers via an InstallUtil XML file to install new Grunt listeners.[1] |
| enterprise | T1218.005 | Mshta | Covenant can create HTA files to install Grunt listeners.[1] |
| enterprise | T1218.010 | Regsvr32 | Covenant can create SCT files for installation via Regsvr32 to deploy new Grunt listeners.[1] |
| enterprise | T1082 | System Information Discovery | Covenant implants can gather basic information on infected systems.[1] |
| enterprise | T1047 | Windows Management Instrumentation | Covenant can utilize WMI to install new Grunt listeners through XSL files or command one-liners.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0125 | HAFNIUM | HAFNIUM used Covenant for command and control following compromise of internet-facing servers.[2][3] |
References
1. cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
2. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
3. Microsoft Threat Intelligence. (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025.