Covenant v0.5

Covenant Logo

Intro

Covenant v0.5 is being released today and includes a set of new features, a major UI update, and lots of bug fixes.

This will be a short post documenting some of the major feature updates.

Blazor: Front-End C#

The largest update in v0.5 is migrating the interface over to the Blazor framework. Blazor is a framework for writing client-side web interfaces in C#.

Prior to Blazor, Covenant didn’t utilize any real client-side framework like React, Angular, etc. The client-side of the Web UI was written with some one-off JavaScript functions that utilized only JQuery. This made UI components difficult to scale and maintain. Since Covenant is already built on .NET Core, it made a lot of sense to use Microsoft’s new client-side framework, Blazor.

I’m not particularly fond of writing JavaScript anyways, so that fact that client-side code in Blazor is written in C# made the transition even better. Beyond language preference, this allows the client-side of the application to take full advantage of the .NET Core ecosystem and libraries. We also hope that this makes the UI much more approachable to those that might be interested in making UI contributions to the project.

Additionally, Blazor transforms Covenant into a true SPA, or Single Page Application. What exactly does this mean? As a Covenant user, the first time you visit the Covenant site an HTTP request is made to pull down the initial application, and that’s it, no more HTTP requests! The rest of your interaction with the server is accomplished over real-time WebSockets.

The main difference you’ll see as a user, is pages should load a little bit faster than before, and the entire interface should update in real-time as things change on the backend server. For example, no more need to refresh the page to check for a Grunt’s new LastCheckIn time! The interface has been overhauled to take advantage of the real-time features provided by Blazor.

Brutes: The New .NET Core Implant

Covenant has a brand new built-in, cross-platform implant: Brutes! Operators are no longer limited to Grunt implants or to Windows targets.

Brute list

Covenant has slowly been moving towards the goal of being truly implant-agnostic, and the introduction of the Brute implant is a major step towards that goal. The concept of an implant-agnostic C2 framework has been talked about over the last few years, and was really pioneered by the Faction and Apfell frameworks. The idea is that many different implants can communicate over a common protocol dictated by the framework, and easily plug into the framework. Covenant has technically supported the implant-agnostic model for quite awhile.

The introduction of ImplantTemplates in v0.4 allowed operators to easily modify and create new C# implants and was an initial step towards making implant creation more accessible to developers. With the introduction of Brutes, Covenant now has an implant that is written in C#, but not based on the .NET Framework at all. The implant is fully supported and built-in to the platform.

As Covenant continues to make steps towards the implant-agnostic model, I’d encourage operators and developers to try their hand at modifying existing implants for their needs, or creating their own personal implant!

The Brute implant itself is fairly simple, there isn’t a huge library of available tasks quite yet, but some of the most important tasks are available: shell, ps, ls, assembly, and a handful of others. The Brute implant shares a large percentage of it’s codebase with Grunts, with some minor changes to port the code over to .NET Core, but there’s not many libraries to borrow tasks from available in .NET Core like there is for the .NET Framework, such as SharpSploit and GhostPack.

There’s a lot to say about the potential of .NET Core implants, and I plan to release a follow-up post on .NET Core malware in the near future. I’ll leave most of those details for that post. For now, it’s enough to say that Brutes are cross-platform .NET Core implants with a limited set of base functionality.

Shareable Tasks

Tasks can now be easily imported and exported to or from a running Covenant instance as YAML files. This makes it much easier to share your Covenant tasks with others that may be interested in your work.

It also makes it much easier to contribute built-in Tasks to the project. Before this change, built-in Tasks were described programmatically in Covenant’s source code, and required source code changes to add new built-in Tasks. Now, YAML files included under the Data\Tasks directory will automatically be parsed and imported when Covenant first starts up. Additional tasks that you would like to use can be imported within the interface.

Import Tasks

Hopefully, this makes it much easier to share custom Tasks or to maintain your own libraries of custom Tasks.

Other Minor Updates

There are many more updates and fixes in this release than we are able to mention here, but here’s a few other minor updates you’ll find in v0.5:

  • Author Information - Author information is included in GruntTasks, so you’ll get credit for the Tasks you contribute to Covenant.
  • Hide and Unhide Grunts - The ability to hide and unhide Grunts has been reworked, so you can easily hide and unhide old Grunts that are no longer in use from the UI.
  • Manual Data Creation - Credentials and Indicators can be manually added to the schema now, instead of just relying on Covenant’s automatic detection of new data.
  • Updated ReferenceSourceLibraries - ReferenceSourceLibraries such as SharpSploit and GhostPack have been brought up to date with the public versions.

Conclusion

Hopefully this has given you a brief summary of some of the major updates in the new v0.5 Covenant update. This has been the first major Covenant update in nearly 7 months, as the UI conversion over to Blazor took much more work than anticipated. Hopefully it’s been worth the wait!

In the future, we hope that Covenant updates will be much more frequent and incremental, to decrease the waiting time between updates. In the near term future, Covenant has developed quite a backlog of issues and pull requests that need to be addressed, and we likely will be focused on those and any new issues that arise from the new release. Also be on the lookout for an upcoming post on .NET Core malware for additional information related to the Brute implant.