Skip to content

Hide Navigation Hide TOC

Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf)

Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed "Grunts" that communicate back to the controller.(Citation: Github Covenant)(Citation: Microsoft HAFNIUM March 2020)

Cluster A Galaxy A Cluster B Galaxy B Level
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 1
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 1
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2