Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf)

Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed "Grunts" that communicate back to the controller.(Citation: Github Covenant)(Citation: Microsoft HAFNIUM March 2020)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) | mitre-tool | Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) | Attack Pattern | 1 |
| Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) | Attack Pattern | Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) | mitre-tool | 1 |
| System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) | mitre-tool | 1 |
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) | mitre-tool | 1 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) | mitre-tool | 1 |
| Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) | mitre-tool | Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) | Attack Pattern | 1 |
| InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) | Attack Pattern | Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) | mitre-tool | 1 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) | mitre-tool | 1 |
| Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) | Attack Pattern | Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) | mitre-tool | 1 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) | mitre-tool | 1 |
| Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 2 |
| Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) | Attack Pattern | 2 |
| InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) | Attack Pattern | System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) | Attack Pattern | 2 |
| Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 2 |