Skip to content

Hide Navigation Hide TOC

Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf)

Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed "Grunts" that communicate back to the controller.(Citation: Github Covenant)(Citation: Microsoft HAFNIUM March 2020)

Cluster A Galaxy A Cluster B Galaxy B Level
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 1
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern 1
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 2
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2