Skip to content

Hide Navigation Hide TOC

Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf)

Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed "Grunts" that communicate back to the controller.(Citation: Github Covenant)(Citation: Microsoft HAFNIUM March 2020)

Cluster A Galaxy A Cluster B Galaxy B Level
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool 1
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 1
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 1
Covenant - S1155 (05fb53c8-e2ac-4e17-a0c9-a0825e1198bf) mitre-tool Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 1
InstallUtil - T1218.004 (2cd950a6-16c4-404a-aa01-044322395107) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 2