By kannthu
The "Covenant C2 - Detect" module is designed to detect the presence of the Covenant command and control (C2) framework. Covenant is a .NET-based framework that serves as a collaborative platform for red teamers, making offensive .NET tradecraft easier and highlighting the attack surface of .NET. This module focuses on identifying instances of Covenant C2, providing valuable insights into potential security risks.
Severity: Informative
Author: pussycat0x
The impact of detecting Covenant C2 is primarily related to understanding the potential attack surface of .NET-based systems. By identifying instances of Covenant C2, security professionals can gain insights into the presence of a powerful command and control framework that could be used for malicious purposes. This information can help organizations assess their security posture and take appropriate measures to mitigate any potential risks.
The "Covenant C2 - Detect" module utilizes HTTP request templates and matching conditions to identify the presence of Covenant C2. It sends a GET request to the "/covenantuser/login" path and applies the following matching conditions:
- The response body must contain the HTML title tag "<title>Covenant - Login</title>".
- The response status code must be 200 (OK).
If both conditions are met, the module reports Covenant C2 as detected.
Example HTTP request:
GET /covenantuser/login
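The same two-condition check, written as an added Python example for sweeping hosts in your own asset inventory (this is not the module's own code). The function names, the redirect handling and the sample responses are assumptions made for illustration; only the path, the title string and the status code come from the description above.

```python
import urllib.error
import urllib.request

LOGIN_PATH = "/covenantuser/login"                # path from the module description
TITLE_MARKER = "<title>Covenant - Login</title>"  # body matcher from the description


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as errors so a redirect target is never matched."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def matches_covenant_login(status: int, body: str) -> bool:
    """Both conditions must hold: status 200 AND the login title in the body."""
    return status == 200 and TITLE_MARKER in body


def probe(base_url: str, timeout: float = 5.0) -> bool:
    """GET <base_url>/covenantuser/login and apply the matcher (hypothetical helper)."""
    opener = urllib.request.build_opener(_NoRedirect)
    url = base_url.rstrip("/") + LOGIN_PATH
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", errors="replace")
            return matches_covenant_login(resp.status, body)
    except (urllib.error.URLError, OSError):
        return False  # non-2xx status, refused connection, timeout or TLS failure


# Constructed sample responses (status, body) showing why both conditions are needed.
SAMPLES = {
    "login page": (200, "<html><head><title>Covenant - Login</title></head></html>"),
    "other app": (200, "<html><head><title>Login</title></head></html>"),
    "redirect": (302, ""),
    "title on error page": (404, "<title>Covenant - Login</title>"),
}


def classify_samples() -> dict:
    """Apply the matcher to every constructed sample."""
    return {name: matches_covenant_login(s, b) for name, (s, b) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name}: {'detected' if hit else 'no match'}")
```
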
This module provides a valuable detection capability for organizations to identify instances of Covenant C2 and assess their potential security risks.
Reference: https://www.socinvestigation.com/shoda