
Covenant C2 - Detect

By kannthu

Informative
Vidoc Module
Tags: #c2 #ir #osint #covenant
Description

What is "Covenant C2 - Detect"?

The "Covenant C2 - Detect" module is designed to detect the presence of the Covenant command and control (C2) framework. Covenant is a .NET-based framework that serves as a collaborative platform for red teamers, making offensive .NET tradecraft easier and highlighting the attack surface of .NET. This module focuses on identifying instances of Covenant C2, providing valuable insights into potential security risks.

Severity: Informative

Author: pussycat0x

Impact

The impact of detecting Covenant C2 is primarily related to understanding the potential attack surface of .NET-based systems. By identifying instances of Covenant C2, security professionals can gain insights into the presence of a powerful command and control framework that could be used for malicious purposes. This information can help organizations assess their security posture and take appropriate measures to mitigate any potential risks.

How does the module work?

The "Covenant C2 - Detect" module utilizes HTTP request templates and matching conditions to identify the presence of Covenant C2. It sends a GET request to the "/covenantuser/login" path and applies the following matching conditions:

- The response body must contain the HTML title tag "<title>Covenant - Login</title>".
- The response status code must be 200 (OK).

If both conditions are met, the module considers the presence of Covenant C2 as detected.

Example HTTP request:

GET /covenantuser/login

This module provides a valuable detection capability for organizations to identify instances of Covenant C2 and assess their potential security risks.
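The following is an added example, not code from the Vidoc module or this page, that applies the module's two matching conditions to constructed HTTP responses; it generalizes the matcher evaluation to an "and"/"or" template condition, and the plain substring semantics for word matchers and the header part are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Matching conditions transcribed from the module preview (matcher condition: and).
COVENANT_MATCHERS: List[dict] = [
    {"type": "word", "part": "body", "words": ["<title>Covenant - Login</title>"]},
    {"type": "status", "status": [200]},
]
MATCHERS_CONDITION = "and"


@dataclass
class HttpResponse:
    """Minimal stand-in for the response to GET /covenantuser/login."""
    status: int
    body: str
    headers: Dict[str, str] = field(default_factory=dict)


def evaluate_matcher(matcher: dict, resp: HttpResponse) -> bool:
    """Evaluate one word/status matcher. Word matching is a plain substring
    check (assumed; the page does not state the exact semantics)."""
    kind = matcher["type"]
    if kind == "status":
        return resp.status in matcher["status"]
    if kind == "word":
        if matcher.get("part", "body") == "body":
            haystack = resp.body
        else:  # header matching is an assumed extension, not in the module
            haystack = "\n".join(f"{k}: {v}" for k, v in resp.headers.items())
        return all(word in haystack for word in matcher["words"])
    raise ValueError(f"unsupported matcher type: {kind}")


def is_match(resp: HttpResponse, matchers: List[dict] = COVENANT_MATCHERS,
             condition: str = MATCHERS_CONDITION) -> bool:
    """Combine matcher results with the template-level condition (and/or)."""
    results = [evaluate_matcher(m, resp) for m in matchers]
    return all(results) if condition == "and" else any(results)


# Constructed sample responses: only the first should be reported.
SAMPLE_RESPONSES = {
    "covenant_login": HttpResponse(200, "<html><head><title>Covenant - Login</title></head></html>"),
    "title_but_not_200": HttpResponse(302, "<title>Covenant - Login</title>"),
    "other_login_page": HttpResponse(200, "<title>Sign in - Admin</title>"),
}


def run_samples() -> Dict[str, bool]:
    """Apply the module's matchers to every constructed sample."""
    return {name: is_match(resp) for name, resp in SAMPLE_RESPONSES.items()}
```

Under the module's "and" condition a 200 response with a different title is not reported, which is why both conditions are required to cut down false positives from unrelated login pages.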

Reference: https://www.socinvestigation.com/shoda

Module preview

Concurrent Requests (1)

1. HTTP Request template
   GET /covenantuser/login

   Matching conditions (condition: and)
   - word: <title>Covenant - Login</title>
   - status: 200

Passive global matcher
No matching conditions.

On match action
Report vulnerability