Covenant Donut

by Vince
in Blog
Hits: 1179

I've been using Covenant for over three years now and I still have mixed feelings about it.  That being said, I'm still using it so I probably shouldn't complain about open source products when an alternative pay product, Cobalt Strike, is $6k.  My biggest gripe about Covenant is that it's quirky.  I feel like I'm always working around something.  For example, Covenant has the ability to generate Shellcode directly from launchers but when I try to process inject, it fails against Defender.  But when I convert the binary launcher with Donut, I can defeat Defender.  

Essentially, there are things that should work but don't and I've figured out ways around it to live with the product.

From TheWover github:  "Donut is a position-independent code that enables in-memory execution."  

Grab the Donut binary and let's move into Covenant and build a Binary Launcher.  I should add that when you see my modified version of Covenant, understand that the terms "Grunt" and "Covenant" can get flagged but if you modify the install, it can further assist with avoiding detection.  In my modified version of Covenant, my Grunts are called Moons.  Moving along...



We create the binary and you want to work with it on your machine.  Moving it to the victim machine will likely end up with the binary getting detected / deleted.  

Using Donut, we convert the binary:



For obvious reasons, we want to disable automatic sample submission:



Sanity check, yes Defender is running:



If you're not familiar with ProcessInjection, see my previous post:



Our Grunt (aka Moon) shows up in Covenant and Defender is asleep at the wheel.



This technique will work for any binary implant.  Ok, I haven't tested it with EVERY implant but I imagine the outcome would be the same.  Happy evading!