S1155: Covenant
Covenant is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as HAFNIUM during operations. Covenant functions through a central listener managing multiple deployed "Grunts" that communicate back to the controller.[1][2]
Analyst context for executives and security teams
Covenant matters because it is a legitimate .NET command-and-control framework that can operate across Windows, Linux, and macOS, but ATT&CK notes it has also been used by threat actors including HAFNIUM. For leaders, the decision point is not whether the tool name appears in an alert; it is whether the organization can recognize post-compromise control activity that blends into normal administration, web traffic, and signed Windows utilities.
Executive priority
Prioritize Covenant as a readiness and control-validation issue for incident response, managed detection, and audit evidence. The ATT&CK relationships connect it to execution through PowerShell, Windows Command Shell, WMI, and trusted Windows utilities, plus command-and-control over web protocols, non-standard ports, and asymmetric cryptography. Executives should ask whether SOC coverage spans endpoint execution and network egress together, especially where administrative tools are heavily used and false positives can hide real compromise.
Technical view
ATT&CK provides no official detection text for S1155, so defenders should validate coverage through the related techniques. On Windows, review visibility for WMI execution, PowerShell, cmd.exe, InstallUtil, mshta.exe, and regsvr32.exe activity, especially when followed by unusual outbound web-protocol traffic or protocol/port mismatches. Across supported platforms, validate egress monitoring for web-based C2 patterns, non-standard port use, and encrypted sessions that cannot be explained by known business applications. IR playbooks should correlate process lineage, script execution, host discovery activity, and outbound connections rather than depending on a single Covenant-specific indicator.
Likely telemetry
- Endpoint process creation and parent-child process lineage on Windows, Linux, and macOS
- PowerShell command/script logging where enabled
- WMI activity and remote/local execution records on Windows
- Windows command shell execution records
- Execution of InstallUtil.exe, mshta.exe, and regsvr32.exe with command-line context
Detection direction
- Build detections around behavior chains: administrative execution or signed utility proxy execution followed by outbound web communication.
- Tune PowerShell, WMI, cmd.exe, InstallUtil, mshta, and regsvr32 monitoring against known administrative baselines to reduce false positives without suppressing rare or high-risk usage.
- Validate egress analytics for web protocols on unexpected ports and for encrypted traffic patterns that do not match approved applications.
- Use relationship-driven context: Covenant is linked to execution, discovery, stealth/proxy execution, and command-and-control techniques, so isolated alerts should be correlated into a session or host timeline.
- Do not rely on tool-name signatures alone; legitimate security testing use and modified deployments can make name-based detection incomplete.
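The correlation described in the Technical view and in the detection direction above (administrative or signed-utility execution followed by outbound web traffic, tuned against an internal baseline) can be prototyped in a few lines. The following is an added example, not code from the page, from ATT&CK, or from the Covenant project. It assumes Sysmon-style process-creation and network-connection fields, and the watched image list, approved web ports, internal ranges, and five-minute window are assumptions to tune per environment; the sample events are constructed.

```python
"""Added example: correlate watched execution with outbound web egress.

Stand-alone Python, standard library only. Event schema and SAMPLE_EVENTS are
constructed for this example (Sysmon-like field names), not real telemetry.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Execution paths ATT&CK relates to Covenant: PowerShell (T1059.001), cmd
# (T1059.003), WMI (T1047) and the signed utilities InstallUtil, mshta and
# regsvr32 (T1218.004/.005/.010). Lower-case image basenames.
WATCHED_IMAGES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "wmiprvse.exe",
    "installutil.exe", "mshta.exe", "regsvr32.exe",
}
SIGNED_PROXY_UTILITIES = {"installutil.exe", "mshta.exe", "regsvr32.exe"}

# Assumed environment baseline (tune per site): ports approved for web egress
# and internal ranges that administrators legitimately reach from these tools.
APPROVED_WEB_PORTS = {80, 443}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
CHAIN_WINDOW = timedelta(minutes=5)

# Constructed sample telemetry. Case 1: mshta then external non-standard port.
# Case 2: PowerShell then external 443. Case 3: PowerShell to internal WinRM
# (baseline, suppressed). Case 4: unwatched svchost. Case 5: regsvr32 whose
# connection falls outside the window.
SAMPLE_EVENTS = [
    {"type": "process", "time": "2024-09-04T09:00:00", "pid": 900,
     "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network", "time": "2024-09-04T09:00:01", "pid": 900,
     "dest_ip": "203.0.113.55", "dest_port": 443},
    {"type": "process", "time": "2024-09-04T10:00:00", "pid": 4120,
     "image": r"C:\Windows\System32\mshta.exe"},
    {"type": "network", "time": "2024-09-04T10:00:07", "pid": 4120,
     "dest_ip": "203.0.113.10", "dest_port": 8443},
    {"type": "process", "time": "2024-09-04T10:05:00", "pid": 5210,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network", "time": "2024-09-04T10:05:30", "pid": 5210,
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"type": "process", "time": "2024-09-04T10:10:00", "pid": 6001,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "network", "time": "2024-09-04T10:10:05", "pid": 6001,
     "dest_ip": "10.20.30.40", "dest_port": 5985},
    {"type": "process", "time": "2024-09-04T11:00:00", "pid": 7000,
     "image": r"C:\Windows\System32\regsvr32.exe"},
    {"type": "network", "time": "2024-09-04T11:30:00", "pid": 7000,
     "dest_ip": "203.0.113.10", "dest_port": 443},
]


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for matching."""
    return PureWindowsPath(path).name.lower()


def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def correlate(events: list[dict]) -> list[dict]:
    """Return findings where a watched process reaches an external host
    within CHAIN_WINDOW of its creation. Windows reuses PIDs, so a real
    pipeline should key on ProcessGuid; the time window limits cross-matching
    here but does not eliminate it."""
    procs: dict[int, list[dict]] = {}
    for ev in events:
        if ev["type"] == "process":
            procs.setdefault(ev["pid"], []).append(ev)

    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] != "network" or is_internal(ev["dest_ip"]):
            continue  # internal admin traffic is baseline; suppressed
        conn_time = datetime.fromisoformat(ev["time"])
        for proc in procs.get(ev["pid"], []):
            start = datetime.fromisoformat(proc["time"])
            name = image_name(proc["image"])
            if name not in WATCHED_IMAGES or not start <= conn_time <= start + CHAIN_WINDOW:
                continue
            reasons = ["watched_execution_then_egress"]
            if name in SIGNED_PROXY_UTILITIES:
                reasons.append("signed_utility_proxy_execution")
            if ev["dest_port"] not in APPROVED_WEB_PORTS:
                reasons.append("non_standard_port")
            findings.append({
                "pid": ev["pid"], "image": name,
                "dest": f'{ev["dest_ip"]}:{ev["dest_port"]}',
                "reasons": reasons,
                "severity": "high" if len(reasons) > 1 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

Run against the constructed events, the chain detector raises two findings: the mshta.exe process that reached an external host on port 8443 (high: signed-utility proxy execution plus a non-standard port) and the PowerShell process that reached an external host on 443 (medium). The internal WinRM connection, the unwatched svchost.exe connection, and the regsvr32.exe connection that falls outside the window produce nothing, which is the baseline tuning the list above calls for.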
Mitigation priorities
- Establish and document approved uses of command-and-control or penetration-testing frameworks so legitimate testing can be distinguished from unauthorized activity.
- Harden and monitor administrative execution paths, especially PowerShell, WMI, Windows Command Shell, and signed Windows utilities commonly abused for proxy execution.
- Restrict unnecessary outbound traffic and enforce expected protocol/port pairings where operationally feasible.
- Ensure endpoint and network telemetry retention is sufficient for incident reconstruction across execution, discovery, and command-and-control phases.
- Include Covenant-like behaviors in purple-team or detection validation exercises, with authorization and scope controls.
Analyst notes and limits
This take is based only on the supplied ATT&CK S1155 fields, external references, and relationships. The object identifies Covenant as a multi-platform .NET C2 framework with a listener and deployed Grunts, and notes use by HAFNIUM. The relationship set is the main source for defensive direction because the object has no ATT&CK detection text.
ATT&CK does not provide official detection guidance, aliases, labels, or object-level tactics for Covenant in the supplied data. Local environment baselines, approved red-team tooling, egress architecture, and endpoint logging configuration are required to judge actual exposure or coverage.
Covenant
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.001 | PowerShell Sub-technique | Covenant can create PowerShell-based launchers for Grunt installation. [1] |
| Enterprise | T1571 | Non-Standard Port | Covenant listeners and controllers can be configured to use non-standard ports. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | Covenant can utilize WMI to install new Grunt listeners through XSL files or command one-liners. [1] |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | Covenant can create SCT files for installation via `Regsvr32` to deploy new Grunt listeners. [1] |
| Enterprise | T1218.004 | InstallUtil Sub-technique | Covenant can create launchers via an InstallUtil XML file to install new Grunt listeners. [1] |
| Enterprise | T1082 | System Information Discovery | Covenant implants can gather basic information on infected systems. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Covenant provides access to a Command Shell in Windows environments for follow-on command execution and tasking. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Covenant can establish command and control via HTTP. [1] |
| Enterprise | T1218.005 | Mshta Sub-technique | Covenant can create HTA files to install Grunt listeners. [1] |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Covenant can utilize SSL to encrypt command and control traffic. [1] |
Groups, software, and campaigns
G0125: HAFNIUM
HAFNIUM is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. HAFNIUM primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has targeted remote management tools and cloud software for initial access and has demonstrated an ability to quickly operationalize exploits for identified vulnerabilities in edge devices.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4b19edb74954… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Github Covenant: cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
[2] Microsoft HAFNIUM March 2020: MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
[3] mitre-attack S1155
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.