explaingit

cobbr/covenant

4,685 | C# | Audience · ops devops | Complexity · 4/5 | Setup · moderate

TLDR

A web-based command and control framework for authorized red team security testing, letting multiple operators coordinate through a shared browser dashboard to manage agents on test machines.

Mindmap

mindmap
  root((covenant))
    What it does
      C2 framework
      Red team ops
      Agent management
    Tech used
      ASP.NET Core
      Roslyn compiler
      Docker support
    Features
      Multi-operator dashboard
      Network profiles
      Forward secrecy
    Use cases
      Pen testing
      Red team exercises
      Defense validation

Things people build with this

USE CASE 1

Run authorized red team engagements where multiple operators coordinate through a shared web dashboard simultaneously.

USE CASE 2

Generate and deploy agents (Grunts) to test machines during a penetration testing engagement.

USE CASE 3

Test whether an organization's network defenses can detect unusual traffic by using configurable network communication profiles.

USE CASE 4

Extend the framework via its Swagger API to add custom capabilities for a specific engagement.

Tech stack

C# · ASP.NET Core · Docker · Roslyn

Getting it running

Difficulty · moderate | Time to first run · 1h+

Intended for authorized penetration testing only. Requires ASP.NET Core or Docker, plus security domain knowledge to use effectively.

In plain English

Covenant is a command and control framework used in authorized security testing, specifically for red team operations. A red team is a group that is hired to simulate a real attacker against an organization's systems, to find weaknesses before actual attackers do. Covenant provides the infrastructure that a red team operator uses to manage compromised machines during such an engagement.

The tool is built on ASP.NET Core, which means it runs on Windows, Linux, and macOS without needing any platform-specific setup. It also supports Docker for running it inside a container. Once running, it exposes a web-based dashboard that multiple team members can log into at the same time, so an entire red team can coordinate their activity from a shared interface.

The agents that run on target machines are called Grunts. When a Grunt checks in, it communicates back to the Covenant server using configurable network profiles that control what that traffic looks like, which matters for testing whether an organization's defenses can detect unusual network patterns. The communication is encrypted using a key exchange approach that provides forward secrecy, meaning that even if a key is later compromised, past sessions remain protected.

One notable technical detail is that Covenant compiles and obfuscates its payloads at the moment they are generated rather than shipping static files. This is done using the Roslyn compiler API, which is the same tooling that the C# language itself uses. The framework also has a Swagger interface for developers who want to extend it via the API.

Covenant is intended for professional use in legitimate penetration testing engagements. The project emphasizes tracking indicators of what actions were taken, which operators can share with the defending team at the end of an assessment.

Copy-paste prompts

Prompt 1
I am running an authorized red team engagement, how do I set up Covenant and create my first Grunt payload for a Windows target machine?
Prompt 2
How do I configure a custom network profile in Covenant to make C2 traffic blend in with normal HTTPS traffic patterns?
Prompt 3
Set up Covenant in Docker for a red team operation where multiple operators need simultaneous dashboard access, show me the Docker setup.
Prompt 4
How does Covenant's Roslyn-based payload compilation work, and why does compiling at generation time help with obfuscation compared to shipping static files?

Verify against the repo before relying on details.