This is the first part of a series of blog posts about my recent work with the open source C2 framework Covenant.
For quite some time now, I have been trying to get the most recent version of Rubeus integrated into Covenant. While we at avantguard cyber security GmbH have not used Covenant in active engagements recently and have switched to other, closed source C2 frameworks, Covenant is still my favorite C2. So in labs and research projects, I always use Covenant's dev branch and am trying to improve different aspects of it. Sometimes, this leads to a lot more work than I initially expect.
The most prevalent reason to update Rubeus is that in the version used in Covenant's dev branch (v1.5.0), there is a bug in the calculation of a machine account's hash. This has cost me some time in a lab since I was not aware of this bug and there are a dozen more things that could have been wrong at that step of the attack. But even without that specific bug, Rubeus has seen a lot of interesting updates, especially for AD CS related attacks.
I will spare you the details about what errors I encountered and will instead just show my solution. If you want to see the errors, just replace the Rubeus source folder in Covenant and run a Rubeus task on a Grunt.
The following steps allowed me to compile the newest Rubeus version in Covenant's dev branch:
- Download and copy the most recent Rubeus source code to Covenant's ReferenceSourceLibrary folder (Covenant/Covenant/Data/ReferenceSourceLibraries/Rubeus). Make sure the folder structure stays the same.
- In Covenant's web interface, go to the Tasks menu (the one from the left menu, not the tab in an active Grunt). Search for the Rubeus task and edit it. It's important to know that since version 1.6.4, Rubeus is .NET 4.0+ compatible only. That means that we have to remove Net35 from the CompatibleDotNetVersions dropdown menu. Additionally, we have to enable UnsafeCompile.
  Also, we have to add five ReferenceAssemblies:
  - System.Data.dll (Net40)
  - System.Security.dll (Net40)
  - System.Data.DataSetExtensions.dll (Net40)
  - System.DirectoryServices.Protocols.dll
  - System.XML.dll
- After saving your changes, switch to the Reference Source Libraries tab in the Tasks menu. Here, try to edit the Rubeus library. For me, this led to an error in Covenant that crashed the server, but it might work. Remove Net35 from CompatibleDotNetVersions here too. If saving the changes crashes your server too, do the following:
  - Stop the Covenant server with Ctrl+C.
  - We can edit the configuration directly in Covenant's database: sqlitebrowser Covenant/Covenant/Data/covenant.db
  - Browse the ReferenceSourceLibraries table and edit the Rubeus entry. Change the CompatibleDotNetVersions value from [0,1] to [1].
  - Again, save all changes.
- The last step is to disable the code optimization for Rubeus tasks. The optimization seems to suffer from a bug where namespaces are removed even though they would be required. Modify line 212 from Covenant/Covenant/Models/Grunts/GruntTask.cs to look like this:
    Optimize = !this.ReferenceSourceLibraries.Select(RSL => RSL.Name).Contains("Seatbelt") && !this.ReferenceSourceLibraries.Select(RSL => RSL.Name).Contains("Rubeus")
- Use dotnet clean and dotnet run to rebuild and start Covenant again. Run a Rubeus command in an active Grunt and if everything worked, the task should compile correctly and show the updated version.
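The database edit from the steps above can also be scripted instead of done by hand in sqlitebrowser. This is an added example, not code from the original post or from Covenant. It assumes the ReferenceSourceLibraries table has columns named Name and CompatibleDotNetVersions and that the value is stored as JSON array text such as [0,1]; run it only while the Covenant server is stopped.

```python
import json
import shutil
import sqlite3
from pathlib import Path

NET35 = 0  # the post's [0,1] -> [1] edit implies 0 = Net35 and 1 = Net40


def drop_net35(db_path, library="Rubeus"):
    """Remove Net35 from a library's CompatibleDotNetVersions; return the new list."""
    db_path = Path(db_path)
    # Keep one pristine copy next to the database so the edit can be undone.
    backup = db_path.parent / (db_path.name + ".bak")
    if not backup.exists():
        shutil.copy2(db_path, backup)

    con = sqlite3.connect(str(db_path))
    try:
        # Assumed column names: Name, CompatibleDotNetVersions.
        row = con.execute(
            "SELECT CompatibleDotNetVersions FROM ReferenceSourceLibraries"
            " WHERE Name = ?",
            (library,),
        ).fetchone()
        if row is None:
            raise LookupError(f"no ReferenceSourceLibraries row named {library!r}")
        versions = json.loads(row[0])
        remaining = [v for v in versions if v != NET35]
        if not remaining:
            raise ValueError("refusing to leave the library with no .NET version")
        if remaining != versions:
            with con:  # commits on success, rolls back on error
                con.execute(
                    "UPDATE ReferenceSourceLibraries"
                    " SET CompatibleDotNetVersions = ? WHERE Name = ?",
                    (json.dumps(remaining, separators=(",", ":")), library),
                )
        return remaining
    finally:
        con.close()


if __name__ == "__main__":
    print(drop_net35("Covenant/Covenant/Data/covenant.db"))
```

The script only touches the named library's row and is safe to run twice; the untouched copy stays in covenant.db.bak.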
I have not tried updating the other source libraries yet. SharpSploit is already the most recent version, but it could be interesting to update the other ones as well. I hope this blog post can help others who face the same struggles when trying to update stuff in Covenant or adding new tasks. Try to disable optimization and remember to add the required reference assemblies to the task.
If you are using Covenant, check out our GitHub repo where we will be releasing some tasks and additions: Covenant-Additions
Thanks for reading! As always, feel free to send any questions or remarks to research@avantguard.io or contact me in the BloodHoundGang slack (user @jannlemm0913).