diff --git a/ssl/c2/covenant-c2-ssl.yaml b/ssl/c2/covenant-c2-ssl.yaml
new file mode 100644
index 0000000000..e58faa1c64
--- /dev/null
+++ b/ssl/c2/covenant-c2-ssl.yaml
@@ -0,0 +1,28 @@
+id: covenant-c2-ssl
+
+info:
+  name: Covenant C2 SSL - Detect
+  author: pussycat0x
+  severity: info
+  description: |
+    Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier,and serve as a collaborative command and control platform for red teamers.
+  reference: |
+    https://twitter.com/MichalKoczwara/status/1548685058403360770
+  metadata:
+    verified: "true"
+    shodan-query: ssl:”Covenant” http.component:”Blazor”
+  tags: c2,ir,osint,covenant,ssl
+
+ssl:
+  - address: "{{Host}}:{{Port}}"
+
+    matchers:
+      - type: word
+        part: subject_dn
+        words:
+          - "CN=Covenant"
+
+    extractors:
+      - type: json
+        json:
+          - ".subject_dn"