HackTool - Covenant PowerShell Launcher
Detects suspicious command lines used in Covenant launchers
Sigma rule
```yaml
title: HackTool - Covenant PowerShell Launcher
id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
status: test
description: Detects suspicious command lines used in Covenant launchers
references:
    - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2020-06-04
modified: 2023-02-21
tags:
    - attack.execution
    - attack.defense-evasion
    - attack.t1059.001
    - attack.t1564.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains|all:
            - '-Sta'
            - '-Nop'
            - '-Window'
            - 'Hidden'
        CommandLine|contains:
            - '-Command'
            - '-EncodedCommand'
    selection_2:
        CommandLine|contains:
            - 'sv o (New-Object IO.MemorySteam);sv d '
            - 'mshta file.hta'
            - 'GruntHTTP'
            - '-EncodedCommand cwB2ACAAbwAgA'
condition: 1 of selection_*
level: high
```
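The rule's matching logic, re-implemented here as an added example for offline testing. This is not code from the Sigma project or from Covenant, and the command lines it evaluates are constructed samples, not real process_creation telemetry. It replicates Sigma's case-insensitive `contains`, the `all` modifier in selection_1, and the `1 of selection_*` OR. The helper `encoded_command` (an assumed name, not a Sigma or PowerShell API) shows why the 13-character base64 fragment in selection_2 is stable: it is the base64 of the UTF-16LE encoding of the script's opening `sv o `, which is what `powershell -EncodedCommand` expects, so any encoded payload beginning that way produces the same prefix.

```python
"""Evaluate the Covenant launcher Sigma rule over constructed command lines.

Sigma |contains comparisons are case-insensitive. selection_1 requires all
four flag fragments plus one of the two command switches; selection_2 is a
plain OR of Covenant-specific strings; the condition ORs the two selections.
"""
import base64

SELECTION_1_ALL = ["-Sta", "-Nop", "-Window", "Hidden"]
SELECTION_1_ANY = ["-Command", "-EncodedCommand"]
SELECTION_2_ANY = [
    "sv o (New-Object IO.MemorySteam);sv d ",
    "mshta file.hta",
    "GruntHTTP",
    "-EncodedCommand cwB2ACAAbwAgA",
]


def contains(cmdline: str, needle: str) -> bool:
    """Sigma 'contains' modifier: case-insensitive substring test."""
    return needle.lower() in cmdline.lower()


def selection_1(cmdline: str) -> bool:
    """Generic launcher shape: -Sta -Nop -Window Hidden plus -Command or -EncodedCommand."""
    return (all(contains(cmdline, s) for s in SELECTION_1_ALL)
            and any(contains(cmdline, s) for s in SELECTION_1_ANY))


def selection_2(cmdline: str) -> bool:
    """Strings specific to the Covenant launcher and its Grunt stager."""
    return any(contains(cmdline, s) for s in SELECTION_2_ANY)


def rule_matches(cmdline: str) -> bool:
    """condition: 1 of selection_*  (i.e. selection_1 OR selection_2)."""
    return selection_1(cmdline) or selection_2(cmdline)


def encoded_command(script: str) -> str:
    """Encode a script as powershell -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Inverse of encoded_command, for triage of a matched -EncodedCommand payload."""
    return base64.b64decode(b64).decode("utf-16-le")


# Constructed sample command lines (not real telemetry). The launcher-shaped
# ones are modelled on the strings the rule itself lists.
SAMPLES = {
    "covenant_plain": (
        'powershell -Sta -Nop -Window Hidden -Command "sv o (New-Object IO.MemorySteam);'
        'sv d (New-Object IO.Compression.DeflateStream(...))"'
    ),
    "covenant_encoded": (
        "powershell -sta -nop -window hidden -EncodedCommand "
        + encoded_command("sv o (New-Object IO.MemorySteam);sv d (New-Object Byte[](1024))")
    ),
    "covenant_mshta": "cmd.exe /c mshta file.hta",
    # Benign-looking admin invocation that still satisfies selection_1, because
    # '-Nop' is a substring of '-NoProfile' and '-Window' of '-WindowStyle'.
    "admin_longflags": (
        'powershell.exe -Sta -NoProfile -WindowStyle Hidden -Command "Get-Service -Name Spooler"'
    ),
    "benign_script": (
        "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1"
    ),
}


def evaluate(samples=SAMPLES) -> dict:
    """Map sample name -> (selection_1, selection_2, rule_matches)."""
    return {name: (selection_1(c), selection_2(c), rule_matches(c))
            for name, c in samples.items()}


if __name__ == "__main__":
    for name, (s1, s2, hit) in evaluate().items():
        print(f"{name:18} selection_1={s1} selection_2={s2} match={hit}")
    # The 13-character base64 fragment in selection_2 is just the encoding of
    # the script's first characters, 'sv o ', so it is stable across payloads.
    print(encoded_command("sv o (New-Object IO.MemorySteam)")[:13])
    print(decode_encoded_command(encoded_command("sv o (New-Object IO.MemorySteam);")[:16]))
```

Note the `admin_longflags` sample: because `contains` is a substring test, `-Nop` also matches `-NoProfile` and `-Window` matches `-WindowStyle`, so selection_1 fires on any hidden-window PowerShell invocation that combines those flags with `-Sta` and `-Command`, not only on Covenant. A hit on selection_1 without any selection_2 string is therefore a candidate for tuning against known administrative scripts, while a selection_2 hit is much more specific and should be decoded and triaged as a likely Grunt stager.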
References
- https://posts.specterops.io/covenant-v0-5-eee0507b85ba
Related rules
- ConvertTo-SecureString Cmdlet Usage Via CommandLine
- Detection of PowerShell Execution via Sqlps.exe
- Execute Code with Pester.bat
- Execute Code with Pester.bat as Parent
- Greenbug Espionage Group Indicators