HackTool - Covenant PowerShell Launcher

Feb 21, 2023 · attack.execution attack.defense_evasion attack.t1059.001 attack.t1564.003 ·

Detects suspicious command lines used in Covenant luanchers

Sigma rule (View on GitHub)

 1title: HackTool - Covenant PowerShell Launcher
 2id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
 3status: test
 4description: Detects suspicious command lines used in Covenant luanchers
 5references:
 6    - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
 7author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
 8date: 2020/06/04
 9modified: 2023/02/21
10tags:
11    - attack.execution
12    - attack.defense_evasion
13    - attack.t1059.001
14    - attack.t1564.003
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_1:
20        CommandLine|contains|all:
21            - '-Sta'
22            - '-Nop'
23            - '-Window'
24            - 'Hidden'
25        CommandLine|contains:
26            - '-Command'
27            - '-EncodedCommand'
28    selection_2:
29        CommandLine|contains:
30            - 'sv o (New-Object IO.MemorySteam);sv d '
31            - 'mshta file.hta'
32            - 'GruntHTTP'
33            - '-EncodedCommand cwB2ACAAbwAgA'
34    condition: 1 of selection_*
35level: high

References

Covenant v0.5

Intro

Read More

HackTool - Covenant PowerShell Launcher

Sigma rule (View on GitHub)

References

Covenant v0.5

Related rules