Detects suspicious command lines used in Covenant luanchers
title: HackTool - Covenant PowerShell Launcher
id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
status: test
description: Detects suspicious command lines used in Covenant luanchers
references:
- https://posts.specterops.io/covenant-v0-5-eee0507b85ba
author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
date: 2020-06-04
modified: 2023-02-21
tags:
- attack.execution
- attack.stealth
- attack.t1059.001
- attack.t1564.003
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains|all:
- '-Sta'
- '-Nop'
- '-Window'
- 'Hidden'
CommandLine|contains:
- '-Command'
- '-EncodedCommand'
selection_2:
CommandLine|contains:
- 'sv o (New-Object IO.MemorySteam);sv d '
- 'mshta file.hta'
- 'GruntHTTP'
- '-EncodedCommand cwB2ACAAbwAgA'
condition: 1 of selection_*
level: high
imProcessCreate
| where ((TargetProcessCommandLine contains "-Sta" and TargetProcessCommandLine contains "-Nop" and TargetProcessCommandLine contains "-Window" and TargetProcessCommandLine contains "Hidden") and (TargetProcessCommandLine contains "-Command" or TargetProcessCommandLine contains "-EncodedCommand")) or (TargetProcessCommandLine contains "sv o (New-Object IO.MemorySteam);sv d " or TargetProcessCommandLine contains "mshta file.hta" or TargetProcessCommandLine contains "GruntHTTP" or TargetProcessCommandLine contains "-EncodedCommand cwB2ACAAbwAgA")| Sentinel Table | Notes |
|---|---|
imProcessCreate | Ensure this data connector is enabled |
No known false positives documented.