title: Covenant Launcher Indicators
author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2020/06/04
description: Detects suspicious command lines used in Covenant luanchers
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine: '*-Sta*'
  SELECTION_3:
    CommandLine: '*-Nop*'
  SELECTION_4:
    CommandLine: '*-Window*'
  SELECTION_5:
    CommandLine: '*Hidden*'
  SELECTION_6:
    CommandLine:
    - '*-Command*'
    - '*-EncodedCommand*'
  SELECTION_7:
    CommandLine:
    - '*sv o (New-Object IO.MemorySteam);sv d *'
    - '*mshta file.hta*'
    - '*GruntHTTP*'
    - '*-EncodedCommand cwB2ACAAbwAgA*'
  condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
    and SELECTION_6) or SELECTION_7))
id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
level: high
logsource:
  category: process_creation
  product: windows
references:
- https://posts.specterops.io/covenant-v0-5-eee0507b85ba
status: experimental
tags:
- attack.execution
- attack.defense_evasion
- attack.t1059.001
- attack.t1564.003
- attack.t1086
ruletype: SIGMA