From 2e77e6528503c5f2bd80ca07e1ccc64eb381758e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 5 Jun 2020 11:03:28 +0200
Subject: [PATCH] rule: Covenant launchers

---
 .../process_creation/win_susp_covenant.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_covenant.yml

diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml
new file mode 100644
index 000000000..8f0f92a6f
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_covenant.yml
@@ -0,0 +1,25 @@
+title: Covenant Launcher Indicators
+id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
+description: Detects suspicious command lines used in Covenant luanchers
+status: experimental
+references:
+ - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
+author: Florian Roth
+date: 2020/06/04
+tags:
+ - attack.execution
+ - attack.t1086
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - ' -Sta -Nop -Window Hidden -Command '
+ - ' -Sta -Nop -Window Hidden -EncodedCommand '
+ - 'sv o (New-Object IO.MemorySteam);sv d '
+ - 'mshta file.hta'
+ - 'GruntHTTP'
+ - '-EncodedCommand cwB2ACAAbwAgA'
+ condition: selection
+level: high
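Review bot: The third `CommandLine|contains` entry, `'sv o (New-Object IO.MemorySteam);sv d '`, looks like a typo for the .NET type name `IO.MemoryStream`; if the launcher's plaintext form spells the type correctly, this pattern never fires and only the base64 variant on the last entry (which decodes to the leading `sv o `) would catch it, so the line should read `- 'sv o (New-Object IO.MemoryStream);sv d '`. The description carries a similar typo and should read `description: Detects suspicious command lines used in Covenant launchers`. The rule also has no `falsepositives` field, which the other process_creation rules in this tree declare and which downstream tooling expects; a minimal `falsepositives:` / `    - Unknown` pair after `references` would keep it consistent, with a note that the generic `mshta file.hta` and `-Sta -Nop -Window Hidden` entries are the ones most likely to need tuning.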