Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

HackTool - Covenant PowerShell Launcher

Detects suspicious command lines used in Covenant luanchers

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.communityCreated Thu Jun 04Updated Tue Feb 21c260b6db-48ba-4b4a-a76f-2f67644e99d2windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection_1:
        CommandLine|contains|all:
            - '-Sta'
            - '-Nop'
            - '-Window'
            - 'Hidden'
        CommandLine|contains:
            - '-Command'
            - '-EncodedCommand'
    selection_2:
        CommandLine|contains:
            - 'sv o (New-Object IO.MemorySteam);sv d '
            - 'mshta file.hta'
            - 'GruntHTTP'
            - '-EncodedCommand cwB2ACAAbwAgA'
    condition: 1 of selection_*
References
1
Resolving title…
posts.specterops.io
MITRE ATT&CK
Rule Metadata
Rule ID
c260b6db-48ba-4b4a-a76f-2f67644e99d2
Status
test
Level
high
Type
Detection
Created
Thu Jun 04
Modified
Tue Feb 21
Author
Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
Path
rules/windows/process_creation/proc_creation_win_hktl_covenant.yml
Raw Tags
attack.executionattack.defense-evasionattack.t1059.001attack.t1564.003
View on GitHub