Update win_susp_covenant.yml

This commit is contained in:
Jonhnathan 2020-11-20 02:36:20 -03:00 committed by GitHub
parent ec1944e2d7
commit 31e0cfb13f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -4,7 +4,7 @@ description: Detects suspicious command lines used in Covenant luanchers
status: experimental
references:
- https://posts.specterops.io/covenant-v0-5-eee0507b85ba
author: Florian Roth
author: Florian Roth, Jonhnathan Ribeiro, oscd.community
date: 2020/06/04
tags:
- attack.execution
@ -17,12 +17,19 @@ logsource:
product: windows
detection:
selection:
CommandLine|contains|all:
- '-Sta'
- '-Nop'
- '-Window'
- 'Hidden'
CommandLine|contains:
- '-Command'
- '-EncodedCommand'
selection2:
CommandLine|contains:
- ' -Sta -Nop -Window Hidden -Command '
- ' -Sta -Nop -Window Hidden -EncodedCommand '
- 'sv o (New-Object IO.MemorySteam);sv d '
- 'mshta file.hta'
- 'GruntHTTP'
- '-EncodedCommand cwB2ACAAbwAgA'
condition: selection
condition: selection or selection2
level: high
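Review bot: The new `selection` block fires on any command line carrying `-Sta`, `-Nop`, `-Window`, `Hidden` and `-Command`/`-EncodedCommand`, which is generic hidden-window PowerShell launcher syntax rather than anything Covenant-specific, yet the rule keeps `level: high` and a Covenant-only title; a comment above `selection:` such as `# generic hidden-window PowerShell launcher flags; Covenant-specific strings live in selection2` would make the broadened scope explicit, and the rule's `falsepositives` entry (outside this hunk) should reflect the wider match. Since Sigma `contains` matching is case-insensitive and `-Sta`/`-Nop` are prefix fragments, it is worth noting that they also cover long-form spellings such as `-NoProfile`. The metadata hunk updates `author` but adds no `modified:` line after `date: 2020/06/04`, which Sigma convention expects when detection logic changes. The description shown in the hunk header still reads `luanchers`.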