[Emerging-Sigs] SIGS: Covenant Framework

Kevin Ross kevross33 at googlemail.com
Sun Aug 4 03:34:34 HDT 2019


Hi,

Here are some initial signatures for the Covenant framework. Now that PowerShell
Empire is EOL, I can see this replacing it, especially now that it has a GUI and
some very nice features.

Kind Regards,
Kevin Ross

# C2
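# Default Covenant HTTP listener profile, beacon direction (implant -> server):
# a POST whose URI starts with "/en-us/" and whose body starts with "i=" and
# then carries "&data=" and "&session=" in that order. Every string here comes
# from the *default* profile; a listener with a customised profile will not
# trip this rule, so a miss is weak evidence of absence.
# threshold: at most one alert per source host per 60 s for the same rule.
# NOTE(review): sid 123311 looks like a provisional value from the submission;
# assign one from your local sid range before deploying.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Covenant Framework Default HTTP Beacon"; \
    flow:established,to_server; \
    content:"POST"; http_method; \
    content:"/en-us/"; http_uri; depth:7; \
    content:"i="; http_client_body; depth:2; \
    content:"&data="; http_client_body; distance:0; \
    content:"&session="; http_client_body; distance:0; \
    threshold: type limit, count 1, seconds 60, track by_src; \
    classtype:trojan-activity; \
    reference:url,github.com/cobbr/Covenant; \
    reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; \
    sid:123311; rev:1;)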

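# Profile-independent Covenant beacon (implant -> server): the POST body
# carries a base64-encoded JSON object. "eyJHVUlEIjoi" is base64 for
# {"GUID":" and the pcre alternation is the three base64 alignments of
# "Type": later in the same object; /P restricts the pcre to the normalised
# client body, /s and /m let "." span line breaks.
# threshold: at most one alert per source host per 60 s for the same rule.
# NOTE(review): sid 123312 looks like a provisional value from the submission;
# assign one from your local sid range before deploying.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Covenant Framework HTTP Beacon"; \
    flow:established,to_server; \
    content:"POST"; http_method; \
    content:"=eyJHVUlEIjoi"; http_client_body; \
    pcre:"/eyJHVUlEIjoi.+(IlR5cGUiO|JUeXBlIj|iVHlwZSI6)/Psm"; \
    threshold: type limit, count 1, seconds 60, track by_src; \
    classtype:trojan-activity; \
    reference:url,github.com/cobbr/Covenant; \
    reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; \
    sid:123312; rev:1;)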

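# Covenant server -> implant reply: the HTTP response body (file_data) starts
# with the literal "Hello World! " followed by the base64 prefix of a JSON
# object ({"GUID":" encodes as "eyJHVUlEIjoi"). fast_pattern:6,19 selects
# the 19 bytes "World! eyJHVUlEIjoi" for the prefilter, skipping the common
# "Hello " prefix.
# threshold: at most one alert per destination host per 60 s for the same rule.
# NOTE(review): sid 182311 looks like a provisional value from the submission;
# assign one from your local sid range before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Covenant Framework HTTP Hello World Server Response"; \
    flow:established,to_client; \
    file_data; content:"Hello World! eyJHVUlEIjoi"; fast_pattern:6,19; \
    threshold: type limit, count 1, seconds 60, track by_dst; \
    classtype:trojan-activity; \
    reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; \
    sid:182311; rev:1;)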

# Stager HTTP Delivery
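# Grunt stager delivered over HTTP: the downloaded source contains
# .CreateInstance('Grunt.GruntStager') (|27| is the hex escape for a single
# quote). fast_pattern:17,19 hands the 19 bytes "Grunt.GruntStager')" to
# the prefilter.
# NOTE(review): unlike sid 182311, this rule and sids 144112-144114 match
# the raw server-to-client payload with no buffer keyword, so a gzip- or
# chunked-encoded response body will not be inspected in decoded form.
# Consider anchoring the content matches with file_data if that is
# acceptable for your deployment -- confirm against samples before changing.
# NOTE(review): sid 144111 looks like a provisional value from the submission;
# assign one from your local sid range before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Covenant Framework Grunt Stager HTTP Download (Grunt.GruntStager)"; \
    flow:established,to_client; \
    content:".CreateInstance(|27|Grunt.GruntStager|27|)"; fast_pattern:17,19; \
    classtype:trojan-activity; \
    reference:url,github.com/cobbr/Covenant; \
    reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; \
    sid:144111; rev:1;)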

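# Grunt stager variant that loads the assembly through a delegate: the
# downloaded source contains "toStream(assembly_str)" and, later in the
# stream (distance:0), "delegate.DynamicInvoke(array.ToArray()).CreateInstance(".
# fast_pattern:9,20 hands the 20 bytes "DynamicInvoke(array." of that second
# content to the prefilter. Content matches are against the raw payload
# (no buffer keyword).
# NOTE(review): sid 144112 looks like a provisional value from the submission;
# assign one from your local sid range before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Covenant Framework Grunt Stager HTTP Download (DynamicInvoke)"; \
    flow:established,to_client; \
    content:"toStream(assembly_str)"; \
    content:"delegate.DynamicInvoke(array.ToArray()).CreateInstance("; distance:0; fast_pattern:9,20; \
    classtype:trojan-activity; \
    reference:url,github.com/cobbr/Covenant; \
    reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; \
    sid:144112; rev:1;)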

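# PowerShell Grunt stager delivered over HTTP. Matches, in order (each
# distance:0 is relative to the previous match), the script fragments
# [IO.Compression.CompressionMode]::Decompress, .Value.Write(,
# [Reflection.Assembly]::Load( (fast_pattern), .EntryPoint.Invoke( and
# Out-Null. |3A 3A| is the hex escape for "::". Content matches are against
# the raw payload (no buffer keyword).
# NOTE(review): sid 144113 looks like a provisional value from the submission;
# assign one from your local sid range before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Covenant Framework Grunt PowerShell Stager HTTP Download"; \
    flow:established,to_client; \
    content:"IO.Compression.CompressionMode]|3A 3A|Decompress"; \
    content:".Value.Write("; distance:0; \
    content:"Reflection.Assembly]|3A 3A|Load("; fast_pattern; distance:0; \
    content:".EntryPoint.Invoke("; distance:0; \
    content:"Out-Null"; distance:0; \
    classtype:trojan-activity; \
    reference:url,github.com/cobbr/Covenant; \
    reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; \
    sid:144113; rev:1;)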

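# MSBuild (inline task) Grunt stager delivered over HTTP. Matches, in order
# (each distance:0 is relative to the previous match), the C# fragments
# System.IO.Compression.CompressionMode.Decompress,
# System.Reflection.Assembly.Load(, .EntryPoint.Invoke( (fast_pattern) and
# the closing </UsingTask> element, written as |3C 2F|UsingTask|3E| in hex
# escapes. Content matches are against the raw payload (no buffer keyword).
# NOTE(review): sid 144114 looks like a provisional value from the submission;
# assign one from your local sid range before deploying.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Covenant Framework Grunt MSBuild Stager HTTP Download"; \
    flow:established,to_client; \
    content:"System.IO.Compression.CompressionMode.Decompress"; \
    content:"System.Reflection.Assembly.Load("; distance:0; \
    content:".EntryPoint.Invoke("; distance:0; fast_pattern; \
    content:"|3C 2F|UsingTask|3E|"; distance:0; \
    classtype:trojan-activity; \
    reference:url,github.com/cobbr/Covenant; \
    reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; \
    sid:144114; rev:1;)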

