[Emerging-Sigs] SIGS: Covenant Framework

Jason Williams jwilliams at emergingthreats.net
Sun Aug 4 06:07:17 HDT 2019


Nice!

Will get this in QA for Monday.

Thanks very much!

On Sun, Aug 4, 2019 at 6:34 AM Kevin Ross via Emerging-sigs <
emerging-sigs at lists.emergingthreats.net> wrote:

> Hi,
>
> Here are some initial signatures for the Covenant framework. Now that
> PowerShell Empire is EOL, I can see this replacing it, especially now that
> it has a GUI and some very nice features.
>
> Kind Regards,
> Kevin Ross
>
> # C2
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Covenant Framework Default HTTP Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/en-us/"; http_uri; depth:7; content:"i="; http_client_body; depth:2; content:"&data="; http_client_body; distance:0; content:"&session="; http_client_body; distance:0; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; sid:123311; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Covenant Framework HTTP Beacon"; flow:established,to_server; content:"POST"; http_method; content:"=eyJHVUlEIjoi"; http_client_body; pcre:"/eyJHVUlEIjoi.+(IlR5cGUiO|JUeXBlIj|iVHlwZSI6)/Psm"; threshold: type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; sid:123312; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Covenant Framework HTTP Hello World Server Response"; flow:established,to_client; file_data; content:"Hello World! eyJHVUlEIjoi"; fast_pattern:6,19; threshold: type limit, count 1, seconds 60, track by_dst; classtype:trojan-activity; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; sid:182311; rev:1;)
>
> # Stager HTTP Delivery
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Covenant Framework Grunt Stager HTTP Download (Grunt.GruntStager)"; flow:established,to_client; content:".CreateInstance(|27|Grunt.GruntStager|27|)"; fast_pattern:17,19; classtype:trojan-activity; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; sid:144111; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Covenant Framework Grunt Stager HTTP Download (DynamicInvoke)"; flow:established,to_client; content:"toStream(assembly_str)"; content:"delegate.DynamicInvoke(array.ToArray()).CreateInstance("; distance:0; fast_pattern:9,20; classtype:trojan-activity; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; sid:144112; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Covenant Framework Grunt PowerShell Stager HTTP Download"; flow:established,to_client; content:"IO.Compression.CompressionMode]|3A 3A|Decompress"; content:".Value.Write("; distance:0; content:"Reflection.Assembly]|3A 3A|Load("; fast_pattern; distance:0; content:".EntryPoint.Invoke("; distance:0; content:"Out-Null"; distance:0; classtype:trojan-activity; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; sid:144113; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Covenant Framework Grunt MSBuild Stager HTTP Download"; flow:established,to_client; content:"System.IO.Compression.CompressionMode.Decompress"; content:"System.Reflection.Assembly.Load("; distance:0; content:".EntryPoint.Invoke("; distance:0; fast_pattern; content:"|3C 2F|UsingTask|3E|"; distance:0; classtype:trojan-activity; reference:url,github.com/cobbr/Covenant; reference:url,posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462; sid:144114; rev:1;)
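
The second beacon signature above (sid:123312) works because a fixed substring has only three possible base64 encodings, one per byte offset mod 3: "eyJHVUlEIjoi" is {"GUID":" encoded at offset 0, and the three pcre alternatives are "Type": at each alignment. The Python below is an added illustration, not part of Kevin's post or of the Covenant project: it derives those alignment fragments from the plaintext and applies the rule's matching logic to a constructed, beacon-like POST body. The JSON layout and the "data=" form field used for the sample input are assumptions for this example, not Covenant's actual wire format.

```python
import base64
import re

# Constructed for this example: the plaintext behind the two signature strings.
GUID_PREFIX = b'{"GUID":"'  # base64 -> "eyJHVUlEIjoi"
TYPE_KEY = b'"Type":'       # base64 -> the three pcre alternatives


def b64_alignments(needle: bytes) -> list[str]:
    """Base64 fragments matching `needle` at each byte alignment (offset mod 3).

    Characters that mix in bits from the unknown neighbouring bytes are dropped,
    so each fragment matches regardless of what surrounds the needle."""
    fragments = []
    for shift in range(3):
        padded = b"\x00" * shift + needle
        encoded = base64.b64encode(padded).decode().rstrip("=")
        lead = (0, 2, 3)[shift]               # chars tainted by the pad bytes
        trail = 1 if len(padded) % 3 else 0   # char tainted by trailing zero bits
        fragments.append(encoded[lead:len(encoded) - trail])
    return fragments


# Same logic as the rule's content:"=eyJHVUlEIjoi" plus its pcre with the /s flag.
GUID_B64 = b64_alignments(GUID_PREFIX)[0]
BEACON_RE = re.compile(
    re.escape(GUID_B64) + r".+(" + "|".join(map(re.escape, b64_alignments(TYPE_KEY))) + r")",
    re.DOTALL,
)


def beacon_matches(method: str, body: str) -> bool:
    """Apply sid:123312 to one request: a POST whose body carries a base64 blob
    that starts with {"GUID":" and later contains a "Type": key."""
    if method != "POST" or "=" + GUID_B64 not in body:
        return False
    return BEACON_RE.search(body) is not None


def sample_body(guid: str) -> str:
    """Constructed beacon-like body (assumed layout, not Covenant's real format).
    Varying the GUID length moves "Type": across all three alignments."""
    blob = b'{"GUID":"' + guid.encode() + b'","Type":1,"Meta":""}'
    return "data=" + base64.b64encode(blob).decode()


if __name__ == "__main__":
    print(b64_alignments(TYPE_KEY))   # ['IlR5cGUiO', 'JUeXBlIj', 'iVHlwZSI6']
    for n in (16, 17, 18):
        print(n, beacon_matches("POST", sample_body("a" * n)))   # True each time
```

The same helper reproduces the server-side string in sid:182311, since "Hello World! eyJHVUlEIjoi" is just that prefix appearing at alignment 0 in the response body.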