HackTool - Covenant PowerShell Launcher
| Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
| --- | --- | --- | --- | --- |
| HackTool - Covenant PowerShell Launcher | Standard | PowerShell Operational Logs, Windows Security Event Logs, Sysmon (Process Creation) | T1059.001: PowerShell; T1105: Ingress Tool Transfer; T1027: Obfuscated Files or Information; T1218: Signed Binary Proxy Execution | High |
About the rule
Rule Type
Standard
Rule Description
Detects usage of PowerShell-based launchers associated with the Covenant C2 framework. These launchers are often obfuscated and used to establish communication with Covenant infrastructure during initial access or post-exploitation.
Severity
Trouble
Rule journey
Attack chain scenario
Initial Access → Execution (via Covenant PowerShell Launcher) → Defense Evasion (Hidden Window, Encoded Commands) → Command and Control (C2 via PowerShell/HTTP)
Impact
Remote Code Execution, Command and Control, Defense Evasion
Rule Requirement
Prerequisites
Windows Event Viewer
- Log in to a domain controller.
- Open GPMC (gpmc.msc) and edit/create a GPO.
- Go to: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking, and enable:
  - Audit Process Creation (Success)
  - Audit Process Termination (Success)
- Go to: Computer Configuration > Administrative Templates > System > Audit Process Creation, and enable “Include command line in process creation events”
- Create registry key (if missing):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational
Sysmon
- Download and install Sysmon.
- Open Command Prompt as admin.
- Use a config file with <ProcessCreate onmatch="exclude"/>.
- Install Sysmon with config.
- Create registry key (if missing):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational
Criteria
Action1: actionname = "Process started"
  AND (
    (COMMANDLINE contains all of: "-Sta", "-Nop", "-Window", "Hidden")
    AND (COMMANDLINE contains any of: "-Command", "-EncodedCommand")
  )
  OR (COMMANDLINE contains any of: "sv o (New-Object IO.MemorySteam);sv d ", "mshta file.hta", "GruntHTTP", "-EncodedCommand cwB2ACAAbwAgA")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
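To make the criteria concrete, the following is an added Python example (not part of this rule page or of any vendor product) that applies the same selections to constructed process-start events and decodes the -EncodedCommand payload of each hit, as the first "Next Step" below asks. Case-insensitive matching and the base64/UTF-16LE decoding are assumptions not stated on the page; the sample events and their "echo hi" payload are constructed.

```python
import base64
import re

# Terms copied verbatim from the Criteria above (including "MemorySteam",
# because the rule matches that literal string).
ALL_OF = ("-Sta", "-Nop", "-Window", "Hidden")
ANY_OF = ("-Command", "-EncodedCommand")
OTHER = ("sv o (New-Object IO.MemorySteam);sv d ", "mshta file.hta",
         "GruntHTTP", "-EncodedCommand cwB2ACAAbwAgA")

def matches_covenant_launcher(commandline):
    """(all of ALL_OF and any of ANY_OF) or any of OTHER; case-insensitive
    matching is an assumption taken from Sigma's default 'contains'."""
    cl = commandline.lower()
    sel1 = all(t.lower() in cl for t in ALL_OF)
    sel2 = any(t.lower() in cl for t in ANY_OF)
    return (sel1 and sel2) or any(t.lower() in cl for t in OTHER)

def decode_encoded_command(commandline):
    """First 'Next Step' below: recover the script passed via -EncodedCommand
    (base64 of UTF-16LE). Returns None when absent or undecodable."""
    m = re.search(r"-EncodedCommand\s+([A-Za-z0-9+/=]+)", commandline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(events):
    """Apply the rule to process-start events; hits carry the decoded payload."""
    hits = []
    for ev in events:
        if ev["actionname"] == "Process started" and matches_covenant_launcher(ev["COMMANDLINE"]):
            hits.append(dict(ev, DECODED=decode_encoded_command(ev["COMMANDLINE"])))
    return hits

def event(host, parent, cmdline):  # constructed telemetry, not a real event
    return {"actionname": "Process started", "HOSTNAME": host,
            "PARENTPROCESSNAME": parent, "COMMANDLINE": cmdline}

SAMPLE_EVENTS = [  # the encoded payload in the samples is just "echo hi"
    event("WS01", "winword.exe",
          "powershell.exe -Sta -Nop -Window Hidden -EncodedCommand ZQBjAGgAbwAgAGgAaQA="),
    event("WS01", "explorer.exe",  # hidden-window flags but no -Command: no hit
          "powershell.exe -Sta -Nop -Window Hidden -File C:\\scripts\\backup.ps1"),
    event("WS02", "explorer.exe",  # -EncodedCommand without the flag set: no hit
          "powershell.exe -NoProfile -EncodedCommand ZQBjAGgAbwAgAGgAaQA="),
    event("WS03", "cmd.exe", "mshta file.hta"),  # matches the second branch
]
```

Running `evaluate(SAMPLE_EVENTS)` returns only the WS01 Word-spawned launcher and the WS03 mshta event; the two near-misses show why both halves of the first branch must match.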
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
- T1059.001: PowerShell
- T1105: Ingress Tool Transfer
- T1027: Obfuscated Files or Information
- T1218: Signed Binary Proxy Execution
Security Standards
- NIST SP 800-53 Rev. 5 (SI-4, SI-7)
- ISO/IEC 27001 Annex A.12.4 (Logging and Monitoring)
- CIS Controls v8 – Control 8: Audit Log Management
Author
Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
Future actions
Known False Positives
Legitimate PowerShell scripts using base64-encoded commands (rare)
Next Steps
- Decode the PowerShell command for analysis
- Investigate network connections to known Covenant C2 domains or IPs
- Isolate the system and perform a forensic review
- Check persistence mechanisms (e.g., scheduled tasks, registry keys)
- Apply PowerShell logging and constrain language modes where possible
Mitigation
| Mitigation ID | Mitigation Name | Description |
| --- | --- | --- |
| M1038 | Execution Prevention | Limit or restrict program execution using antivirus software. On macOS, allowlist only approved programs with the plist tag — all others should be considered suspicious. |
| M1033 | Limit Software Installation | Restrict installation of software that could be abused to create hidden desktops (e.g., hVNC) to only those user groups that genuinely require it. |
| M1049 | Antivirus / Antimalware | Use antivirus tools to automatically detect and quarantine suspicious files or scripts. |
| M1045 | Code Signing | Enforce PowerShell execution policies to allow only signed scripts to run. |
| M1042 | Disable or Remove Feature or Program | Consider removing PowerShell if not required. If used, review its necessity thoroughly. Disable or restrict the WinRM service to limit PowerShell-based remote execution. |
| M1026 | Privileged Account Management | If PowerShell is required, limit its execution to administrators. Use Just Enough Administration (JEA) to sandbox and restrict allowed cmdlets in remote PowerShell sessions. Be aware that execution policies can be bypassed in some configurations. |