The hypothesis is that the presence of multiple instances of the agent.ps1 file may indicate the deployment of the Empire framework by an adversary attempting to establish persistence. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and mitigate lateral movement risks.
YARA Rule
rule Empire_Agent_Gen {
    meta:
        description = "Detects Empire component - from files agent.ps1, agent.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash1 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"
        hash2 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"
    strings:
        // Agent beaconing and jitter/delay logic specific to the Empire PowerShell agent
        $s1 = "$wc.Headers.Add(\"User-Agent\",$script:UserAgent)" fullword ascii
        $s2 = "$min = [int]((1-$script:AgentJitter)*$script:AgentDelay)" fullword ascii
        $s3 = "if ($script:AgentDelay -ne 0){" fullword ascii
    condition:
        // uint16(0) == 0x660a: little-endian, so the file begins with a newline followed by 'f'
        ( uint16(0) == 0x660a and filesize < 100KB and 1 of them ) or all of them
}
The rule's detection logic uses three string patterns ($s1 to $s3). A file matches when it begins with a newline followed by "f" (uint16(0) == 0x660a, read little-endian), is smaller than 100 KB and contains any one of the strings, or when it contains all three regardless of header and size.
Scenario: Scheduled Job Running PowerShell Script for System Maintenance
Description: A legitimate scheduled task runs agent.ps1 as part of a system maintenance or patching process.
Filter/Exclusion: Check the file path and process context. Exclude scripts located in known system directories like C:\Windows\System32\ or those signed by a trusted internal CA.
Scenario: Admin Task to Deploy Configuration Management Agent
Description: An administrator deploys a configuration management agent using a script named agent.ps1 as part of a standard deployment process.
Filter/Exclusion: Exclude files that are part of known configuration management tools (e.g., Puppet, Ansible, Chef) or are signed by the organization’s internal signing certificate.
Scenario: PowerShell Script for Log Collection and Analysis
Description: A security or operations team uses a script named agent.ps1 to collect and analyze logs from various systems.
Filter/Exclusion: Exclude scripts that are located in log collection directories (e.g., C:\Logs\) or are executed by a known log collection tool (e.g., Splunk, ELK Stack).
Scenario: Test Environment Script Execution
Description: A test environment runs agent.ps1 as part of automated testing or simulation of security tools.
Filter/Exclusion: Exclude files in test directories (e.g., C:\Test\) or those executed by a known testing framework (e.g., PowerTest, Test-Script).
Scenario: Third-Party Tool Installation Script
Description: A third-party tool uses a script named agent.ps1 during installation or configuration.
Filter/Exclusion: Exclude files that are part of known third-party software (e.g., Microsoft Intune, Azure DevOps) or are signed by the vendor’s certificate.
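As an added example (not code from the original page or the Empire project), the following Python re-implements the rule's condition without the YARA engine and applies the path, signer and parent-process exclusions from the scenarios above to a set of constructed file hits; the signer names, parent-process names and sample paths are assumptions to be replaced with the environment's own allow-list.

```python
import re
from typing import List, NamedTuple, Optional
# The three strings of Empire_Agent_Gen, copied from the rule above; 'fullword' is
# approximated by forbidding an alphanumeric character on either side of a match.
EMPIRE_STRINGS = [b'$wc.Headers.Add("User-Agent",$script:UserAgent)',
                  b'$min = [int]((1-$script:AgentJitter)*$script:AgentDelay)',
                  b'if ($script:AgentDelay -ne 0){']
PATTERNS = [re.compile(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])")
            for s in EMPIRE_STRINGS]

def rule_matches(data: bytes) -> bool:
    """The rule's condition: uint16(0) == 0x660a (little-endian, so the file starts
    with a newline followed by 'f'), under 100 KB and any one string, or all three."""
    hits = [p.search(data) is not None for p in PATTERNS]
    header_ok = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x660A
    return (header_ok and len(data) < 100 * 1024 and any(hits)) or all(hits)

# Exclusion data taken from the scenarios on this page; signer and parent-process
# names are constructed placeholders for the environment's own allow-list.
BENIGN_PATH_PREFIXES = ("c:\\windows\\system32\\", "c:\\logs\\", "c:\\test\\")
TRUSTED_SIGNERS = {"CN=Contoso Internal Code Signing", "CN=Example Vendor Code Signing"}
KNOWN_TOOL_PARENTS = {"splunkd.exe", "intunemanagementextension.exe"}

class FileHit(NamedTuple):
    host: str
    path: str
    signer: Optional[str]  # Authenticode signer subject, None when unsigned
    parent_process: str    # image name of the process that ran the script
    content: bytes

def exclusion_reason(hit: FileHit) -> Optional[str]:
    if hit.path.lower().startswith(BENIGN_PATH_PREFIXES):
        return "known benign directory"
    if hit.signer in TRUSTED_SIGNERS:
        return "signed by trusted certificate"
    if hit.parent_process.lower() in KNOWN_TOOL_PARENTS:
        return "launched by known tool"
    return None

def triage(hits: List[FileHit]) -> List[FileHit]:
    # Leads worth a hunt: files that match the rule and fit no documented exclusion.
    return [h for h in hits if rule_matches(h.content) and exclusion_reason(h) is None]

# Constructed sample: an Empire-style body vs. a benign maintenance script.
EMPIRE_LIKE = b'\nfunction Start-Agent {\n$wc.Headers.Add("User-Agent",$script:UserAgent)\n}'
BENIGN = b'\nfunction Invoke-Maintenance { Get-HotFix }'
SAMPLE_HITS = [FileHit("ws01", r"C:\Users\bob\AppData\Local\Temp\agent.ps1", None, "powershell.exe", EMPIRE_LIKE),
               FileHit("ws02", r"C:\Windows\System32\agent.ps1", "CN=Contoso Internal Code Signing", "svchost.exe", EMPIRE_LIKE),
               FileHit("srv01", r"C:\Logs\agent.ps1", None, "splunkd.exe", BENIGN)]
```

Running triage(SAMPLE_HITS) leaves only the ws01 copy in a user's Temp directory as a lead; the ws02 copy is dropped by the System32 path exclusion, which is why a path-based filter should be paired with the signer and process-context checks the scenarios describe.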