The hypothesis is that the detection of the Empire component file dumpCredStore.ps1 indicates an adversary is attempting to exfiltrate stored credentials from the system. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft activities early and prevent further lateral movement or persistence.
YARA Rule
rule Empire_dumpCredStore {
    meta:
        description = "Detects Empire component - file dumpCredStore.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "c1e91a5f9cc23f3626326dab2dcdf4904e6f8a332e2bce8b9a0854b371c2b350"
    strings:
        $x1 = "[DllImport(\"Advapi32.dll\", SetLastError = true, EntryPoint = \"CredReadW\"" ascii
        $s12 = "[String] $Msg = \"Failed to enumerate credentials store for user '$Env:UserName'\"" fullword ascii
        $s15 = "Rtn = CredRead(\"Target\", CRED_TYPE.GENERIC, out Cred);" fullword ascii
    condition:
        ( uint16(0) == 0x233c and filesize < 40KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
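To make the rule's condition concrete, the following is an added example (not part of the original page or of the signature-base project) that emulates the condition in plain Python: the `uint16(0) == 0x233c` check is a little-endian read of the first two bytes, i.e. the file must start with `<#` (a PowerShell block-comment opener), the 40KB size cap, and the `1 of them` / `all of them` branches. The `fullword` emulation and the sample file contents are constructed for illustration and are assumptions, not Empire code.

```python
# Added example: emulates the Empire_dumpCredStore YARA condition in plain Python so the
# logic can be stepped through without yara-python. Sample contents below are constructed.
import re

# The three strings visible in the rule, with YARA's \" escapes resolved.
X1 = b'[DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredReadW"'
S12 = b'[String] $Msg = "Failed to enumerate credentials store for user \'$Env:UserName\'"'
S15 = b'Rtn = CredRead("Target", CRED_TYPE.GENERIC, out Cred);'


def _fullword(data: bytes, pattern: bytes) -> bool:
    """Approximate YARA 'fullword': a hit must not be bordered by an alphanumeric byte."""
    for m in re.finditer(re.escape(pattern), data):
        before = data[m.start() - 1:m.start()] if m.start() > 0 else b""
        after = data[m.end():m.end() + 1]
        if not (before.isalnum() or after.isalnum()):
            return True
    return False


def match(data: bytes) -> bool:
    """( uint16(0) == 0x233c and filesize < 40KB and 1 of them ) or all of them"""
    # uint16(0) is little-endian, so 0x233c means bytes 0x3c 0x23, i.e. the text "<#".
    magic_ok = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x233C
    size_ok = len(data) < 40 * 1024
    hits = [
        X1 in data,                # $x1 is plain ascii, no fullword modifier
        _fullword(data, S12),      # $s12 fullword ascii
        _fullword(data, S15),      # $s15 fullword ascii
    ]
    return (magic_ok and size_ok and any(hits)) or all(hits)


# Constructed samples (assumptions for illustration):
SAMPLE_ONE_STRING = b"<#\n.SYNOPSIS\n demo\n#>\n" + S15 + b"\n"            # magic + one string
SAMPLE_ALL_NO_MAGIC = b"# no block comment\n" + X1 + b"\n" + S12 + b"\n" + S15 + b"\n"
SAMPLE_TOO_LARGE = SAMPLE_ONE_STRING + b"A" * (40 * 1024)                   # over the size cap
SAMPLE_PARTIAL_WORD = b"<#\n#>\n$x" + S15 + b"\n"                           # 'xRtn' breaks fullword
SAMPLE_BENIGN = b"<#\n helper\n#>\nGet-Process | Out-Null\n"

if __name__ == "__main__":
    for name, blob in [("one_string", SAMPLE_ONE_STRING), ("all_no_magic", SAMPLE_ALL_NO_MAGIC),
                       ("too_large", SAMPLE_TOO_LARGE), ("partial_word", SAMPLE_PARTIAL_WORD),
                       ("benign", SAMPLE_BENIGN)]:
        print(f"{name:13s} -> {match(blob)}")
```

The two branches behave differently: a small script beginning with `<#` is flagged on a single string, while a file that lacks the `<#` header (or exceeds 40KB) is flagged only when all three strings are present. The `fullword` sample shows why a string embedded in a longer identifier does not count toward `1 of them`.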
Scenario: Legitimate PowerShell script execution by System administrators
Description: A System administrator runs the dumpCredStore.ps1 script as part of a scheduled maintenance task to audit or manage credentials.
Filter/Exclusion: Exclude processes initiated by SYSTEM or NT AUTHORITY\SYSTEM and where the script path is within a known admin tools directory (e.g., C:\Windows\System32\ or C:\Tools\AdminScripts\).
Scenario: Scheduled job for credential management
Description: A scheduled job runs dumpCredStore.ps1 to periodically export or clean up credentials stored in the Credential Manager.
Filter/Exclusion: Exclude processes that are part of a known scheduled task (e.g., Task Scheduler or schtasks.exe) and where the script is located in a trusted directory (e.g., C:\Windows\System32\Tasks\).
Scenario: PowerShell script used for legitimate credential auditing
Description: A security team uses dumpCredStore.ps1 as part of a security assessment or audit to check for misconfigured credentials.
Filter/Exclusion: Exclude processes initiated by a known security tool or user (e.g., Local Security Authority Subsystem Service or SecurityOperationsUser) and where the script is located in a security tool directory (e.g., C:\SecurityTools\).
Scenario: Script execution during a software update or patching process
Description: A patching tool or update process runs dumpCredStore.ps1 as part of a configuration cleanup or migration task.
Filter/Exclusion: Exclude processes initiated by a known patching tool (e.g., Microsoft Update, WSUS, or SCCM) and where the script is located in a patching tool directory (e.g
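The exclusions above are conjunctive: an event is suppressed only when both the account (or parent process) and the script location are trusted. The following added example (not code from the original page) applies that logic to constructed process-creation events, the way a hunting query in Sentinel would. The event fields, the Task Scheduler parent names, and all sample events are assumptions for illustration, not real telemetry.

```python
# Added example: apply the page's false-positive exclusions to constructed process events.
# Field names (account, parent, command_line) and sample values are assumptions.
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class ProcEvent:
    account: str        # user context the process ran under
    parent: str         # parent process image name
    command_line: str   # full command line of the new process


# (trusted accounts, trusted directory prefixes) pairs taken from the scenarios above;
# BOTH conditions must hold for an event to be excluded.
EXCLUSIONS: List[Tuple[Set[str], Tuple[str, ...]]] = [
    ({"SYSTEM", "NT AUTHORITY\\SYSTEM"}, ("C:\\Windows\\System32\\", "C:\\Tools\\AdminScripts\\")),
    ({"SecurityOperationsUser"}, ("C:\\SecurityTools\\",)),
]
# Assumption: parents that indicate a scheduled task launched the script.
SCHEDULER_PARENTS = {"schtasks.exe", "taskeng.exe"}
SCHEDULER_DIRS = ("C:\\Windows\\System32\\Tasks\\",)


def script_path(cmd: str) -> Optional[str]:
    """Return the dumpCredStore.ps1 path referenced by a command line, or None."""
    m = re.search(r'([A-Za-z]:\\[^"\s]*?dumpCredStore\.ps1)', cmd, re.IGNORECASE)
    return m.group(1) if m else None


def _under(path: str, dirs: Tuple[str, ...]) -> bool:
    low = path.lower()
    return any(low.startswith(d.lower()) for d in dirs)


def is_excluded(ev: ProcEvent, path: str) -> bool:
    """True when the event matches one of the documented benign scenarios."""
    for accounts, dirs in EXCLUSIONS:
        if ev.account in accounts and _under(path, dirs):
            return True
    if ev.parent.lower() in SCHEDULER_PARENTS and _under(path, SCHEDULER_DIRS):
        return True
    return False


def hunt(events: List[ProcEvent]) -> List[ProcEvent]:
    """Return events that reference dumpCredStore.ps1 and survive every exclusion."""
    flagged = []
    for ev in events:
        path = script_path(ev.command_line)
        if path is not None and not is_excluded(ev, path):
            flagged.append(ev)
    return flagged


# Constructed sample events (assumptions):
SAMPLE_EVENTS = [
    ProcEvent("SYSTEM", "services.exe",
              "powershell.exe -File C:\\Tools\\AdminScripts\\dumpCredStore.ps1"),      # excluded
    ProcEvent("SYSTEM", "wmiprvse.exe",
              "powershell.exe -File C:\\Users\\Public\\dumpCredStore.ps1"),            # untrusted path
    ProcEvent("CORP\\jdoe", "explorer.exe",
              "powershell.exe -File C:\\SecurityTools\\dumpCredStore.ps1"),            # untrusted account
    ProcEvent("CORP\\jdoe", "explorer.exe", "powershell.exe Get-Date"),              # unrelated
    ProcEvent("NT AUTHORITY\\SYSTEM", "schtasks.exe",
              "powershell.exe -File C:\\Windows\\System32\\Tasks\\dumpCredStore.ps1"),  # excluded
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(f"FLAGGED account={ev.account} parent={ev.parent} cmd={ev.command_line}")
```

Note that a SYSTEM-context execution from a non-trusted directory and a non-security user running the script from C:\SecurityTools\ both remain in the result set; only the documented account-plus-location combinations are suppressed. Any directory added to the trusted prefixes should itself be write-protected, since an exclusion keyed on a path an ordinary user can write to would suppress exactly the events the hypothesis targets.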