The hypothesis is that the presence of the Exploit-Jenkins.ps1 file indicates potential adversarial use of Empire to exploit Jenkins servers. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise attempts and prevent lateral movement within the environment.
YARA Rule
rule Empire_Exploit_Jenkins {
   meta:
      description = "Detects Empire component - file Exploit-Jenkins.ps1"
      author = "Florian Roth"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "a5182cccd82bb9984b804b365e07baba78344108f225b94bd12a59081f680729"
   strings:
      $s1 = "$postdata=\"script=println+new+ProcessBuilder%28%27\"+$($Cmd)+\"" ascii
      $s2 = "$url = \"http://\"+$($Rhost)+\":\"+$($Port)+\"/script\"" fullword ascii
      $s3 = "$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)" fullword ascii
   condition:
      ( uint16(0) == 0x6620 and filesize < 7KB and 1 of them ) or all of them
}
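To see exactly when the rule above fires, the following added example (written for this page, not code from Florian Roth's ruleset or the Empire project) re-implements its three strings and its condition in plain Python, so the two match paths can be traced without a YARA install. The sample files are constructed for the example; the YARA semantics it reproduces are the little-endian uint16(0) read, KB meaning 1024 bytes, and fullword meaning no alphanumeric character on either side of the match.

```python
"""Pure-Python emulation of the Empire_Exploit_Jenkins YARA condition.

Added example (not from the page's author or the Empire project): it re-implements
the rule's three strings and its condition so both match paths can be traced
against constructed sample files without a YARA install.
"""
import re
import struct

YARA_KB = 1024  # YARA's "KB" suffix is 1024 bytes, so "filesize < 7KB" means < 7168

# The three strings from the rule, with the YARA \" escapes resolved to literal quotes.
# (needle, fullword): $s1 is plain ascii, $s2 and $s3 are fullword ascii.
RULE_STRINGS = {
    "$s1": (b'$postdata="script=println+new+ProcessBuilder%28%27"+$($Cmd)+"', False),
    "$s2": (b'$url = "http://"+$($Rhost)+":"+$($Port)+"/script"', True),
    "$s3": (b"$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)", True),
}


def uint16_le(data: bytes, offset: int = 0) -> int:
    """YARA uint16(offset): little-endian unsigned 16-bit read; -1 when out of range."""
    if len(data) < offset + 2:
        return -1
    return struct.unpack_from("<H", data, offset)[0]


def string_matches(data: bytes, needle: bytes, fullword: bool) -> bool:
    """YARA string semantics: plain substring, or fullword (no alphanumeric on either side)."""
    pattern = re.escape(needle)
    if fullword:
        pattern = rb"(?<![A-Za-z0-9])" + pattern + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def evaluate_rule(data: bytes) -> dict:
    """Evaluate: (uint16(0) == 0x6620 and filesize < 7KB and 1 of them) or all of them."""
    matched = [name for name, (needle, fullword) in RULE_STRINGS.items()
               if string_matches(data, needle, fullword)]
    magic_ok = uint16_le(data, 0) == 0x6620   # bytes 0x20 0x66: a file starting with " f"
    size_ok = len(data) < 7 * YARA_KB
    match = (magic_ok and size_ok and len(matched) >= 1) or len(matched) == len(RULE_STRINGS)
    return {"match": match, "strings": matched, "magic_ok": magic_ok, "size_ok": size_ok}


# Constructed samples (not real Empire files) exercising each branch of the condition.
SAMPLE_SMALL = (b" function Exploit-Jenkins {\n"          # starts with " f" -> uint16(0) == 0x6620
                b"    $Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)\n}\n")
SAMPLE_LARGE = (b"# wrapper\n"
                b'$postdata="script=println+new+ProcessBuilder%28%27"+$($Cmd)+"\n'
                b'$url = "http://"+$($Rhost)+":"+$($Port)+"/script"\n'
                b"$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)\n"
                + b"#" * 8000)                             # > 7KB and no magic: only "all of them" can fire
SAMPLE_BENIGN = (b"function Deploy-JenkinsAgent {\n"
                 b"    $encoded = [System.Web.HttpUtility]::UrlEncode($Name)\n}\n")
SAMPLE_NOT_FULLWORD = (b" function Test {\n"
                       b"$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)2\n}\n")  # trailing '2' breaks fullword

if __name__ == "__main__":
    for label, sample in [("small", SAMPLE_SMALL), ("large", SAMPLE_LARGE),
                          ("benign", SAMPLE_BENIGN), ("not-fullword", SAMPLE_NOT_FULLWORD)]:
        print(label, evaluate_rule(sample))
```

The two branches matter for triage: a small file that starts with " f" needs only one of the three strings to match, so a single hit on $s3 alone is worth a look at the rest of the file before escalating, whereas a large or differently-prefixed file only fires when all three strings are present and is a much stronger signal.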
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
Scenario: A system administrator is performing a scheduled maintenance task that involves running a legitimate PowerShell script named Exploit-Jenkins.ps1 as part of a Jenkins CI/CD pipeline configuration update.
Filter/Exclusion: Check for the presence of "Jenkins" in the script path or command-line arguments, or verify that the script is located in a known Jenkins directory (e.g., C:\Program Files (x86)\Jenkins\).
Scenario: A security team member is testing the Empire framework in a controlled lab environment, and the script Exploit-Jenkins.ps1 is being executed as part of a red team simulation.
Filter/Exclusion: Include a filter on source_ip or user that matches known internal security-testing IPs or user accounts (e.g., security-team or test-user).
Scenario: A legitimate system update or patching process includes a PowerShell script named Exploit-Jenkins.ps1 that is used to configure Jenkins agent nodes during an automated deployment.
Filter/Exclusion: Filter based on the script's location (e.g., C:\Windows\System32\) or check for the presence of "patch" or "update" in the command line or script content.
Scenario: A developer is using a third-party tool like PowerShell ISE or PowerShell Core to debug or test a script named Exploit-Jenkins.ps1 that is part of a legitimate Jenkins integration project.
Filter/Exclusion: Include a filter for ProcessName such as powershell.exe or pwsh.exe, and check for the presence of "debug" or "test" in the command-line arguments.
Scenario: A DevOps engineer is using Ansible or Chef to deploy a configuration script named Exploit-Jenkins.ps1 that is
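The following added example (written for this page, not code from the page's author or any Sentinel content pack) turns the Scenario/Filter pairs above into a triage function that runs over process events and returns a verdict per event. The event field names (Path, CommandLine, ProcessName, Account, SourceIp), the lab network range and the account allowlist are assumptions, and the events are constructed rather than real telemetry. It deliberately tightens two of the filters: the directory checks use exact path ancestry rather than a substring match on "Jenkins", and the red-team exclusion requires both the allowlisted account and a lab source address instead of either one.

```python
"""Triage of Exploit-Jenkins.ps1 sightings against the documented exclusion scenarios.

Added example, not the page's or any vendor's code. The event field names
(Path, CommandLine, ProcessName, Account, SourceIp), the lab network and the
account allowlist are assumptions; the events are constructed, not real telemetry.
"""
import ipaddress
from pathlib import PureWindowsPath

# Tight allowlists stand in for the loose "contains Jenkins" style checks in the text.
KNOWN_JENKINS_DIRS = (r"C:\Program Files (x86)\Jenkins", r"C:\Program Files\Jenkins")
KNOWN_SYSTEM_DIRS = (r"C:\Windows\System32",)
TESTING_ACCOUNTS = {"security-team", "test-user"}       # account names from the page's examples
LAB_NETWORK = ipaddress.ip_network("10.99.0.0/24")      # constructed red-team lab range
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def under_any(path: str, roots) -> bool:
    """True if path sits inside one of roots (case-insensitive directory ancestry, not substring)."""
    ancestors = {str(p).lower() for p in PureWindowsPath(path).parents}
    return any(str(PureWindowsPath(r)).lower() in ancestors for r in roots)


def triage(event: dict) -> tuple:
    """Return ("suppress", reason) when a documented benign scenario fits, else ("escalate", reason)."""
    path = event.get("Path", "")
    cmd = event.get("CommandLine", "").lower()
    proc = event.get("ProcessName", "").lower()
    account = event.get("Account", "")
    src = event.get("SourceIp")

    # Scenario 1: script executed from a known Jenkins install directory
    if under_any(path, KNOWN_JENKINS_DIRS):
        return "suppress", "scenario 1: known Jenkins directory"
    # Scenario 2: red-team lab run; requires BOTH the allowlisted account and the lab source
    if account in TESTING_ACCOUNTS and src and ipaddress.ip_address(src) in LAB_NETWORK:
        return "suppress", "scenario 2: security-testing account from lab network"
    # Scenario 3: patch/update job, only when the script also sits in a system directory
    if under_any(path, KNOWN_SYSTEM_DIRS) and ("patch" in cmd or "update" in cmd):
        return "suppress", "scenario 3: system patch/update job"
    # Scenario 4: interactive debug/test session in a PowerShell host
    if proc in POWERSHELL_HOSTS and ("debug" in cmd or "test" in cmd):
        return "suppress", "scenario 4: developer debug/test session"
    return "escalate", "no documented benign scenario applies"


def run_triage(events):
    """Map each event to its verdict; anything escalated goes to an analyst."""
    return [triage(e)[0] for e in events]


# Constructed events (not real Sentinel records): one unexplained sighting and three exclusions.
EVENTS = [
    {"Path": r"C:\Program Files (x86)\Jenkins\scripts\Exploit-Jenkins.ps1",
     "CommandLine": r"powershell.exe -File Exploit-Jenkins.ps1",
     "ProcessName": "powershell.exe", "Account": "svc-jenkins", "SourceIp": "10.1.2.3"},
    {"Path": r"C:\Users\alice\AppData\Local\Temp\Exploit-Jenkins.ps1",
     "CommandLine": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\Exploit-Jenkins.ps1",
     "ProcessName": "powershell.exe", "Account": "alice", "SourceIp": "10.1.2.3"},
    {"Path": r"C:\RedTeam\Empire\Exploit-Jenkins.ps1",
     "CommandLine": r"powershell.exe -File Exploit-Jenkins.ps1",
     "ProcessName": "powershell.exe", "Account": "security-team", "SourceIp": "10.99.0.7"},
    {"Path": r"C:\Dev\jenkins-integration\Exploit-Jenkins.ps1",
     "CommandLine": r"pwsh.exe -File Exploit-Jenkins.ps1 -Debug",
     "ProcessName": "pwsh.exe", "Account": "bob", "SourceIp": "10.1.2.9"},
]

if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run_triage(EVENTS)):
        print(verdict, event["Path"])
```

Scenarios 3 and 4 key on free-text keywords in the command line and are the weakest of the set; in production they should be paired with an account or host allowlist, as scenario 2 is here, rather than used on their own, and every suppression should still be logged so the exclusion itself can be audited.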