The hunt hypothesis detects the use of the Empire component Get-GPPPassword.ps1, which is commonly used by adversaries to extract credentials from Group Policy Preferences. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft activities and mitigate lateral movement risks.
YARA Rule
rule Empire_Get_GPPPassword {
    meta:
        description = "Detects Empire component - file Get-GPPPassword.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "55a4519c4f243148a971e4860225532a7ce730b3045bde3928303983ebcc38b0"
    strings:
        $s1 = "$Base64Decoded = [Convert]::FromBase64String($Cpassword)" fullword ascii
        $s2 = "$XMlFiles += Get-ChildItem -Path \"\\\\$DomainController\\SYSVOL\" -Recurse" ascii
        $s3 = "function Get-DecryptedCpassword {" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
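To show how the rule's condition actually evaluates (the `uint16(0)` magic check, the 30KB size bound, and the `1 of them` / `all of them` clauses), here is an added Python re-implementation of its string and condition logic; it is not part of the original page or of the rule author's tooling, and the sample files are constructed here, not real Empire artifacts.

```python
import re

# The three string patterns from the page's YARA rule, as byte literals.
# YARA's \" and \\ escapes in $s2 resolve to " and \ respectively.
# The flag marks the "fullword" modifier ($s1 and $s3 only).
STRINGS = {
    "$s1": (b"$Base64Decoded = [Convert]::FromBase64String($Cpassword)", True),
    "$s2": (b'$XMlFiles += Get-ChildItem -Path "\\\\$DomainController\\SYSVOL" -Recurse', False),
    "$s3": (b"function Get-DecryptedCpassword {", True),
}
MAX_SIZE = 30 * 1024  # "filesize < 30KB" (YARA's KB is 1024 bytes)


def _fullword_hit(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match may not be bordered by alphanumeric bytes."""
    pattern = rb"(?<![0-9A-Za-z])" + re.escape(needle) + rb"(?![0-9A-Za-z])"
    return re.search(pattern, data) is not None


def matched_strings(data: bytes) -> set:
    """Return the names of the rule's strings found in data."""
    hits = set()
    for name, (needle, fullword) in STRINGS.items():
        if (_fullword_hit(data, needle) if fullword else needle in data):
            hits.add(name)
    return hits


def rule_matches(data: bytes) -> bool:
    """Evaluate the rule's condition over a file's bytes."""
    # uint16(0) is the first two bytes read little-endian; 0x7566 is "fu",
    # so the first clause wants a file that starts with "fu" (as in "function").
    starts_with_fu = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x7566
    hits = matched_strings(data)
    return (starts_with_fu and len(data) < MAX_SIZE and len(hits) >= 1) \
        or len(hits) == len(STRINGS)


# Constructed samples (not real Empire files) that exercise each clause.
SMALL_SCRIPT = (b"function Get-DecryptedCpassword {\n"
                b"    $Base64Decoded = [Convert]::FromBase64String($Cpassword)\n}\n")
COMMENT_FIRST = b"# helper\n" + SMALL_SCRIPT   # same strings, but no "fu" at offset 0
ALL_STRINGS = COMMENT_FIRST + (b'$XMlFiles += Get-ChildItem -Path '
                               b'"\\\\$DomainController\\SYSVOL" -Recurse\n')
OVERSIZED = SMALL_SCRIPT + b"#" * MAX_SIZE    # starts with "fu" but exceeds 30KB

if __name__ == "__main__":
    for label, blob in [("small script", SMALL_SCRIPT), ("comment first", COMMENT_FIRST),
                        ("all three strings", ALL_STRINGS), ("oversized", OVERSIZED)]:
        print(f"{label:18} -> {rule_matches(blob)}")
```

Note that a padded or renamed copy of the script still matches through the `all of them` clause, while a file that merely contains one of the strings but does not start with "fu" (or is larger than 30KB) does not.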
Scenario: A system administrator is using PowerShell to manually retrieve Group Policy Preferences (GPP) passwords for audit purposes.
Filter/Exclusion: Check for the presence of Get-GPPPassword.ps1 in known admin tooling paths (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\Modules\) and exclude execution from admin user accounts or during scheduled audit tasks.
Scenario: A scheduled job runs a legitimate PowerShell script that includes the Get-GPPPassword.ps1 script for password management in a secure environment.
Filter/Exclusion: Exclude execution from scheduled tasks with known names (e.g., PasswordAuditJob) or from specific service accounts used for password management.
Scenario: A third-party security tool or endpoint detection and response (EDR) platform includes Get-GPPPassword.ps1 as part of its own PowerShell module for threat hunting.
Filter/Exclusion: Exclude execution from known EDR or security tool paths (e.g., C:\Program Files\EDR\Tools) or from processes associated with those tools.
Scenario: A Windows Update or patching process temporarily executes a PowerShell script that includes Get-GPPPassword.ps1 as part of a configuration check.
Filter/Exclusion: Exclude execution from processes related to Windows Update (e.g., wuauclt.exe, svchost.exe) or during known patching windows.
Scenario: A DevOps pipeline or CI/CD tool (e.g., Jenkins, Azure DevOps) runs a PowerShell script that includes Get-GPPPassword.ps1 for configuration validation.
Filter/Exclusion: Exclude execution from known CI/CD tool paths (e.g., C:\Program Files\Jenkins) or from processes associated with specific CI/