This hunt hypothesis covers adversary use of the Empire module Get-Keystrokes.ps1, a PowerShell keylogger that polls GetAsyncKeyState to record keystrokes (the rule's string is the line that reads the right mouse button state) and writes them to a log for later collection, which indicates credential harvesting or theft of other typed secrets. SOC teams should hunt for it in Microsoft Sentinel (formerly Azure Sentinel) to catch post-exploitation activity early, before the operator uses the captured credentials for lateral movement or exfiltrates the log.
YARA Rule
rule Empire_Get_Keystrokes {
meta:
description = "Detects Empire component - file Get-Keystrokes.ps1"
author = "Florian Roth"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "c36e71db39f6852f78df1fa3f67e8c8a188bf951e96500911e9907ee895bf8ad"
strings:
$s1 = "$RightMouse = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000" fullword ascii
condition:
( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}
The rule defines a single string, $s1: the line of Get-Keystrokes.ps1 that reads the right mouse button state through GetAsyncKeyState. Because there is only one string, "all of them" is the same as "$s1", so the header check (uint16(0) == 0x7566 is the little-endian bytes "fu", i.e. a file that starts with "function") and the 30KB size limit add no restriction: any file containing that line as a full word matches, whatever its header or size. The rule is file-based; it fits scanning scripts dropped on endpoints, mail attachments and file shares. In Sentinel the equivalent hunt is a search of PowerShell script block logging (Event ID 4104, ScriptBlockText) for the same GetAsyncKeyState/RButton fragment, which also catches the module when it is loaded in memory without touching disk. The scenarios below are the benign contexts in which the rule can fire and how to scope exclusions for them.
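To make the condition's behaviour concrete, the following is an added example (not code from the original page or from the Empire project): a pure-Python emulation of the rule's condition, including YARA's little-endian uint16 read, the 1024-byte KB suffix and the fullword boundary test, run over constructed sample files. The sample contents are invented test data; only the $s1 literal is copied from the rule above. It shows that with a single string the "all of them" branch fires on its own, and that a one-character edit to the literal evades the rule.

```python
# Added example, not code from the original page or from the Empire project:
# a pure-Python emulation of the rule's condition so the logic can be traced
# over constructed samples without a YARA install. All sample file contents
# below are constructed test data; only the $s1 literal is taken from the rule.

# The one string the rule defines.
S1 = (b"$RightMouse = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton)"
      b" -band 0x8000) -eq 0x8000")
STRINGS = {"$s1": S1}

KB = 1024  # YARA's KB suffix means 1024 bytes


def uint16_le(data: bytes, offset: int = 0):
    """YARA's uint16(offset): a little-endian 16-bit read, None if out of range."""
    if len(data) < offset + 2:
        return None
    return data[offset] | (data[offset + 1] << 8)


def fullword_in(pat: bytes, data: bytes) -> bool:
    """'fullword' match: the literal must not be flanked by alphanumeric bytes."""
    start = 0
    while (i := data.find(pat, start)) != -1:
        before = data[i - 1:i]                       # b"" at start of file
        after = data[i + len(pat):i + len(pat) + 1]  # b"" at end of file
        if not before.isalnum() and not after.isalnum():
            return True
        start = i + 1
    return False


def evaluate(data: bytes) -> dict:
    """Evaluate the rule's condition and report which clause produced the match."""
    hits = {name for name, pat in STRINGS.items() if fullword_in(pat, data)}
    header_ok = uint16_le(data) == 0x7566            # bytes 'f','u': file starts "fu..."
    size_ok = len(data) < 30 * KB
    left = header_ok and size_ok and len(hits) >= 1  # "1 of them"
    right = len(hits) == len(STRINGS)                # "all of them"
    via = "header+size+1of" if left else ("all-of-them" if right else None)
    return {"match": bool(left or right), "header_ok": header_ok,
            "size_ok": size_ok, "hits": sorted(hits), "via": via}


def empire_get_keystrokes(data: bytes) -> bool:
    return evaluate(data)["match"]


# Constructed samples (not real Empire files).
SAMPLES = {
    # Shaped like the module: starts with "function", small, contains $s1.
    "module_like": b"function Get-Keystrokes {\n    " + S1 + b"\n}\n",
    # Same payload under a comment header: uint16(0) is '#','\n', not "fu".
    "comment_header": b"# keylogger\n" + S1 + b"\n",
    # Padded past 30KB so the filesize clause fails.
    "padded": b"function Get-Keystrokes {\n" + b"#" * (40 * KB) + b"\n" + S1 + b"\n}\n",
    # Benign script starting with "function" and no keylogging string.
    "benign": b"function Get-Uptime { (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime }\n",
    # One extra space inside the expression breaks the literal: trivial evasion.
    "respaced": b"function Get-Keystrokes {\n" + S1.replace(b"-band", b" -band") + b"\n}\n",
    # Literal present but glued to a digit, so the fullword boundary test fails.
    "glued_suffix": b"function x {\n" + S1 + b"1\n}\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = evaluate(blob)
        print(f"{name:15} match={str(r['match']):5} via={r['via']} "
              f"header_ok={r['header_ok']} size_ok={r['size_ok']}")
```

The "comment_header" and "padded" samples both match only through the "all of them" branch, which is why the header and size tests in this rule are effectively dead logic; the "respaced" and "glued_suffix" samples show how narrow a single-literal signature is, which is the argument for pairing it with a script block logging hunt on the GetAsyncKeyState call rather than relying on the exact line.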
Scenario: An authorized red team or penetration test uses Empire, or the PowerSploit Get-Keystrokes.ps1 it derives from, during an approved engagement.
Filter/Exclusion: Exclude only the engagement's documented operator hosts, target scope and time window, confirmed with the engagement owner, and re-enable the alert when the window closes. Do not exclude by file name, script name or process name: those are exactly what an intruder would copy.
Scenario: Security researchers or detection engineers keep the Empire or PowerSploit source tree, or captured samples, on an analysis workstation or in a detection-content repository, so the rule fires on the file at rest.
Filter/Exclusion: Exclude the dedicated analysis hosts and repository paths by device and path. A hit anywhere else, in particular under a user profile, a temp directory or on a server, is a true positive.
Scenario: A malware sandbox or detonation host executes submitted samples, including this module, as part of its normal operation.
Filter/Exclusion: Exclude sandbox devices by name or tag; hits from them are expected and should be routed to the sample pipeline rather than to the SOC queue.
Scenario: A file scan (antivirus, DLP, backup indexing) reads a copy of the script without executing it, for example from a mail attachment or a share.
Filter/Exclusion: Triage on execution rather than on the file alone: a true positive shows powershell.exe loading the function body in script block logging (Event ID 4104) or a process started from the script path. The file at rest still warrants removal and a check of how it arrived.
There is no legitimate administrative, logging, compliance or CI/CD use of this module. Windows event logging, Get-WinEvent, Sysmon, Log Parser and Microsoft Defender for Endpoint do not capture keystrokes and never load Get-Keystrokes.ps1, so exclusions keyed on a job name, a command-line keyword or a process name (for example LogCollectionJob, EventLog, Sysmon64.exe or AzureDevOps in the environment) are attacker-controlled and should not be used.