The detection of the Empire component Get-SecurityPackages.ps1 indicates potential adversary use of PowerShell-based reconnaissance to gather security package information, which may aid in evasion or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage adversary activity and prevent further compromise.
YARA Rule
rule Empire_Get_SecurityPackages {
   meta:
      description = "Detects Empire component - file Get-SecurityPackages.ps1"
      author = "Florian Roth"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "5d06e99121cff9b0fce74b71a137501452eebbcd1e901b26bde858313ee5a9c1"
   strings:
      $s1 = "$null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)" fullword ascii
      $s2 = "$EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])" fullword ascii
   condition:
      ( uint16(0) == 0x7566 and filesize < 20KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts; each scenario below describes legitimate activity that may match the rule, together with a suggested filter or exclusion.
This rule contains 4 string patterns in its detection logic.
Scenario: A system administrator is running a legitimate PowerShell script to audit security packages as part of a routine compliance check.
Filter/Exclusion: Check for the presence of a known legitimate script (e.g., Get-SecurityPackages.ps1 from Microsoft’s Security Compliance Manager) and verify the script’s source path matches a trusted enterprise repository.
Scenario: A scheduled job is configured to run a PowerShell script that is part of a security monitoring tool, which includes a file named Get-SecurityPackages.ps1.
Filter/Exclusion: Filter by the job name or the path of the script, ensuring it originates from a known security tool or enterprise monitoring system.
Scenario: A third-party security tool or endpoint protection platform includes a script named Get-SecurityPackages.ps1 as part of its configuration or remediation process.
Filter/Exclusion: Exclude scripts that are located in directories associated with known security tools (e.g., C:\Program Files\Microsoft Security Compliance Manager\).
Scenario: An IT admin is manually executing a script to check for security package configurations during a security incident response.
Filter/Exclusion: Use process parent filtering to exclude scripts executed from known administrative tools (e.g., PowerShell.exe launched from Taskmgr.exe or mmc.exe).
Scenario: A PowerShell module or module update process includes a file named Get-SecurityPackages.ps1 as part of a module installation or upgrade.
Filter/Exclusion: Exclude files that are part of a known module update or installation process, such as those located in the PSModulePath directory or within a temporary installation folder.
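As an added illustration (not part of the original page or of the Empire project), the following Python re-implements the rule's condition on raw file bytes and then applies the path- and parent-process exclusions from the scenarios above to a hit; the PSModulePath directory, the sample script and the file paths are constructed assumptions.

```python
import re
from dataclasses import dataclass

# The rule's two strings; 'fullword' is approximated with alphanumeric boundary lookarounds.
STRINGS = {
    "$s1": b"$null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)",
    "$s2": b"$EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])",
}
# Exclusion data taken from the scenarios above; the module directory is a constructed example.
TRUSTED_DIRS = (
    "C:\\Program Files\\Microsoft Security Compliance Manager\\",
    "C:\\Program Files\\WindowsPowerShell\\Modules\\",
)
ADMIN_PARENTS = {"taskmgr.exe", "mmc.exe"}  # known administrative launchers of PowerShell.exe

@dataclass
class Hit:
    path: str    # full path of the scanned file
    parent: str  # parent process of the PowerShell.exe that ran it ("" if unknown)

def matched_strings(data: bytes) -> set:
    """Returns the identifiers of rule strings present in data as full words."""
    found = set()
    for ident, s in STRINGS.items():
        if re.search(rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])", data):
            found.add(ident)
    return found

def rule_matches(data: bytes) -> bool:
    """Mirrors the condition: (uint16(0) == 0x7566 and filesize < 20KB and 1 of them) or all of them."""
    m = matched_strings(data)
    starts_fu = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x7566  # "fu" as in "function"
    return (starts_fu and len(data) < 20 * 1024 and len(m) >= 1) or m == set(STRINGS)

def triage(hit: Hit) -> str:
    """Applies the documented exclusions to a rule hit; anything not excluded is escalated."""
    p = hit.path.lower()
    if any(p.startswith(d.lower()) for d in TRUSTED_DIRS):
        return "excluded:trusted-path"
    if hit.parent.lower() in ADMIN_PARENTS:
        return "excluded:admin-parent"
    return "escalate"

if __name__ == "__main__":
    # Constructed sample: a script carrying both strings, dropped in a user temp folder.
    sample = (b"function Get-SecurityPackages {\n"
              b"    $EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])\n"
              b"    $null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)\n}\n")
    hit = Hit("C:\\Users\\bob\\AppData\\Local\\Temp\\Get-SecurityPackages.ps1", "cmd.exe")
    if rule_matches(sample):
        print(hit.path, "->", triage(hit))  # escalate
```

Excluded hits should still be logged rather than silently dropped, since a path-only exclusion is defeated by a file placed in a trusted directory.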