The detection of the Install-SSP.ps1 file may indicate the presence of the Empire framework being used to establish persistence or execute malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversary activity that could lead to long-term access or data exfiltration.
YARA Rule
rule Empire_Install_SSP {
    meta:
        description = "Detects Empire component - file Install-SSP.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "7fd921a23950334257dda57b99e03c1e1594d736aab2dbfe9583f99cd9b1d165"
    strings:
        $s1 = "Install-SSP -Path .\\mimilib.dll" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 20KB and 1 of them ) or all of them
}
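To make the rule's condition concrete, the following is an added Python re-implementation of its clauses (this is example code written for this page, not code from the Empire project or from the rule's author), run over constructed sample file contents. The sample bytes, the 20KB threshold handling and the approximation of YARA's fullword modifier as "not adjacent to an alphanumeric character" are assumptions of the example; no YARA library is needed. It also shows a property of the rule worth knowing when tuning it: because only one string is declared, "1 of them" and "all of them" are the same test, so the magic-byte and file-size clauses never restrict a match.

```python
import re
import struct
from typing import Dict, Optional

# The single string the rule carries, exactly as declared ($s1).
S1 = b"Install-SSP -Path .\\mimilib.dll"
# YARA 'fullword': the match must not be adjacent to alphanumeric characters.
S1_FULLWORD = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(S1) + rb"(?![A-Za-z0-9])")

# Constructed sample contents (not real Empire files): SUSPECT mimics a script
# that starts with "function" and carries the usage line; BENIGN is an
# unrelated script that merely shares the file name.
SUSPECT = b"function Install-SSP {\n    param($Path)\n}\nInstall-SSP -Path .\\mimilib.dll\n"
BENIGN = b"# Install-SSP.ps1 - internal build helper\nparam($Path)\nWrite-Host $Path\n"
LARGE_SUSPECT = SUSPECT + b"#" * 25_000             # pushes the file past 20KB
PARTIAL_WORD = b"Install-SSP -Path .\\mimilib.dllx"  # trailing 'x' defeats fullword


def uint16_le(data: bytes, offset: int = 0) -> Optional[int]:
    """YARA's uint16(offset): little-endian, None when out of range."""
    if offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def evaluate(data: bytes) -> Dict[str, bool]:
    """Break the rule's condition into its clauses so each can be inspected."""
    magic_ok = uint16_le(data, 0) == 0x7566   # bytes 'f','u': file begins with "function"
    size_ok = len(data) < 20 * 1024
    s1 = S1_FULLWORD.search(data) is not None
    one_of_them = s1                          # only one string is declared,
    all_of_them = s1                          # so '1 of them' == 'all of them'
    match = (magic_ok and size_ok and one_of_them) or all_of_them
    return {"magic_ok": magic_ok, "size_ok": size_ok, "s1": s1, "match": match}


def matches_empire_install_ssp(data: bytes) -> bool:
    """True when the Empire_Install_SSP condition holds for this content."""
    return evaluate(data)["match"]


if __name__ == "__main__":
    samples = [("SUSPECT", SUSPECT), ("BENIGN", BENIGN),
               ("LARGE_SUSPECT", LARGE_SUSPECT), ("PARTIAL_WORD", PARTIAL_WORD)]
    for name, blob in samples:
        print(f"{name:14} {evaluate(blob)}")
```

Running it shows LARGE_SUSPECT matching even though its size clause is false; a rule tuned to fire only on small "function"-prefixed scripts would need a second string so that the "all of them" branch means more than $s1 alone.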
This rule contains one string pattern ($s1) in its detection logic. The following scenarios describe contexts in which this YARA rule may fire on legitimate activity, each with a filter or exclusion that separates that activity from Empire usage.
Scenario: A system administrator is deploying a legitimate PowerShell script named Install-SSP.ps1 as part of a software update process.
Filter/Exclusion: Check for a known legitimate script path, such as C:\SoftwareUpdates\Install-SSP.ps1, and ensure the script is signed by a trusted certificate or by a known internal signing authority.
Scenario: A scheduled job runs the Install-SSP.ps1 script as part of a regular maintenance task, such as patch management or configuration synchronization.
Filter/Exclusion: Filter by the job name or ID, such as ScheduledJob-UpdateManager, and check if the script is executed under a service account with known administrative privileges.
Scenario: A third-party tool or service (e.g., Microsoft Intune, SCCM, or Azure DevOps) executes the Install-SSP.ps1 script during a deployment or configuration process.
Filter/Exclusion: Filter on the source of the execution, such as a parent process like msiexec.exe, powershell.exe launched with a known command-line argument, or an originating IP address belonging to a trusted management system.
Scenario: A developer or DevOps team uses the Install-SSP.ps1 script as part of a CI/CD pipeline to configure a test or staging environment.
Filter/Exclusion: Filter by the user account (e.g., devops-user) or the execution context (e.g., C:\CI_CD\scripts\Install-SSP.ps1), and verify the script is part of a known development or testing environment.
Scenario: A system is running a legitimate PowerShell module or script that coincidentally shares the same name as the Empire component (Install-SSP.ps1).
Filter/Exclusion: Check for the presence of a module or script path that
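The exclusions above only reduce noise safely if each one combines at least two attributes of the event, since a file name or path alone is trivial for an adversary to reproduce. The following added Python triage routine (example code for this page, not part of any Sentinel content pack or of the Empire project) applies those scenarios to constructed process events shaped like Azure Sentinel DeviceProcessEvents rows. The signer name, service account, SCCM client process name, management subnet and the Signer/JobName enrichment fields are assumptions of the example, and the scenario 3 exclusion is tightened to require a known script path alongside the management-tool source.

```python
import ipaddress
from typing import Dict, List, Tuple

# Allow-list built from the exclusion scenarios above. The signer name,
# service account, SCCM client process and management subnet are constructed
# placeholders for illustration, not values from any real environment.
KNOWN_SCRIPT_PATHS = {
    "c:\\softwareupdates\\install-ssp.ps1",
    "c:\\ci_cd\\scripts\\install-ssp.ps1",
}
TRUSTED_SIGNERS = {"contoso internal code signing"}      # constructed
KNOWN_JOB_NAMES = {"scheduledjob-updatemanager"}
ADMIN_SERVICE_ACCOUNTS = {"svc-patchmgmt"}               # constructed
CI_ACCOUNTS = {"devops-user"}
CI_ROOT = "c:\\ci_cd\\"
MANAGEMENT_PROCESSES = {"msiexec.exe", "ccmexec.exe"}     # ccmexec.exe: SCCM client (assumed)
MANAGEMENT_NET = ipaddress.ip_network("10.20.0.0/24")    # constructed

Event = Dict[str, str]


def in_management_net(ip: str) -> bool:
    """True when the source address falls inside the trusted management subnet."""
    try:
        return ipaddress.ip_address(ip) in MANAGEMENT_NET
    except ValueError:          # empty or malformed address
        return False


def triage(event: Event) -> Tuple[str, str]:
    """Return ('alert' | 'exclude', reason) for one process event."""
    path = event.get("FolderPath", "").lower()
    cmd = event.get("ProcessCommandLine", "").lower()
    account = event.get("AccountName", "").lower()
    parent = event.get("InitiatingProcessFileName", "").lower()
    signer = event.get("Signer", "").lower()
    job = event.get("JobName", "").lower()
    src_ip = event.get("RemoteIP", "")

    # The string the YARA rule keys on: no maintenance task needs mimilib.dll,
    # so this overrides every exclusion below.
    if "mimilib.dll" in cmd:
        return "alert", "command line references mimilib.dll"

    known_path = path in KNOWN_SCRIPT_PATHS
    # Scenario 1: a path alone is spoofable, so require the trusted signature too.
    if known_path and signer in TRUSTED_SIGNERS:
        return "exclude", "known path with trusted signer"
    # Scenario 2: job name plus the service account it is expected to run under.
    if job in KNOWN_JOB_NAMES and account in ADMIN_SERVICE_ACCOUNTS:
        return "exclude", "known scheduled job under service account"
    # Scenario 3: management tooling (parent process or source network) and a known path.
    if known_path and (parent in MANAGEMENT_PROCESSES or in_management_net(src_ip)):
        return "exclude", "deployed by management tooling"
    # Scenario 4: CI/CD account running from the CI tree.
    if account in CI_ACCOUNTS and path.startswith(CI_ROOT):
        return "exclude", "CI/CD pipeline context"
    return "alert", "no exclusion matched"


# Constructed events in the shape of Sentinel DeviceProcessEvents rows
# (field names follow that table; Signer and JobName are assumed enrichments).
SAMPLE_EVENTS: List[Event] = [
    {"DeviceName": "pc-01", "AccountName": "svc-patchmgmt", "FolderPath": "C:\\SoftwareUpdates\\Install-SSP.ps1",
     "ProcessCommandLine": "powershell.exe -File C:\\SoftwareUpdates\\Install-SSP.ps1",
     "InitiatingProcessFileName": "taskhostw.exe", "Signer": "Contoso Internal Code Signing", "JobName": ""},
    {"DeviceName": "pc-02", "AccountName": "jdoe", "FolderPath": "C:\\SoftwareUpdates\\Install-SSP.ps1",
     "ProcessCommandLine": "powershell.exe -File C:\\SoftwareUpdates\\Install-SSP.ps1",
     "InitiatingProcessFileName": "explorer.exe", "Signer": "", "JobName": ""},
    {"DeviceName": "pc-03", "AccountName": "jdoe", "FolderPath": "C:\\Users\\jdoe\\Downloads\\Install-SSP.ps1",
     "ProcessCommandLine": "powershell.exe -c \"Install-SSP -Path .\\mimilib.dll\"",
     "InitiatingProcessFileName": "cmd.exe", "Signer": "", "JobName": ""},
    {"DeviceName": "build-01", "AccountName": "devops-user", "FolderPath": "C:\\CI_CD\\scripts\\Install-SSP.ps1",
     "ProcessCommandLine": "powershell.exe -File C:\\CI_CD\\scripts\\Install-SSP.ps1",
     "InitiatingProcessFileName": "agent.exe", "Signer": "", "JobName": ""},
    {"DeviceName": "pc-04", "AccountName": "system", "FolderPath": "C:\\SoftwareUpdates\\Install-SSP.ps1",
     "ProcessCommandLine": "powershell.exe -File C:\\SoftwareUpdates\\Install-SSP.ps1",
     "InitiatingProcessFileName": "ccmexec.exe", "Signer": "", "JobName": "", "RemoteIP": "10.20.0.5"},
]


def triage_all(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Apply triage() to every event and pair each verdict with its device."""
    return [(e["DeviceName"], *triage(e)) for e in events]


if __name__ == "__main__":
    for device, verdict, reason in triage_all(SAMPLE_EVENTS):
        print(f"{device:10} {verdict:8} {reason}")
```

The second sample event is the instructive one: it sits at the known update path but carries no trusted signature, so it is still raised, which is the behaviour the scenario 1 exclusion intends. The same pairing logic can be expressed as a Sentinel hunting query, with the mimilib.dll check kept outside every exclusion.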