The detection identifies potential Empire module usage associated with credential injection and Mimikatz execution, which are commonly used for credential harvesting and lateral movement. SOC teams should proactively hunt for this behavior to identify and mitigate advanced persistent threat (APT) activities leveraging PowerShell-based attack vectors in their Azure Sentinel environment.
YARA Rule
rule Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen {
   meta:
      description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1"
      author = "Florian Roth"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
      hash2 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
   strings:
      $s1 = "$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle" fullword ascii
      $s2 = "$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs" fullword ascii
   condition:
      ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns ($s1 and $s2) in its detection logic. Both are the reflective PE loader call shared by the two scripts, and $s2 is a prefix of $s1, so a file containing $s1 satisfies "all of them" on its own. The first condition branch additionally requires the file to begin with the bytes "fu" (uint16(0) == 0x7566 read little-endian, i.e. a script that opens with "function") and to be smaller than 4000KB; the filesize limit does not apply to the "all of them" branch.
Scenario: Legitimate PowerShell Script Execution
Description: A system administrator runs a legitimate PowerShell script that carries the same Invoke-MemoryLoadLibrary loader line as the two Empire scripts (for example a vetted in-house copy of a reflective PE loader). The rule matches on file content, not on file names or log text: a script that merely references the name Invoke-CredentialInjection.ps1 in a path, comment or log message does not trigger it.
Filter/Exclusion: Exclude only a documented combination of trusted script location and execution context, and prefer a file hash or Authenticode signature over either. Administrator context and directory alone are weak signals, because Mimikatz itself needs local administrator rights and an attacker holding them can write to C:\Windows\System32\ and C:\Program Files\. A filter like:
(ProcessUser == "Administrators") && (FileDirectory == "C:\\Windows\\System32\\" || FileDirectory == "C:\\Program Files\\")
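To make the condition above concrete, and to show why a script that only references the name Invoke-CredentialInjection.ps1 (the scenario just described) does not fire, here is an added Python re-implementation of the rule's condition run over constructed sample buffers. This is example code written for this page, not part of Florian Roth's signature-base or of the Empire project; it mirrors YARA semantics for uint16(0) (little-endian), the KB suffix (1024 bytes) and the fullword modifier (no ASCII alphanumeric character on either side of the match). The sample files and their names are constructed for illustration.

```python
import re

# Strings and thresholds copied from the rule above.
S1 = (b"$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes "
      b"-ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle")
S2 = b"$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs"
MAX_SIZE = 4000 * 1024   # YARA's KB suffix means 1024 bytes
HEADER = 0x7566          # uint16(0) little-endian: bytes 0x66 0x75 == b"fu" ("function")


def fullword_count(data: bytes, needle: bytes) -> int:
    """Count occurrences that satisfy YARA's fullword modifier: the match must
    not be directly preceded or followed by an ASCII alphanumeric character."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return len(re.findall(pattern, data))


def evaluate(data: bytes) -> dict:
    """Evaluate the rule's condition on one file image and return each sub-term."""
    s1 = fullword_count(data, S1) > 0
    s2 = fullword_count(data, S2) > 0
    header_ok = len(data) >= 2 and int.from_bytes(data[:2], "little") == HEADER
    size_ok = len(data) < MAX_SIZE
    one_of_them = s1 or s2
    all_of_them = s1 and s2
    matched = (header_ok and size_ok and one_of_them) or all_of_them
    return {
        "s1": s1, "s2": s2, "header_ok": header_ok,
        "size_ok": size_ok, "matched": matched,
    }


# Constructed sample files (not real malware, not files from the page).
SAMPLES = {
    # Starts with "function" (uint16(0) == 0x7566) and carries $s2: first branch fires.
    "loader_with_s2": b"function Invoke-CredentialInjection {\n    " + S2 + b"\n}\n",
    # Does not start with "fu", but $s1 contains $s2 as a fullword substring, so
    # "all of them" is satisfied by $s1 alone and the header/size branch is bypassed.
    "comment_first_with_s1": b"# loader\n" + S1 + b"\n",
    # The scenario above: only the script *name* appears, never the loader line. No match.
    "name_only": b"function Wrapper {\n    Import-Module .\\Invoke-CredentialInjection.ps1\n}\n",
    # $s2 glued to an alphanumeric character fails the fullword requirement.
    "not_fullword": b"function X {\n" + S2 + b"X\n}\n",
    # Over 4000KB with a single string: the first branch fails on filesize and
    # "all of them" also needs $s1, so this does not match.
    "oversized_with_s2": b"function Big {\n" + S2 + b"\n" + b"#" * MAX_SIZE,
}


def run_samples() -> dict:
    """Map each constructed sample to whether the rule would match it."""
    return {name: evaluate(data)["matched"] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in run_samples().items():
        print(f"{name:24s} -> {'MATCH' if hit else 'no match'}")
```

For real scans run yara or yara-python against the rule text itself; this block only makes the branch logic visible. Two points worth remembering when tuning: the filesize ceiling constrains only the first branch, so a large file that contains $s1 (and therefore $s2) still matches via "all of them", and none of the sub-terms look at the file name, so name-based exclusions do not reduce matches from this rule.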
Scenario: Scheduled Job for Credential Harvesting (Legitimate Use)
Description: A scheduled job runs a script that contains the same loader code as Invoke-Mimikatz.ps1 as part of a documented credential management or auditing process.
Filter/Exclusion: Exclude only a specific, documented job, identified by its job name or job ID together with the executing account, and require both conditions rather than either one: a substring such as "CredentialManagement" in a job name or "IT-Admin" in a user name is trivial for an attacker to imitate. Use a filter like:
(JobName contains "CredentialManagement") && (ProcessUser contains "IT-Admin")
Scenario: PowerShell Module Import (Legitimate)
Description: A PowerShell module that exports a function named Invoke-CredentialInjection is imported, and the module file itself contains the loader string the rule looks for.
Filter/Exclusion: Exclude modules that come from a trusted internal repository and carry a valid Authenticode signature from a known publisher. Back the publisher check with the signature result (for example Get-AuthenticodeSignature reporting Valid) rather than a publisher substring alone, since the publisher string in an unsigned or self-signed file is attacker-controlled text. Use a filter like:
(ModulePath contains "PSModuleRepository") && (ModulePublisher contains "Microsoft")
Scenario: Mimikatz Used for Security Auditing (Legitimate)
Description: A security team is using Mimikatz