The hypothesis is that a detection of the Empire component Invoke-DllInjection.ps1 indicates potential process injection on the host: the script (originally part of PowerSploit and bundled with Empire) loads a DLL into the memory space of another process so that attacker code runs under that process's identity, a technique adversaries use for defense evasion and privilege escalation rather than for lateral movement as such. A SOC team should proactively hunt for this artifact in Azure Sentinel (now Microsoft Sentinel) to identify and contain intrusions that rely on PowerShell-based injection to slip past process-centric detection.
YARA Rule
rule Empire_Invoke_DllInjection {
    meta:
        description = "Detects Empire component - file Invoke-DllInjection.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0"
    strings:
        $s1 = "-Dll evil.dll" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 40KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains a single string pattern in its detection logic: $s1, the literal "-Dll evil.dll" taken from the script's own usage example, matched as a full word (not bordered by alphanumeric characters). The first branch of the condition additionally requires the file to start with the bytes "fu" (0x7566 read little-endian, i.e. a script beginning with "function") and to be under 40KB, but with only one string defined, "1 of them" and "all of them" are the same test, so the second branch subsumes the first: the header and size guards never change the outcome, and any file containing the string at a word boundary matches.
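To make the condition concrete, here is an added example (my own code, not from the page or from the signature-base repository) that re-implements the rule's logic in plain Python and runs it over constructed sample files. The sample contents, including the PowerShell-like text, are made up for the demonstration; yara-python would be the normal tool, but this version needs only the standard library and makes it visible why the header and size guard never affects the verdict.

```python
import hashlib

# Added example: a standard-library re-implementation of the condition in
# Empire_Invoke_DllInjection (not code from the page or from signature-base).
# The sample files further down are constructed for the demonstration.

S1 = b"-Dll evil.dll"      # the rule's only string, $s1 (fullword ascii)
MAX_SIZE = 40 * 1024       # YARA's "40KB" means 40 * 1024 bytes
HEADER = 0x7566            # uint16(0) of b"fu" read little-endian, i.e. "function..."


def uint16(data: bytes, offset: int = 0):
    """YARA's uint16(offset): little-endian; None if the read runs off the end."""
    if len(data) < offset + 2:
        return None
    return int.from_bytes(data[offset:offset + 2], "little")


def _is_alnum(byte: int) -> bool:
    """ASCII [0-9A-Za-z], the character class YARA uses for fullword boundaries."""
    return 48 <= byte <= 57 or 65 <= byte <= 90 or 97 <= byte <= 122


def fullword_ascii(data: bytes, needle: bytes) -> bool:
    """True if needle occurs in data not bordered by alphanumeric characters."""
    start = data.find(needle)
    while start != -1:
        end = start + len(needle)
        before_ok = start == 0 or not _is_alnum(data[start - 1])
        after_ok = end == len(data) or not _is_alnum(data[end])
        if before_ok and after_ok:
            return True
        start = data.find(needle, start + 1)
    return False


def evaluate(data: bytes) -> dict:
    """Evaluate the rule and report which branch of the condition fired."""
    s1 = fullword_ascii(data, S1)
    # ( uint16(0) == 0x7566 and filesize < 40KB and 1 of them )
    guarded = uint16(data) == HEADER and len(data) < MAX_SIZE and s1
    # "all of them" with a single string is simply $s1, so this branch
    # subsumes the guarded one: the header and size checks never matter.
    unguarded = s1
    return {
        "match": guarded or unguarded,
        "guarded_branch": guarded,
        "string_only_branch": unguarded and not guarded,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


# Constructed samples (not real Empire files).
EMPIRE_LIKE = (
    b"function Invoke-DllInjection\n{\n<#\n.EXAMPLE\n"
    b"C:\\PS> Invoke-DllInjection -ProcessID 4274 -Dll evil.dll\n#>\n}\n"
)
WITH_BOM = b"\xef\xbb\xbf" + EMPIRE_LIKE        # UTF-8 BOM: uint16(0) is 0xbbef, not 0x7566
OVERSIZED = EMPIRE_LIKE + b"#" * MAX_SIZE       # same content padded past 40KB
BENIGN = b"function Get-Uptime { (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime }\n"
NEAR_MISS = b"function Test { Write-Host 'my-Dll evil.dll' }\n"   # 'y' borders the match

SAMPLES = {"empire_like": EMPIRE_LIKE, "with_bom": WITH_BOM,
           "oversized": OVERSIZED, "benign": BENIGN, "near_miss": NEAR_MISS}


def scan_samples() -> dict:
    """Evaluate every constructed sample; returns name -> result dict."""
    return {name: evaluate(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name:12} match={result['match']!s:5} "
              f"guarded={result['guarded_branch']!s:5} sha256={result['sha256'][:16]}...")
```

The BOM-prefixed and oversized samples are the instructive ones: both fail the guarded branch yet still match through "all of them", which is why tuning this rule by file size or header is pointless, and why the exclusion work has to happen on the match side (hash and location of the file) rather than in the rule.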
Scenario: An authorized red-team or penetration-testing engagement keeps copies of Empire or PowerSploit (including Invoke-DllInjection.ps1) on operator workstations or an engagement share.
Filter/Exclusion: Exclude by the SHA-256 of the vetted copy combined with its sanctioned location and the engagement window, not by script name: a renamed copy still contains the "-Dll evil.dll" string and is still the same tool. Field names such as process.name, script.name or script.path in these notes are illustrative, not a Sentinel schema.
Scenario: Security research, training labs, or detection-engineering repositories (a clone of the Empire or PowerSploit repository, a signature test corpus) live on analyst systems.
Filter/Exclusion: Allowlist the repository or lab directory path and require the file hash to match the known upstream version; a match under a user profile, Temp, or ProgramData directory should escalate even when the hash is known, because that is where a copied tool lands on a victim host.
Scenario: An anti-malware or EDR product holds captured copies of the script in its quarantine or sample store.
Filter/Exclusion: Exclude the product's documented quarantine and sample directories by path. The product itself does not execute Empire scripts, so a filter on process.name for the product is not the right exclusion.
Scenario: A system administrator runs a legitimate debugging or testing script that injects a DLL (e.g. a custom Debug-Process.ps1), and the hit is assumed to be that script.
Filter/Exclusion: No exclusion is needed on script name. This rule matches file content, not behaviour: a script that does not contain the literal "-Dll evil.dll" will not trigger it, and a file that does contain it is derived from the Empire/PowerSploit source and should be reviewed as such.
Scenario: A development team is using PowerShell to deploy or test a custom application that requires DLL injection for compatibility or testing.
Filter/Exclusion: Check for the presence of a known development tool or project directory (e.g
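As an added illustration of the exclusion logic for the scenarios above (my own code, not from the page or from any product), the following Python triages constructed YARA match records against a policy that keys on content hash plus sanctioned location instead of script name. The match fields, policy values, hosts, paths and hashes are all invented for the example; a real deployment would populate them from the scanner's output and from the engagement or lab inventory.

```python
import hashlib
from dataclasses import dataclass

# Added example (not from the page). Field names, paths and policy values are
# assumptions constructed for the demonstration, not a Sentinel/EDR schema.


@dataclass(frozen=True)
class YaraMatch:
    rule: str
    host: str
    path: str
    sha256: str


# Constructed policy. The hash is of made-up content standing in for the
# reviewed copy of Invoke-DllInjection.ps1 an engagement or lab may hold.
VETTED_HASHES = {
    hashlib.sha256(b"constructed stand-in for the vetted engagement copy").hexdigest(),
}
SANCTIONED_PREFIXES = ("c:\\redteam\\engagement-2024\\", "c:\\lab\\powersploit\\")
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")


def triage(m: YaraMatch) -> tuple:
    """Return (decision, severity, reason) for one match.

    Suppression requires BOTH a vetted hash and a sanctioned path: a path-only
    allowlist is defeated by dropping a file into the allowed directory, and a
    hash-only allowlist would silence the same tool once copied to a victim.
    """
    path = m.path.lower()
    vetted = m.sha256 in VETTED_HASHES
    sanctioned = path.startswith(SANCTIONED_PREFIXES)

    if vetted and sanctioned:
        return ("suppress", "info", "vetted copy in a sanctioned location")
    if sanctioned:
        return ("escalate", "high", "unvetted content in a sanctioned location (tool replaced or tampered?)")
    if path.startswith(USER_WRITABLE_PREFIXES):
        return ("escalate", "critical", "Empire component in a user-writable location")
    if vetted:
        return ("escalate", "high", "known tool copied outside sanctioned locations")
    return ("escalate", "high", "unknown Empire component")


# Constructed match records, as a file scanner might report them.
VETTED = next(iter(VETTED_HASHES))
UNKNOWN = hashlib.sha256(b"constructed stand-in for an attacker's copy").hexdigest()
RULE = "Empire_Invoke_DllInjection"
MATCHES = [
    YaraMatch(RULE, "redteam-ws01", "C:\\RedTeam\\Engagement-2024\\Invoke-DllInjection.ps1", VETTED),
    YaraMatch(RULE, "redteam-ws01", "C:\\RedTeam\\Engagement-2024\\Invoke-DllInjection.ps1", UNKNOWN),
    # Renamed to look like a debugging helper; the content hash is what matters.
    YaraMatch(RULE, "fileserver02", "C:\\Users\\svc_backup\\AppData\\Local\\Temp\\Debug-Process.ps1", VETTED),
    YaraMatch(RULE, "hr-laptop17", "C:\\ProgramData\\update.ps1", UNKNOWN),
    YaraMatch(RULE, "build-agent03", "D:\\tools\\Invoke-DllInjection.ps1", VETTED),
]


def triage_all(matches=MATCHES) -> list:
    """Triage every record; returns (host, path, decision, severity, reason) tuples."""
    return [(m.host, m.path) + triage(m) for m in matches]


if __name__ == "__main__":
    for host, path, decision, severity, reason in triage_all():
        print(f"{decision:8} {severity:8} {host:14} {path}  ({reason})")
```

Only the first record is suppressed. The third shows why a filter like script.name == "Debug-Process.ps1" is the wrong tool: the file is the vetted Empire script under a new name in a Temp directory, and the hash-plus-location check escalates it as critical.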