The hypothesis is that the presence of the Invoke-EgressCheck.ps1 file indicates potential adversary use of the Empire framework to establish covert communication channels. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify early-stage compromise and prevent data exfiltration.
YARA Rule
rule Empire_Invoke_EgressCheck {
    meta:
        description = "Detects Empire component - file Invoke-EgressCheck.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "e2d270266abe03cfdac66e6fc0598c715e48d6d335adf09a9ed2626445636534"
    strings:
        $s1 = "egress -ip $ip -port $c -delay $delay -protocol $protocol" fullword ascii
    condition:
        ( uint16(0) == 0x233c and filesize < 10KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 1 string pattern in its detection logic.
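To make the rule's condition concrete, the following added example (not from the original page or the Empire project) re-implements its logic in Python over two constructed PowerShell files: one that mimics the module's call site and one benign admin script with the same `<#` comment header. The sample file contents, names and helper functions are assumptions for illustration; the string, header value and size limit are taken from the rule above.

```python
import re
from typing import Optional

# Values taken from the YARA rule above.
RULE_STRINGS = {
    "s1": b"egress -ip $ip -port $c -delay $delay -protocol $protocol",
}
MAX_FILESIZE = 10 * 1024        # YARA "10KB"
PS_COMMENT_HEADER = 0x233C      # uint16(0) little-endian == b"<#" (PowerShell block comment)

# Constructed samples (assumptions, not real files from the page or from Empire).
EMPIRE_LIKE = (
    b"<#\n .SYNOPSIS\n Constructed look-alike of Invoke-EgressCheck.ps1\n#>\n"
    b"function Invoke-EgressCheck {\n"
    b"    egress -ip $ip -port $c -delay $delay -protocol $protocol\n"
    b"}\n"
)
BENIGN_SCRIPT = (
    b"<#\n .SYNOPSIS\n Routine connectivity check\n#>\n"
    b"Test-NetConnection -ComputerName fileserver -Port 445\n"
)


def uint16_at(data: bytes, offset: int) -> Optional[int]:
    """Emulate YARA uint16(offset): little-endian, undefined (None) if out of bounds."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return int.from_bytes(data[offset:offset + 2], "little")


def fullword_ascii(data: bytes, needle: bytes) -> bool:
    """Emulate 'fullword ascii': the needle must not be bordered by alphanumeric bytes."""
    pat = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pat, data) is not None


def matched_strings(data: bytes) -> set:
    """Names of rule strings found in the data ($s1 here)."""
    return {name for name, s in RULE_STRINGS.items() if fullword_ascii(data, s)}


def empire_invoke_egresscheck(data: bytes) -> bool:
    """Evaluate the rule condition:
    ( uint16(0) == 0x233c and filesize < 10KB and 1 of them ) or all of them
    """
    hits = matched_strings(data)
    header_ok = uint16_at(data, 0) == PS_COMMENT_HEADER
    size_ok = len(data) < MAX_FILESIZE
    left = header_ok and size_ok and len(hits) >= 1   # "1 of them"
    right = len(hits) == len(RULE_STRINGS)            # "all of them"
    return left or right


def scan(samples: dict) -> dict:
    """Map each sample name to whether the rule fires on it."""
    return {name: empire_invoke_egresscheck(data) for name, data in samples.items()}


if __name__ == "__main__":
    results = scan({"empire_like": EMPIRE_LIKE, "benign": BENIGN_SCRIPT})
    for name, hit in results.items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

One property the re-implementation makes visible: because the rule defines a single string, `all of them` is satisfied by exactly the same files as `1 of them`, so the `<#` header and the 10KB size limit on the left-hand side never actually restrict a match. A file containing `$s1` still matches after padding past 10KB or after the first two bytes are changed, which is worth knowing when you estimate how noisy the rule will be on large script bundles or log files that happen to embed the string.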
Scenario: A system administrator is using PowerShell to perform a legitimate network connectivity test using Test-NetConnection as part of a routine network health check.
Filter/Exclusion: Check for the presence of Test-NetConnection in the command line, or exclude processes initiated by known admin accounts (e.g., Administrator, Domain Admins) during scheduled maintenance windows.
Scenario: A scheduled job runs a PowerShell script that includes the string Invoke-EgressCheck.ps1 as part of a custom logging or monitoring script.
Filter/Exclusion: Exclude scripts that are located in known internal script directories (e.g., C:\Tools\, C:\CustomScripts\) or that are signed by a trusted internal certificate.
Scenario: A security analyst is using the Empire framework for red teaming or penetration testing, and the Invoke-EgressCheck.ps1 script is part of a legitimate simulation.
Filter/Exclusion: Exclude processes that are running from Empire’s known module paths (e.g., C:\Empire\, C:\Tools\Empire\) or that are initiated by a user with a specific security clearance (e.g., RedTeamUser).
Scenario: A backup or synchronization job uses a third-party tool (e.g., rsync, RoboCopy, SyncToy) that inadvertently includes the string Invoke-EgressCheck.ps1 in its configuration or logs.
Filter/Exclusion: Exclude processes initiated by backup services (e.g., BackupService, SyncService) or those that are running from known backup directories (e.g., C:\Backup\, D:\Sync\).
Scenario: A system update or patching tool (e.g., Windows Update, WSUS, Microsoft Update) runs a PowerShell script that includes the string `Invoke-Egress