Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1

Hunt Hypothesis

The hypothesis is that an adversary is leveraging Empire components to execute PowerShell-based attacks, potentially for credential dumping or process injection. SOC teams should proactively hunt for these artifacts in Azure Sentinel to identify early-stage compromise and prevent lateral movement or persistence.

YARA Rule

rule Empire_Invoke_Gen {
   meta:
      description = "Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
      author = "Florian Roth"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      hash1 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
      hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
      hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
   strings:
      $s1 = "$Shellcode1 += 0x48" fullword ascii
      $s2 = "$PEHandle = [IntPtr]::Zero" fullword ascii
   condition:
      ( uint16(0) == 0x7566 and filesize < 3000KB and 1 of them ) or all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

References

• https://github.com/adaptivethreat/Empire
• Source Rule

False Positive Guidance

• Scenario: Legitimate use of Invoke-DCSync.ps1 by the Active Directory team for synchronization tasks
  Filter/Exclusion: Check for presence of ADSync or ADSyncTools in the command line or file context, or filter by user/group ADAdmins

• Scenario: Scheduled job running Invoke-PSInject.ps1 as part of a legitimate PowerShell module deployment
  Filter/Exclusion: Filter by job name containing ModuleDeployment or PSModuleUpdate, and check for signed scripts with valid publisher

• Scenario: System administrator using Invoke-ReflectivePEInjection.ps1 to load a signed, trusted module into memory for performance monitoring
  Filter/Exclusion: Filter by user SysAdmin, check for presence of PSModule or PSFramework in the script context, and verify script signing status

• Scenario: Regular PowerShell script using Invoke-DCSync.ps1 as part of a backup or reporting tool
  Filter/Exclusion: Filter by script name or path containing Backup or Reporting, and check for execution in a known backup directory

• Scenario: IT support team using Invoke-PSInject.ps1 to inject a legitimate diagnostic tool into a service process
  Filter/Exclusion: Filter by user ITSupport, check for presence of DiagnosticTool or DiagTool in the script context, and verify script origin from a trusted source