The hypothesis is that an adversary is using the Empire module Invoke-InveighRelay.ps1 to establish a covert relay for command and control communication. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or exfiltration activities early in the attack lifecycle.
YARA Rule
rule Empire_Invoke_InveighRelay_Gen {
    meta:
        description = "Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash2 = "21b90762150f804485219ad36fa509aeda210d46453307a9761c816040312f41"
    strings:
        $s1 = "$inveigh.SMBRelay_failed_list.Add(\"$HTTP_NTLM_domain_string\\$HTTP_NTLM_user_string $SMBRelayTarget\")" fullword ascii
        $s2 = "$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 200KB and 1 of them ) or all of them
}
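To make the condition line concrete, here is an added Python re-implementation of the rule's logic (my own example, not part of the rule or this page): it applies YARA's uint16(0) header check, the 200KB size limit and fullword string matching to a few constructed sample scripts, so you can see which branch of the condition fires. Function names such as rule_matches and the sample blobs are my own.

```python
import re

# Constructed re-implementation of the rule's condition (not YARA itself):
# the two strings, unescaped as YARA would read them, plus the header,
# size and 'fullword' checks from the condition line.
YARA_STRINGS = {
    "$s1": b'$inveigh.SMBRelay_failed_list.Add("$HTTP_NTLM_domain_string'
           b'\\$HTTP_NTLM_user_string $SMBRelayTarget")',
    "$s2": b'$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)',
}
MAGIC_FU = 0x7566      # uint16(0): little-endian "fu", i.e. a file starting with "function"
MAX_SIZE = 200 * 1024  # YARA's "200KB"


def _fullword(pattern: bytes) -> re.Pattern:
    # YARA 'fullword': the match must not be preceded or followed by an alphanumeric byte
    return re.compile(rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])")


PATTERNS = {name: _fullword(s) for name, s in YARA_STRINGS.items()}


def matched_strings(data: bytes) -> list:
    """Names of the rule strings found in data, honouring fullword."""
    return [name for name, rx in PATTERNS.items() if rx.search(data)]


def rule_matches(data: bytes) -> bool:
    """( uint16(0) == 0x7566 and filesize < 200KB and 1 of them ) or all of them"""
    hits = matched_strings(data)
    starts_fu = len(data) >= 2 and int.from_bytes(data[:2], "little") == MAGIC_FU
    return (starts_fu and len(data) < MAX_SIZE and len(hits) >= 1) or len(hits) == len(PATTERNS)


# Constructed sample scripts (not real Empire files) exercising each branch.
SAMPLES = {
    "relay_like_small": b"function Invoke-InveighRelay {\n" + YARA_STRINGS["$s1"] + b"\n}\n",
    "both_strings_no_function_header": b"# header\n" + YARA_STRINGS["$s1"] + b"\n" + YARA_STRINGS["$s2"] + b"\n",
    "one_string_oversized": b"function x {\n" + YARA_STRINGS["$s2"] + b"\n" + b"#" * MAX_SIZE,
    "benign_netadapter": b"function Invoke-NetAdapter { Get-NetAdapter }\n",
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:34} match={rule_matches(blob)} strings={matched_strings(blob)}")
```

Note that a file over 200KB with only one of the strings does not match, while a file with both strings matches regardless of header or size.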
The scenarios below describe legitimate activity that can overlap with this rule's detection logic, each with a suggested filter or exclusion:
This rule contains 3 string patterns in its detection logic.
Scenario: Legitimate PowerShell script used by Inveigh tool for network reconnaissance
Filter/Exclusion: Check for the presence of Inveigh in the script path, or use a filter like process.parent.name == "powershell.exe" and process.name == "powershell.exe" with script_name contains "Inveigh"
Scenario: Scheduled job running PowerShell scripts for system maintenance (e.g., Invoke-Command for patching)
Filter/Exclusion: Use a filter like process.parent.name == "schtasks.exe" or check for script_name contains "patch" or script_name contains "maintenance"
Scenario: Admin task using PowerShell to configure network settings (e.g., Invoke-NetAdapter or Set-NetIPInterface)
Filter/Exclusion: Filter by script_name contains "NetAdapter" or script_name contains "NetIPInterface" or check for process.parent.name == "task scheduler"
Scenario: PowerShell remoting session initiated by a legitimate admin for remote management
Filter/Exclusion: Check for process.parent.name == "winrm.exe" or process.parent.name == "powershell.exe" with script_name contains "remoting" or script_name contains "PSRemoting"
Scenario: Custom script developed in-house that uses similar naming or syntax to the Empire component
Filter/Exclusion: Use a filter like script_name contains "custom" or script_name contains "internal" or check for process.parent.name == "notepad.exe" or process.parent.name == "visualstudio.exe"