The detection of the Invoke-Mimikatz.ps1 file indicates potential credential dumping activity by an adversary leveraging PowerShell to extract credentials from memory. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage lateral movement and privilege escalation attempts.
YARA Rule
rule Empire_Invoke_Mimikatz_Gen {
   meta:
      description = "Detects Empire component - file Invoke-Mimikatz.ps1"
      author = "Florian Roth"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
   strings:
      $s1 = "= \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ" ascii
      $s2 = "Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, \"Void\", 0, \"\", $ExeArgs)" fullword ascii
   condition:
      ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
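To make the condition above concrete, the following is an added walk-through written for this page; it is not part of the YARA rule, of Florian Roth's signature-base, or of any scanning engine. It re-implements the two string patterns and the condition in plain Python (the `uint16(0)` little-endian read, YARA's `KB` suffix, the `fullword` modifier, and the `1 of them` / `all of them` branches) and runs them over small constructed byte strings, so you can see which branch fires for a normal script, for a copy saved with a UTF-8 byte-order mark, for a string glued to an alphanumeric byte, and for an oversized file. The sample inputs and names such as `evaluate_rule` are this example's own; use yara-python for real scanning.

```python
"""Pure-Python walk-through of the condition in Empire_Invoke_Mimikatz_Gen.

Added illustration for this page, not the rule's own code. It mirrors the
rule's string and condition semantics on constructed inputs; real scanning
should use the yara / yara-python engine.
"""
import struct

# String patterns copied from the rule's strings section.
S1 = b'= "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ'                       # $s1, ascii
S2 = (b'Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList '
      b'@($PEBytes64, $PEBytes32, "Void", 0, "", $ExeArgs)')          # $s2, fullword ascii

MAGIC_UINT16 = 0x7566        # uint16(0) is read little-endian: bytes 66 75 == b"fu"
MAX_FILESIZE = 4000 * 1024   # YARA's KB suffix means 1024 bytes


def _is_fullword(data: bytes, start: int, end: int) -> bool:
    """YARA 'fullword': the match must not be adjacent to alphanumeric bytes."""
    before = data[start - 1:start] if start > 0 else b""
    after = data[end:end + 1]
    return not before.isalnum() and not after.isalnum()


def find_string(data: bytes, pattern: bytes, fullword: bool = False) -> list:
    """Return every offset of pattern in data, honouring the fullword modifier."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        if not fullword or _is_fullword(data, pos, pos + len(pattern)):
            hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


def uint16(data: bytes, offset: int):
    """YARA's uint16(offset): little-endian read; None (undefined) when out of bounds."""
    if offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def evaluate_rule(data: bytes) -> dict:
    """Evaluate the rule condition and report which branch fired."""
    matched = {"$s1": find_string(data, S1), "$s2": find_string(data, S2, fullword=True)}
    n_matched = sum(1 for hits in matched.values() if hits)
    header_ok = uint16(data, 0) == MAGIC_UINT16
    size_ok = len(data) < MAX_FILESIZE
    branch_a = header_ok and size_ok and n_matched >= 1   # ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them )
    branch_b = n_matched == len(matched)                   # all of them: no header or size guard
    return {
        "match": branch_a or branch_b,
        "header_ok": header_ok,
        "size_ok": size_ok,
        "strings": [name for name, hits in matched.items() if hits],
        "branch": "header+size+1 of them" if branch_a else ("all of them" if branch_b else None),
    }


# Constructed sample inputs (not real files); only the bytes the rule inspects matter.
HEADER = b"function Invoke-Mimikatz\n{\n"          # starts with b"fu", so uint16(0) == 0x7566
SAMPLES = {
    # both strings behind a script-like header: branch A is satisfied (branch B would be too)
    "full_script": HEADER + b"    $PEBytes64 " + S1 + b'..."\n    ' + S2 + b"\n}\n",
    # only the embedded-PE base64 prefix, but header and size are fine: branch A
    "header_and_s1": HEADER + b"    $x " + S1 + b"\n}\n",
    # UTF-8 BOM in front: header check fails, but 'all of them' still fires
    "bom_both_strings": b"\xef\xbb\xbf" + HEADER + S1 + b"\n" + S2 + b"\n",
    # BOM plus a single string: neither branch
    "bom_only_s1": b"\xef\xbb\xbf" + HEADER + S1 + b"\n",
    # $s2 glued to an alphanumeric byte violates fullword, so zero strings match
    "s2_not_fullword": HEADER + b"x" + S2 + b"\n",
    # one string in a file at/over 4000KB: the filesize guard rejects branch A
    "oversized_s1": HEADER + S1 + b"\n" + b"\x00" * MAX_FILESIZE,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = evaluate_rule(blob)
        print(f"{name:18s} match={r['match']!s:5s} header_ok={r['header_ok']!s:5s} "
              f"size_ok={r['size_ok']!s:5s} strings={r['strings']} branch={r['branch']}")
```

Two points the samples make visible: the first branch requires the file to literally begin with the bytes `fu` (as in `function`), so a copy of the script saved with a byte-order mark or in UTF-16 only matches through the `all of them` branch, and that second branch has no size or header guard at all. When tuning this rule for a Sentinel or endpoint pipeline, test candidate exclusions against both branches rather than only against the header check.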
Scenario: A system administrator is using PowerShell to run a legitimate Invoke-Mimikatz.ps1 script as part of a Windows Security Baseline Compliance Check.
Filter/Exclusion: Check for the presence of the Microsoft Security Compliance Manager or Windows Defender in the process tree, or filter by the user account (e.g., NT AUTHORITY\SYSTEM or Administrators group).
Scenario: A scheduled job is configured to run Invoke-Mimikatz.ps1 as part of a Microsoft Intune or Microsoft Endpoint Manager compliance task.
Filter/Exclusion: Filter by job name or task ID associated with Microsoft Intune, or check for the presence of Microsoft Endpoint Manager in the process or registry.
Scenario: A third-party security tool (e.g., Microsoft Defender for Endpoint, CrowdStrike, or SentinelOne) includes Invoke-Mimikatz.ps1 as part of its malware analysis or sandboxing process.
Filter/Exclusion: Check for the presence of the security tool’s process name or signature, or filter by process parent (e.g., msdefender.exe, crowdstrike.exe).
Scenario: A DevOps pipeline (e.g., Azure DevOps, GitHub Actions) runs Invoke-Mimikatz.ps1 as part of a CI/CD test or security validation process.
Filter/Exclusion: Filter by user context (e.g., svc-azuredevops or github-actions) or check for the presence of CI/CD environment variables in the process environment.
Scenario: A Windows Update or Windows Defender scan triggers a