The hypothesis is that a file on a host matching the Invoke-Portscan.ps1 signature indicates potential reconnaissance: an adversary using Empire's port-scanning module to enumerate listening services and pick out vulnerable ones before moving laterally. SOC teams should proactively hunt for this artefact in Azure Sentinel to identify early-stage adversary presence and prevent further network exploration.
YARA Rule
rule Empire_Invoke_Portscan_Gen {
   meta:
      description = "Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1"
      author = "Florian Roth"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      hash2 = "cf7030be01fab47e79e4afc9e0d4857479b06a5f68654717f3bc1bc67a0f38d3"
   strings:
      $s1 = "Test-Port -h $h -p $Port -timeout $Timeout" fullword ascii
      $s2 = "1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }" fullword ascii
   condition:
      ( uint16(0) == 0x7566 and filesize < 100KB and 1 of them ) or all of them
}
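As an added example (not code from this page or from the Empire project), the following plain-Python evaluation mirrors the rule's condition clause by clause and runs it over constructed sample files. The helper names (evaluate_rule, fullword_present), the sample byte strings and the stub script bodies are assumptions made for the illustration; only the two patterns, the magic value and the size limit come from the rule itself.

```python
# Added example: evaluate the Empire_Invoke_Portscan_Gen condition in plain Python.
# Not part of the original page or the Empire project; samples below are constructed.
import re
import struct

# The rule's two patterns, both declared "fullword ascii".
RULE_STRINGS = {
    "$s1": b"Test-Port -h $h -p $Port -timeout $Timeout",
    "$s2": b"1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }",
}
MAGIC = 0x7566         # uint16(0): bytes "fu" read little-endian, i.e. a file that starts with "function"
MAX_SIZE = 100 * 1024  # YARA's "100KB" means 100 * 1024 bytes


def fullword_present(data: bytes, pattern: bytes) -> bool:
    """YARA 'fullword': the match may not be adjacent to an alphanumeric byte on either side."""
    rx = re.compile(rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])")
    return rx.search(data) is not None


def evaluate_rule(data: bytes) -> dict:
    """Mirror of the condition:
    ( uint16(0) == 0x7566 and filesize < 100KB and 1 of them ) or all of them
    """
    hits = {name: fullword_present(data, pat) for name, pat in RULE_STRINGS.items()}
    magic_ok = len(data) >= 2 and struct.unpack("<H", data[:2])[0] == MAGIC
    size_ok = len(data) < MAX_SIZE
    n_hits = sum(hits.values())
    matched = (magic_ok and size_ok and n_hits >= 1) or n_hits == len(RULE_STRINGS)
    return {"matched": matched, "magic_ok": magic_ok, "size_ok": size_ok, "strings": hits}


# Constructed sample inputs (not real Empire files): only the rule-relevant lines are present.
BODY_S1 = b"function Invoke-Portscan {\n    Test-Port -h $h -p $Port -timeout $Timeout\n}\n"
BODY_S1_S2 = (b"function Invoke-Portscan {\n"
              b"    1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }\n"
              b"    Test-Port -h $h -p $Port -timeout $Timeout\n}\n")

SAMPLE_PLAIN = BODY_S1                                   # starts with "fu", one string: matches
SAMPLE_BOM_ONE = b"\xef\xbb\xbf" + BODY_S1               # UTF-8 BOM defeats uint16(0); one string: no match
SAMPLE_BOM_BOTH = b"\xef\xbb\xbf" + BODY_S1_S2           # BOM, but both strings: "all of them" branch matches
SAMPLE_UTF16 = BODY_S1_S2.decode().encode("utf-16-le")   # re-saved as UTF-16: ascii-only strings never match
SAMPLE_BENIGN = b"function Get-Thing { Get-Service -Name $n }\n"  # starts with "fu" but has no rule strings


if __name__ == "__main__":
    samples = [("plain", SAMPLE_PLAIN), ("bom, one string", SAMPLE_BOM_ONE),
               ("bom, both strings", SAMPLE_BOM_BOTH), ("utf-16", SAMPLE_UTF16),
               ("benign", SAMPLE_BENIGN)]
    for label, blob in samples:
        print(f"{label:18s} -> {evaluate_rule(blob)}")
```

Running it makes two properties of the rule visible. The uint16(0) check requires the file to begin with the literal bytes "fu", so a UTF-8 BOM, a leading comment block, or a wrapper that prepends anything to the script defeats the first branch and only the "all of them" branch remains. Both strings are declared ascii without wide, so a copy of the script re-encoded as UTF-16 never matches at all; when a hunt surfaces a re-encoded or renamed copy, scan the decoded content rather than relying on this rule alone.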
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic ($s1 and $s2, both fullword ascii). It fires either when a file under 100 KB that begins with the bytes "fu" (uint16(0) == 0x7566, the start of "function") contains at least one of them, or when any file contains both. Because it keys on Empire's specific strings rather than on the file name, an in-house script that merely shares the name Invoke-Portscan.ps1 will not trigger it unless its code was copied from Empire.
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task uses Invoke-Portscan.ps1 to check for open ports during routine network health checks.
Filter/Exclusion: Exclude runs launched by a specific, documented scheduled task (e.g., a task named NetworkHealthCheck started by the Task Scheduler service or via schtasks.exe), and tie the exclusion to that task's script path and to the hash of the vetted script. An exclusion on the task launcher alone would also cover a task an attacker registers for persistence.
Scenario: PowerShell Script for Network Monitoring
Description: A security team uses a custom PowerShell script named Invoke-Portscan.ps1 to monitor internal network traffic for anomalies.
Filter/Exclusion: Exclude copies of the script that sit in a known, access-controlled directory (e.g., C:\SecurityTools\) and match the hash of the vetted version. Do not exclude on user context alone: NT AUTHORITY\SYSTEM is the context most post-exploitation tooling ends up running in, so a SYSTEM-based exclusion suppresses exactly the activity this hunt is meant to find.
Scenario: Admin Task to Test Firewall Rules
Description: An administrator runs Invoke-Portscan.ps1 to test if certain ports are open or closed as part of firewall rule validation.
Filter/Exclusion: Exclude runs by a specific, named administrator account only in combination with the script's path and hash. An exclusion on the built-in Administrator account, or on any PowerShell.exe launched via runas, is too broad, since an attacker who has obtained admin credentials looks identical in the telemetry.
Scenario: Legitimate Third-Party Compliance Tool
Description: A third-party compliance tool includes a script named Invoke-Portscan.ps1 to validate network configurations during audits.
Filter/Exclusion: Exclude hits whose script was launched by a specific, documented parent process (e.g., ComplianceTool.exe) or whose script file carries the vendor's Authenticode signature (verified with Get-AuthenticodeSignature, not inferred from the file name).
Scenario: PowerShell Module for Port Scanning
Description: A company's internal PowerShell module includes a function named Invoke-Portscan that is used for internal port scanning during infrastructure setup. Since the rule matches on Empire's strings rather than on the function name, such a module only triggers it if the function body was copied from Empire.
Filter/Exclusion: Exclude processes that are part of a known internal module (e.g., `C:\Modules\
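The scenarios above phrase their exclusions in terms of processes and accounts, but the YARA hit is on a file. The following added example (not code from this page; the Sentinel-style field names, the placeholder hashes and the three rows are constructed for illustration) applies two versions of the exclusion to constructed hits to show which rows each one hides from the analyst.

```python
# Added example: compare an exclusion keyed on folder or account with one keyed on
# the vetted script's hash, location and parent. Not from the original page; all
# rows and hashes below are constructed placeholders, not real telemetry.
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class FileHit:
    """One YARA hit on Invoke-Portscan.ps1 joined with the process that ran it.
    Field names loosely follow Sentinel's DeviceFileEvents / DeviceProcessEvents columns."""
    folder_path: str
    sha256: str
    initiating_process: str
    parent_process: str
    account: str


# Constructed baseline of what the organisation has actually vetted.
# The hash is a placeholder, not the digest of any real file.
APPROVED_SHA256 = {"11" * 32}
APPROVED_FOLDERS = {"C:\\SecurityTools\\"}
APPROVED_PARENTS = {"ComplianceTool.exe"}

SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"


def in_approved_folder(hit: FileHit) -> bool:
    return any(hit.folder_path.startswith(folder) for folder in APPROVED_FOLDERS)


def weak_exclusion(hit: FileHit) -> bool:
    """Exclusion as the scenarios phrase it: trusted directory OR trusted account."""
    return in_approved_folder(hit) or hit.account == SYSTEM_ACCOUNT


def strict_exclusion(hit: FileHit) -> bool:
    """Exclude only a vetted copy (by hash) in its vetted location, launched by a vetted parent."""
    return (hit.sha256 in APPROVED_SHA256
            and in_approved_folder(hit)
            and hit.parent_process in APPROVED_PARENTS)


def triage(hits: List[FileHit], excluded: Callable[[FileHit], bool]) -> List[FileHit]:
    """Return the hits that survive the exclusion and therefore reach an analyst."""
    return [h for h in hits if not excluded(h)]


# Constructed rows: one vetted compliance run and two that an attacker could produce.
SAMPLE_HITS = [
    # The vetted copy, run by the compliance tool under its service account
    FileHit("C:\\SecurityTools\\Invoke-Portscan.ps1", "11" * 32,
            "powershell.exe", "ComplianceTool.exe", "CORP\\svc_compliance"),
    # An Empire copy dropped into the trusted folder and run as SYSTEM after privilege escalation
    FileHit("C:\\SecurityTools\\Invoke-Portscan.ps1", "22" * 32,
            "powershell.exe", "cmd.exe", SYSTEM_ACCOUNT),
    # An Empire copy staged in a world-writable location under a user account
    FileHit("C:\\Users\\Public\\Invoke-Portscan.ps1", "22" * 32,
            "powershell.exe", "powershell.exe", "CORP\\jdoe"),
]


if __name__ == "__main__":
    for label, policy in (("weak", weak_exclusion), ("strict", strict_exclusion)):
        kept = triage(SAMPLE_HITS, policy)
        print(f"{label}: {len(kept)} of {len(SAMPLE_HITS)} hits reach an analyst")
        for h in kept:
            print("   ", h.folder_path, h.account, h.parent_process)
```

With the weak policy the second row, an unapproved copy in the trusted folder running as SYSTEM, is silently dropped; the strict policy keeps it and hides only the row whose hash, location and parent all match the baseline. Whatever fields the exclusion uses, they should be ones the attacker cannot satisfy simply by choosing where to drop the file or which token to run under.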