The hypothesis is that the detection of the Empire component Invoke-PostExfil.ps1 indicates potential exfiltration activity by an adversary leveraging PowerShell to transfer data out of the network. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate data exfiltration attempts early, especially since the low severity may mask a more significant threat.
YARA Rule
rule Empire_Invoke_PostExfil {
    meta:
        description = "Detects Empire component - file Invoke-PostExfil.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "00c0479f83c3dbbeff42f4ab9b71ca5fe8cd5061cb37b7b6861c73c54fd96d3e"
    strings:
        $s1 = "# upload to a specified exfil URI" fullword ascii
        $s2 = "Server path to exfil to." fullword ascii
    condition:
        ( uint16(0) == 0x490a and filesize < 2KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns ($s1 and $s2) in its detection logic; the condition fires either when both strings are present, or when one of them is present in a file smaller than 2KB whose first two bytes are 0x0a 0x49 (a newline followed by "I", read as the little-endian uint16 0x490a). Note that the rule matches on file content, not on the script's file name.
Scenario: A system administrator is using PowerShell to run a legitimate PowerShell script for data export, which happens to have a similar name to Invoke-PostExfil.ps1.
Filter/Exclusion: Check the script’s full path and content for known legitimate export tools (e.g., Export-Csv, Out-File) or match against a whitelist of approved scripts.
Scenario: A scheduled job is configured to run a PowerShell script that performs routine log analysis or system health checks, and the script name coincidentally matches Invoke-PostExfil.ps1.
Filter/Exclusion: Exclude scripts that are scheduled via Task Scheduler or PowerShell Scheduled Tasks, or check the script’s content for known log analysis commands.
Scenario: A Windows Update or Microsoft Intune deployment includes a PowerShell script that is used to configure devices, and the script name matches Invoke-PostExfil.ps1.
Filter/Exclusion: Exclude scripts that are deployed via Group Policy, Intune, or Windows Update and are signed by Microsoft or enterprise-approved publishers.
Scenario: A security tool like OSSEC or Splunk runs a PowerShell script for log parsing, and the script name is similar to Invoke-PostExfil.ps1.
Filter/Exclusion: Exclude scripts that are associated with known security tools or have a signature indicating they are part of a SIEM or log management system.
Scenario: A third-party application (e.g., Microsoft SQL Server or Exchange) uses PowerShell for automation and the script name matches Invoke-PostExfil.ps1.
Filter/Exclusion: Exclude scripts that are executed in the context of known enterprise applications or have a file path that includes the application’s installation directory.