The hypothesis is that the detection of the Empire component Invoke-PowerDump.ps1 indicates potential post-exploitation activity by an adversary seeking to exfiltrate data or establish persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate advanced persistent threats that may be leveraging Empire for data extraction or command and control operations.
YARA Rule
rule Empire_Invoke_PowerDump {
    meta:
        description = "Detects Empire component - file Invoke-PowerDump.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "095c5cf5c0c8a9f9b1083302e2ba1d4e112a410e186670f9b089081113f5e0e1"
    strings:
        $x16 = "$enc = Get-PostHashdumpScript" fullword ascii
        $x19 = "$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;" fullword ascii
        $x20 = "$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);" fullword ascii
    condition:
        ( uint16(0) == 0x2023 and filesize < 60KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 6 string patterns in its detection logic.
Scenario: A system administrator uses PowerShell to debug a script that calls the Invoke-PowerDump function as part of a script development or testing environment.
Filter/Exclusion: Check whether the file sits under a known development environment or script repository path, or filter by user (e.g., User = "DevUser").
Scenario: A scheduled job runs a script that includes Invoke-PowerDump.ps1 as part of a log analysis or data export process using PowerShell.
Filter/Exclusion: Filter by job name or schedule (e.g., JobName = "DailyLogExport"), or check for the presence of a known log processing tool such as LogParser or PowerShell Data Export Tool.
Scenario: A third-party security tool or endpoint detection and response (EDR) platform uses PowerShell scripts like Invoke-PowerDump.ps1 for system diagnostics or forensic analysis.
Filter/Exclusion: Check for presence of known EDR or security tool paths (e.g., C:\Program Files\EDRTool\), or filter by process name (e.g., Process = "EDRTool.exe").
Scenario: A Windows Update or patching task runs a script that includes Invoke-PowerDump.ps1 as part of a system health check or inventory process.
Filter/Exclusion: Filter by process name (e.g., Process = "WindowsUpdate.exe"), or check for presence of a known patching tool like Microsoft Update Assistant or SCOM.
Scenario: A system cleanup or disk cleanup task uses PowerShell to run Invoke-PowerDump.ps1 as part of a temporary diagnostic or cleanup script.
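The following Python is an added example (not code from the page's author or from Florian Roth's signature-base): it re-implements the condition of the Empire_Invoke_PowerDump rule above over an in-memory file and then applies an exclusion step in the spirit of the Filter/Exclusion scenarios. The FileEvent shape, the EDRTool path and process name, and the sample script content are constructed placeholders; the exclusion deliberately requires both an allowlisted path and an allowlisted process, which is stricter than the page's either/or filters.

```python
import re
from dataclasses import dataclass

# Strings taken from the page's Empire_Invoke_PowerDump rule ($x16, $x19, $x20).
RULE_STRINGS = {
    "x16": b"$enc = Get-PostHashdumpScript",
    "x19": b"$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;",
    "x20": b"$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);",
}
MAX_SIZE = 60 * 1024  # the rule's "filesize < 60KB"

def fullword_hits(data: bytes) -> set:
    """Emulate YARA 'fullword ascii': the match may not be bordered by alphanumerics."""
    hits = set()
    for name, s in RULE_STRINGS.items():
        pat = rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])"
        if re.search(pat, data):
            hits.add(name)
    return hits

def rule_matches(data: bytes) -> bool:
    """( uint16(0) == 0x2023 and filesize < 60KB and 1 of them ) or all of them."""
    hits = fullword_hits(data)
    # uint16 is little-endian in YARA, so 0x2023 means the file starts with "# ".
    header_ok = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x2023
    return (header_ok and len(data) < MAX_SIZE and len(hits) >= 1) or len(hits) == len(RULE_STRINGS)

@dataclass
class FileEvent:  # hypothetical shape of a file-scan event as it might be fed from Sentinel
    path: str
    user: str
    process: str
    content: bytes

# Allowlist built from the page's EDR scenario; constructed values, tune per environment.
ALLOWED_PATH_PREFIXES = ("C:\\Program Files\\EDRTool\\",)
ALLOWED_PROCESSES = {"EDRTool.exe"}

def triage(ev: FileEvent) -> str:
    """Return 'no-match', 'suppressed' (matched but excluded) or 'alert'."""
    if not rule_matches(ev.content):
        return "no-match"
    in_allowed_path = ev.path.lower().startswith(tuple(p.lower() for p in ALLOWED_PATH_PREFIXES))
    # Path and process are required together: either one alone is a weak exclusion.
    if in_allowed_path and ev.process in ALLOWED_PROCESSES:
        return "suppressed"
    return "alert"

# Constructed sample: a PowerShell file beginning with "# " and carrying one rule string.
SAMPLE = b"# Invoke-PowerDump\nfunction Invoke-PowerDump {\n    $enc = Get-PostHashdumpScript\n}\n"

if __name__ == "__main__":
    print(triage(FileEvent("C:\\Users\\Public\\ipd.ps1", "bob", "powershell.exe", SAMPLE)))  # alert
```

Since the exclusion keys on path and process name only, a match from an allowlisted location but an unexpected parent process still alerts, which is the case the EDR scenario's filter would otherwise hide.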