The hypothesis is that the presence of the Invoke-PsExec.ps1 file indicates potential adversary use of Empire for lateral movement or command and control. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify and mitigate early-stage compromise by advanced persistent threats.
YARA Rule
rule Empire_Invoke_PsExec {
    meta:
        description = "Detects Empire component - file Invoke-PsExec.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
    strings:
        $s1 = "Invoke-PsExecCmd" fullword ascii
        $s2 = "\"[*] Executing service .EXE" fullword ascii
        $s3 = "$cmd = \"%COMSPEC% /C echo $Command ^> %systemroot%\\Temp\\" ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 50KB and 1 of them ) or all of them
}
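To make the condition concrete, the following is an added Python re-implementation of the rule's logic, not code from the rule's author or from this page. It approximates YARA's fullword and filesize semantics in pure Python (a real deployment would compile the rule with YARA itself) and runs it over constructed sample files, showing why a small file starting with "function" is flagged on one hit while a large file with the same single hit is not.

```python
from __future__ import annotations
import re

# Literal forms of the rule's three strings with the YARA escapes resolved;
# the flag records whether the rule marks the string 'fullword'.
RULE_STRINGS = {
    "s1": (b"Invoke-PsExecCmd", True),
    "s2": (b'"[*] Executing service .EXE', True),
    "s3": (b'$cmd = "%COMSPEC% /C echo $Command ^> %systemroot%\\Temp\\', False),
}
MAX_SIZE = 50 * 1024  # 'filesize < 50KB'; YARA's KB is 1024 bytes

def matched_strings(data: bytes) -> set[str]:
    """Identifiers of the rule strings present in data. fullword (as in
    YARA): no alphanumeric character directly before or after the hit."""
    found = set()
    for ident, (needle, fullword) in RULE_STRINGS.items():
        pat = re.escape(needle)
        if fullword:
            pat = rb"(?<![A-Za-z0-9])" + pat + rb"(?![A-Za-z0-9])"
        if re.search(pat, data):
            found.add(ident)
    return found

def rule_matches(data: bytes) -> bool:
    """Evaluate the condition of Empire_Invoke_PsExec on one file's bytes.
    uint16(0) is read little-endian, so 0x7566 is the ASCII text "fu":
    the file starts with "function" (the rule's cheap file-type check)."""
    magic_ok = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x7566
    found = matched_strings(data)
    cheap_branch = magic_ok and len(data) < MAX_SIZE and len(found) >= 1
    strict_branch = len(found) == len(RULE_STRINGS)  # 'all of them'
    return cheap_branch or strict_branch

def hunt(files: dict[str, bytes]) -> list[str]:
    """Names of the files the rule would flag, sorted."""
    return sorted(name for name, data in files.items() if rule_matches(data))

# Constructed samples (not real Empire files), one per condition branch.
SMALL_SCRIPT = b"function Invoke-PsExecCmd {\n  param($Target)\n}\n"
LARGE_SCRIPT = b"function Foo {}\n" + b"# filler\n" * 7000 + b"Invoke-PsExecCmd\n"
FULL_HIT = (b"# does not start with 'function'\n"
            b'Write-Verbose "[*] Executing service .EXE"\n'
            b'$cmd = "%COMSPEC% /C echo $Command ^> %systemroot%\\Temp\\x"\n'
            b"Invoke-PsExecCmd\n")

if __name__ == "__main__":
    print(hunt({"a.ps1": SMALL_SCRIPT, "b.ps1": LARGE_SCRIPT, "c.ps1": FULL_HIT}))
```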
This rule contains 4 string patterns in its detection logic. The scenarios below describe legitimate activity that can trigger the rule, each with a suggested filter or exclusion to reduce false positives when hunting:
Scenario: A system administrator is using PowerShell to remotely execute a script on a managed Windows server using Invoke-Command as part of routine maintenance.
Filter/Exclusion: Check for the presence of Invoke-Command in the script context, or filter by the source IP of the administrator’s workstation.
Scenario: A scheduled job runs a PowerShell script that includes Invoke-PsExec.ps1 as part of a legitimate automation process for deploying updates.
Filter/Exclusion: Exclude scripts that are scheduled via Task Scheduler or PowerShell Scheduled Jobs, or check for the presence of a known legitimate script path.
Scenario: A Windows Admin Center or SCOM (System Center Operations Manager) agent is using PowerShell remoting to perform configuration tasks, which may include Invoke-PsExec.ps1 in the background.
Filter/Exclusion: Exclude activity originating from known management tools or agents, such as Microsoft.Windows.PowerShell or SystemCenter.
Scenario: A third-party security tool or endpoint protection software includes Invoke-PsExec.ps1 as part of its own PowerShell module or diagnostic script.
Filter/Exclusion: Filter based on the file path or signing certificate of the script, or check for known vendor-specific script locations.
Scenario: A DevOps pipeline (e.g., Jenkins, Azure DevOps) uses PowerShell scripts to deploy applications, and one of the scripts includes Invoke-PsExec.ps1 as part of a deployment step.
Filter/Exclusion: Exclude scripts that are part of a CI/CD pipeline, or filter by the user account used by the pipeline (e.g., jenkins, azureuser).