The hypothesis is that the detection of the Empire component Invoke-ShellcodeMSIL.ps1 indicates potential adversary use of a PowerShell-based payload to execute arbitrary code, leveraging the Empire framework for initial access or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversarial activity that may evade traditional detection methods.
YARA Rule
rule Empire_Invoke_ShellcodeMSIL {
    meta:
        description = "Detects Empire component - file Invoke-ShellcodeMSIL.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "9a9c6c9eb67bde4a8ce2c0858e353e19627b17ee2a7215fa04a19010d3ef153f"
    strings:
        $s1 = "$FinalShellcode.Length" fullword ascii
        $s2 = "@(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)" fullword ascii
        $s3 = "@(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57," fullword ascii
        $s4 = "$TargetMethod.Invoke($null, @(0x11112222)) | Out-Null" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
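The condition is the part of the rule that analysts most often misread, so the following is an added example (written for this page, not code from the rule author or from the Empire project) that re-implements it in plain Python without a yara-python dependency and runs it over a handful of constructed PowerShell fragments. It makes three things visible: uint16(0) == 0x7566 is simply the little-endian encoding of the two bytes "fu", i.e. a file whose first word is "function"; the 30KB cap and the header check apply only to the "1 of them" branch, while a file containing all four strings matches regardless of header or size; and the fullword modifier rejects a hit that is directly followed by an alphanumeric byte. The sample scripts, the helper names and the assumption that YARA's fullword means "no alphanumeric byte on either side" are the example's own.

```python
"""Re-implementation of the Empire_Invoke_ShellcodeMSIL condition for study.

Added example: the four needles are copied from the rule; everything else
(helper names, sample scripts, fullword approximation) is constructed here.
"""

# The four 'fullword ascii' literals from the rule, keyed by their YARA names.
RULE_STRINGS = {
    "$s1": b"$FinalShellcode.Length",
    "$s2": b"@(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)",
    "$s3": b"@(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57,",
    "$s4": b"$TargetMethod.Invoke($null, @(0x11112222)) | Out-Null",
}

# filesize < 30KB; YARA's KB suffix means 1024 bytes.
MAX_SIZE = 30 * 1024

# uint16(0) == 0x7566: two little-endian bytes 0x66 0x75, i.e. ASCII "fu",
# the start of a script whose first token is the keyword "function".
FUNCTION_HEADER = 0x7566

# Bytes that terminate a 'fullword' match when adjacent to it (assumed semantics).
ALNUM = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def fullword_in(data: bytes, needle: bytes) -> bool:
    """True if needle occurs in data with no alphanumeric byte directly before or after it."""
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx == -1:
            return False
        end = idx + len(needle)
        before_ok = idx == 0 or data[idx - 1] not in ALNUM
        after_ok = end == len(data) or data[end] not in ALNUM
        if before_ok and after_ok:
            return True
        start = idx + 1  # keep scanning: a later occurrence may be a clean fullword hit


def matched_strings(data: bytes) -> set:
    """Names of the rule strings that match in data ('them' in YARA terms)."""
    return {name for name, needle in RULE_STRINGS.items() if fullword_in(data, needle)}


def rule_matches(data: bytes) -> bool:
    """Evaluate: (uint16(0) == 0x7566 and filesize < 30KB and 1 of them) or all of them."""
    hits = matched_strings(data)
    has_function_header = len(data) >= 2 and int.from_bytes(data[:2], "little") == FUNCTION_HEADER
    primary_branch = has_function_header and len(data) < MAX_SIZE and len(hits) >= 1
    return primary_branch or len(hits) == len(RULE_STRINGS)


# Constructed inputs; none of these is a real file from any repository.
SAMPLES = {
    # Ordinary maintenance script: starts with "function", contains none of the needles.
    "benign_maintenance": b"function Get-DiskReport {\n    Get-PSDrive | Out-Null\n}\n",
    # Starts with "function", small, one needle present -> primary branch fires.
    "one_marker_with_header": b"function Invoke-Thing {\n    $FinalShellcode.Length\n}\n",
    # Comment header instead of "function", but all four needles -> 'all of them' fires.
    "all_markers_no_header": b"# saved copy\n" + b"\n".join(RULE_STRINGS.values()) + b"\n",
    # Padded past 30KB with only one needle -> neither branch fires.
    "one_marker_oversized": b"function X {\n" + b"#" * 40000 + b"\n$FinalShellcode.Length\n}\n",
    # Needle immediately followed by an alphanumeric byte -> not a fullword hit.
    "substring_not_fullword": b"function X {\n$FinalShellcode.LengthX\n}\n",
}


def scan_samples() -> dict:
    """Map each constructed sample name to the rule verdict."""
    return {name: rule_matches(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:28s} matched={verdict!s:5s} strings={sorted(matched_strings(SAMPLES[name]))}")
```

The oversized and non-fullword samples are the ones worth a second look when tuning: both contain a rule string yet produce no alert, which is the expected behaviour of the condition as written rather than a bug in the scanner, and it is why the 4-of-4 fallback branch exists.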
Scenario: A system administrator is using PowerShell to run a legitimate PowerShell script for system maintenance, which includes the string Invoke-ShellcodeMSIL.ps1 in its content due to a third-party module or script.
Filter/Exclusion: Check for presence of known legitimate PowerShell modules or scripts, or use a filter like process.name != "powershell.exe" or script.name != "Invoke-ShellcodeMSIL.ps1".
Scenario: A scheduled job is configured to run a script that includes the string Invoke-ShellcodeMSIL.ps1 as part of a PowerShell module import or script inclusion.
Filter/Exclusion: Exclude processes associated with Task Scheduler or scheduled jobs using process.parent.name == "schtasks.exe" or process.name == "schtasks.exe".
Scenario: A Windows Admin Center or PowerShell ISE session is used to run a script that contains the string Invoke-ShellcodeMSIL.ps1 due to a script alias or module reference.
Filter/Exclusion: Exclude processes associated with Windows Admin Center or PowerShell ISE using process.name == "pwsh.exe" or process.name == "powershell_ise.exe".
Scenario: A Windows Update or Microsoft Intune deployment includes a script that references Invoke-ShellcodeMSIL.ps1 as part of a custom script or configuration package.
Filter/Exclusion: Exclude processes related to Windows Update or Intune using process.name == "wuauclt.exe" or process.name == "msiexec.exe".
Scenario: A DevOps pipeline (e.g., Azure DevOps, GitHub Actions) runs a