The hypothesis is that the detection of the Empire component Invoke-SMBAutoBrute.ps1 indicates an adversary is attempting to brute-force SMB credentials to gain unauthorized access to network resources. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential compromise and prevent lateral movement within the environment.
YARA Rule
rule Empire_Invoke_SMBAutoBrute {
    meta:
        description = "Detects Empire component - file Invoke-SMBAutoBrute.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "7950f8abdd8ee09ed168137ef5380047d9d767a7172316070acc33b662f812b2"
    strings:
        $s1 = "[*] PDC: LAB-2008-DC1.lab.com" fullword ascii
        $s2 = "$attempts = Get-UserBadPwdCount $userid $dcs" fullword ascii
    condition:
        ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
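To see exactly which files the condition above accepts and rejects, here is an added Python re-implementation of the rule's logic (example code written for this page, not part of the original page and not a replacement for running YARA itself); the sample blobs are constructed, not real Empire files. Note that uint16(0) == 0x7566 reads the first two bytes little-endian, so it is simply the "fu" of a script whose first word is function.

```python
import struct

# Constants lifted from the rule on this page; everything else is added example code.
MAGIC_UINT16 = 0x7566                # little-endian bytes 66 75 = "fu": file starts with "function"
MAX_SIZE = 30 * 1024                 # filesize < 30KB
STRINGS = [
    b"[*] PDC: LAB-2008-DC1.lab.com",                        # $s1
    b"$attempts = Get-UserBadPwdCount $userid $dcs",          # $s2
]

def fullword_in(needle: bytes, data: bytes) -> bool:
    """Approximates YARA 'fullword': no alphanumeric byte directly before or after the hit."""
    start = 0
    while (idx := data.find(needle, start)) != -1:
        before = data[idx - 1:idx] if idx else b""
        after = data[idx + len(needle):idx + len(needle) + 1]
        if not before.isalnum() and not after.isalnum():
            return True
        start = idx + 1
    return False

def matches_rule(data: bytes) -> bool:
    """Evaluates: ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them"""
    hits = sum(fullword_in(s, data) for s in STRINGS)
    magic_ok = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == MAGIC_UINT16
    return (magic_ok and len(data) < MAX_SIZE and hits >= 1) or hits == len(STRINGS)

# Constructed samples exercising each clause of the condition (not real Empire files).
SAMPLES = {
    "one_string_with_magic": b"function Invoke-Foo {\n" + STRINGS[1] + b"\n}\n",
    "both_strings_no_magic": b"# header\n" + STRINGS[0] + b"\n" + STRINGS[1] + b"\n",
    "one_string_no_magic":   b"# header\n" + STRINGS[0] + b"\n",
    "not_fullword":          b"function Invoke-Foo {\n" + STRINGS[1] + b"Backup\n}\n",
    "too_large":             b"function Invoke-Foo {\n" + STRINGS[0] + b"\n" + b"#" * (31 * 1024),
    "benign_function":       b"function Get-Widget { param($x) return $x }\n",
}

def evaluate_samples() -> dict:
    """Returns the verdict of the re-implemented rule for every constructed sample."""
    return {name: matches_rule(blob) for name, blob in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:24s} -> {'MATCH' if verdict else 'no match'}")
```

The "too_large" and "one_string_no_magic" cases show why a hunt that only greps for one of the two strings will not line up with the rule's hits: a single string only counts when the file also starts with "function" and stays under 30KB.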
Scenario: A system administrator is using PowerShell to perform a legitimate SMB enumeration task as part of network discovery or security assessment.
Filter/Exclusion: Check for the presence of a known security tool or script (e.g., PowerShell Empire or Metasploit) in the execution chain, or filter by user context (e.g., User = "Administrator", User = "SecurityTeam") and include a comment indicating it’s a legitimate admin task.
Scenario: A scheduled job is configured to run the Invoke-SMBAutoBrute.ps1 script as part of a compliance or audit process, such as checking for weak SMB credentials across the network.
Filter/Exclusion: Include a filter for EventID = 41 (scheduled task execution) and check for a known job name or path (e.g., C:\Windows\System32\Tasks\AuditSMBJob).
Scenario: A third-party security tool (e.g., OSSEC, Tripwire, or Microsoft Defender for Endpoint) is configured to run the Invoke-SMBAutoBrute.ps1 script as part of its vulnerability scanning or log analysis process.
Filter/Exclusion: Filter by the process parent or caller (e.g., ParentProcess = "ossec.exe", ParentProcess = "msdefender.exe") or include a comment indicating it’s a known security tool.
Scenario: A Windows Update or patching script includes a call to Invoke-SMBAutoBrute.ps1 as part of a pre-update check to validate SMB connectivity across the domain.
Filter/Exclusion: Filter by the script path (e.g., `ScriptPath = "C:\