The hypothesis is that the detection of the Empire component Invoke-SmbScanner.ps1 indicates potential adversary use of a PowerShell-based tool for network scanning, which may be part of an initial reconnaissance or lateral movement phase. A SOC team should proactively hunt for this behavior in Azure Sentinel to identify early-stage adversary activity and prevent further network compromise.
YARA Rule
rule Empire_Invoke_SmbScanner {
meta:
description = "Detects Empire component - file Invoke-SmbScanner.ps1"
author = "Florian Roth"
reference = "https://github.com/adaptivethreat/Empire"
date = "2016-11-05"
hash1 = "9a705f30766279d1e91273cfb1ce7156699177a109908e9a986cc2d38a7ab1dd"
strings:
$s1 = "$up = Test-Connection -count 1 -Quiet -ComputerName $Computer " fullword ascii
$s2 = "$out | add-member Noteproperty 'Password' $Password" fullword ascii
condition:
( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
}This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
Scenario: A system administrator is using PowerShell to perform a legitimate SMB file scan using a script named Invoke-SmbScanner.ps1 as part of a routine system health check.
Filter/Exclusion: Check for the presence of a known legitimate script path or use a regex to exclude scripts located in trusted directories like C:\Windows\System32\ or C:\Program Files\.
Scenario: A scheduled job runs a script named Invoke-SmbScanner.ps1 to scan network shares for outdated files, as part of a backup or compliance process.
Filter/Exclusion: Exclude processes initiated by the Task Scheduler or check for the presence of a known job name or user account associated with the scheduled task.
Scenario: A security tool such as OSSEC or Microsoft Defender for Endpoint uses a script named Invoke-SmbScanner.ps1 to perform network discovery or asset inventory.
Filter/Exclusion: Exclude processes initiated by known security tools or check for the presence of a specific process name or parent process associated with the security tool.
Scenario: A Windows Update or System Update process temporarily executes a script named Invoke-SmbScanner.ps1 to scan for updates across the network.
Filter/Exclusion: Exclude processes initiated by the Windows Update service or check for the presence of a specific service name like wuauserv.
Scenario: A DevOps pipeline or CI/CD tool (e.g., Jenkins, Azure DevOps) runs a script named Invoke-SmbScanner.ps1 to scan for code changes or artifacts in shared network folders.
Filter/Exclusion: Exclude processes initiated by known CI/CD tools or check for the presence of a specific user account or group associated with the DevOps environment