The hypothesis is that the presence of the Empire component file Invoke-SSHCommand.ps1 indicates potential adversary use of a known malicious PowerShell module for remote command execution. SOC teams should proactively hunt for this artifact in Azure Sentinel to identify and mitigate early-stage compromise attempts by advanced persistent threats leveraging PowerShell-based attack vectors.
YARA Rule
rule Empire_Invoke_SSHCommand {
   meta:
      description = "Detects Empire component - file Invoke-SSHCommand.ps1"
      author = "Florian Roth"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "cbaf086b14d5bb6a756cbda42943d4d7ef97f8277164ce1f7dd0a1843e9aa242"
   strings:
      $s1 = "$Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA" ascii
      $s2 = "Invoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command \"id\"" fullword ascii
      $s3 = "Write-Verbose \"[*] Error loading dll\"" fullword ascii
   condition:
      ( uint16(0) == 0x660a and filesize < 2000KB and 1 of them ) or all of them
}
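To make the rule's condition concrete, the following is a pure-Python re-implementation of its detection logic, added here as an example (it is not Florian Roth's code nor part of the Empire project). It assumes standard YARA semantics: uint16(0) reads the first two bytes little-endian, KB means 1024 bytes, and fullword means no alphanumeric byte on either side of the match. The three file bodies it evaluates are constructed, not real Empire files; they show that the file name alone never fires the rule, that one string plus the 0x660a header is enough, and that all three strings fire even when the header differs.

```python
import re
import struct
from typing import Dict, Optional

# The three string atoms copied from the Empire_Invoke_SSHCommand rule, as raw bytes.
# $s1 is a plain 'ascii' string; $s2 and $s3 carry the 'fullword' modifier.
RULE_STRINGS = {
    "s1": (b"$Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA", False),
    "s2": (b'Invoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command "id"', True),
    "s3": (b'Write-Verbose "[*] Error loading dll"', True),
}
MAGIC_UINT16 = 0x660A   # uint16(0): bytes 0x0a 0x66, i.e. a newline followed by 'f' (as in "\nfunction")
MAX_SIZE = 2000 * 1024  # filesize < 2000KB; YARA's KB is 1024 bytes


def uint16_le(data: bytes, offset: int = 0) -> Optional[int]:
    """YARA's uint16(offset): little-endian; undefined (None) past the end of the file."""
    if len(data) < offset + 2:
        return None
    return struct.unpack_from("<H", data, offset)[0]


def string_matches(data: bytes, needle: bytes, fullword: bool) -> bool:
    """Substring search with YARA's fullword rule: no alphanumeric byte on either side."""
    pattern = re.escape(needle)
    if fullword:
        pattern = rb"(?<![0-9A-Za-z])" + pattern + rb"(?![0-9A-Za-z])"
    return re.search(pattern, data) is not None


def evaluate_rule(data: bytes) -> Dict[str, object]:
    """Evaluate the rule's condition over one file body and report which strings fired."""
    matched = {name: string_matches(data, s, fw) for name, (s, fw) in RULE_STRINGS.items()}
    hits = sum(matched.values())
    header_ok = uint16_le(data) == MAGIC_UINT16 and len(data) < MAX_SIZE
    # ( uint16(0) == 0x660a and filesize < 2000KB and 1 of them ) or all of them
    triggered = (header_ok and hits >= 1) or hits == len(RULE_STRINGS)
    return {"matched": matched, "hits": hits, "header_ok": header_ok, "triggered": triggered}


# Constructed sample file bodies (not real Empire files).
# 1) Shaped like the Empire module: leading newline + 'function', and the rule's .EXAMPLE line.
SAMPLE_EMPIRE_LIKE = (
    b"\nfunction Invoke-SSHCommand {\n"
    b"<#\n.EXAMPLE\nInvoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command \"id\"\n#>\n"
    b"}\n"
)
# 2) A home-grown admin wrapper with the same file name but none of the rule's strings.
SAMPLE_ADMIN_WRAPPER = b"# Ops helper\nfunction Invoke-SSHCommand { param($ip, $cmd) ssh $ip $cmd }\n"
# 3) Same strings as Empire but different first two bytes: 'all of them' still fires.
SAMPLE_REHEADERED = (
    b"# renamed\n"
    b"$Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA'\n"
    b"Invoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command \"id\"\n"
    b"Write-Verbose \"[*] Error loading dll\"\n"
)

if __name__ == "__main__":
    for label, body in [("empire-like", SAMPLE_EMPIRE_LIKE),
                        ("admin-wrapper", SAMPLE_ADMIN_WRAPPER),
                        ("reheadered", SAMPLE_REHEADERED)]:
        print(label, evaluate_rule(body))
```

The admin-wrapper body shows why a hunt should key on the rule's strings or the hash rather than on the file name: a script that merely happens to be called Invoke-SSHCommand.ps1 returns no hits.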
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
Scenario: Legitimate PowerShell script used for remote management
Description: A system administrator uses the Invoke-SSHCommand.ps1 script as part of a legitimate remote management tool (e.g., PowerShell Remoting or a custom admin script).
Filter/Exclusion: Check for presence of known admin tools or scripts in a trusted directory (e.g., C:\Windows\System32\WindowsPowerShell\v1.0\), or use a filter like:
(ProcessName == "powershell.exe") and (ScriptBlockText contains "Invoke-SSHCommand.ps1") and (ProcessWorkingSetSize > 1024000)
Scenario: Scheduled job for system maintenance
Description: A scheduled task runs a script that includes Invoke-SSHCommand.ps1 as part of a system maintenance routine (e.g., patching, configuration sync).
Filter/Exclusion: Filter by the task name or user context:
(ProcessName == "schtasks.exe") or (User == "SYSTEM") or (TaskName contains "Maintenance")
Scenario: PowerShell script used for secure remote access
Description: A security team uses a custom script named Invoke-SSHCommand.ps1 to securely access remote systems via SSH (e.g., for incident response or forensic analysis).
Filter/Exclusion: Check for presence of security tools or user context:
(User == "Domain\Administrator") or (ProcessCommandLine contains "Invoke-SSHCommand.ps1 -Secure")
Scenario: Malware analysis or sandbox environment
Description: A security analyst is running a malware analysis tool that includes Invoke-SSHCommand.ps1 as part of a test environment.
Filter/Exclusion:
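The exclusions in the scenarios above are path- and account-based. The following added Python example (not from the page's author) models how to apply them to file events shaped like Microsoft Defender / Sentinel DeviceFileEvents rows, so that a trusted-directory exclusion matches on path components rather than string prefixes (a lookalike folder such as v1.0_evil is not trusted) and so that no exclusion ever suppresses the rule's known-bad hash. The column names FileName, FolderPath, SHA256 and InitiatingProcessAccountName come from that schema; the event values and the "ir-team" account are constructed placeholders.

```python
from pathlib import PureWindowsPath
from typing import Dict, List

# hash1 from the YARA rule: a known Empire Invoke-SSHCommand.ps1 sample.
KNOWN_BAD_SHA256 = {"cbaf086b14d5bb6a756cbda42943d4d7ef97f8277164ce1f7dd0a1843e9aa242"}
# Trusted script location named in the first scenario.
TRUSTED_SCRIPT_DIRS = [PureWindowsPath(r"C:\Windows\System32\WindowsPowerShell\v1.0")]
# Approved operator accounts: the page names Domain\Administrator; 'ir-team' is a placeholder.
APPROVED_ACCOUNTS = {r"domain\administrator", r"domain\ir-team"}
TARGET_FILENAME = "invoke-sshcommand.ps1"


def in_trusted_dir(folder_path: str) -> bool:
    """True only if folder_path is a trusted directory or lies below one.
    Comparing path components (not string prefixes) keeps '...\v1.0_evil' untrusted;
    PureWindowsPath compares case-insensitively like NTFS."""
    p = PureWindowsPath(folder_path)
    return any(p == d or d in p.parents for d in TRUSTED_SCRIPT_DIRS)


def triage(event: Dict[str, str]) -> str:
    """Classify one file event as 'alert', 'suppress' (covered by an exclusion) or 'ignore'."""
    if event.get("SHA256", "").lower() in KNOWN_BAD_SHA256:
        return "alert"  # a known-bad hash is never excluded, whatever the path or account
    if event.get("FileName", "").lower() != TARGET_FILENAME:
        return "ignore"
    account = event.get("InitiatingProcessAccountName", "").lower()
    if in_trusted_dir(event.get("FolderPath", "")) and account in APPROVED_ACCOUNTS:
        return "suppress"
    return "alert"


def triage_all(events: List[Dict[str, str]]) -> List[str]:
    """Apply triage() to a batch of events, preserving order."""
    return [triage(e) for e in events]


# Constructed events shaped like DeviceFileEvents rows (all values are made up).
SAMPLE_EVENTS = [
    {"FileName": "Invoke-SSHCommand.ps1",
     "FolderPath": r"C:\Windows\System32\WindowsPowerShell\v1.0",
     "SHA256": "0" * 64, "InitiatingProcessAccountName": r"DOMAIN\Administrator"},  # admin copy -> suppress
    {"FileName": "Invoke-SSHCommand.ps1",
     "FolderPath": r"C:\Windows\System32\WindowsPowerShell\v1.0_evil",
     "SHA256": "1" * 64, "InitiatingProcessAccountName": r"DOMAIN\Administrator"},  # lookalike dir -> alert
    {"FileName": "Invoke-SSHCommand.ps1",
     "FolderPath": r"C:\Windows\System32\WindowsPowerShell\v1.0",
     "SHA256": "cbaf086b14d5bb6a756cbda42943d4d7ef97f8277164ce1f7dd0a1843e9aa242",
     "InitiatingProcessAccountName": r"DOMAIN\Administrator"},                        # known hash -> alert
    {"FileName": "Invoke-SSHCommand.ps1",
     "FolderPath": r"C:\Users\jdoe\AppData\Local\Temp",
     "SHA256": "2" * 64, "InitiatingProcessAccountName": r"DOMAIN\jdoe"},             # untrusted -> alert
    {"FileName": "Get-Inventory.ps1", "FolderPath": r"C:\Scripts",
     "SHA256": "3" * 64, "InitiatingProcessAccountName": r"DOMAIN\jdoe"},             # other file -> ignore
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, triage_all(SAMPLE_EVENTS)):
        print(verdict, event["FolderPath"], event["InitiatingProcessAccountName"])
```

Ordering matters in triage(): the hash check runs before any exclusion so that a trusted path or an approved account can only suppress files whose content has not already been identified as the known sample.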