The detection of the KeePassConfig.ps1 file indicates potential adversary use of the Empire framework to exfiltrate or manipulate KeePass credentials. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage credential theft attempts and prevent lateral movement within the network.
YARA Rule
rule Empire_KeePassConfig {
    meta:
        description = "Detects Empire component - file KeePassConfig.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
    strings:
        $s1 = "$UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force | Select-Object -ExpandProperty FullName) )" fullword ascii
    condition:
        ( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them
}
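As an added example (not part of the rule above or of the Empire project), the following pure-Python evaluation of the rule's condition on constructed sample files shows how the uint16(0) header check and the string match combine, and also that, with only one string pattern, the "all of them" branch makes the header and size checks redundant.

```python
# Added example: re-implements the Empire_KeePassConfig YARA condition in plain
# Python so its semantics can be checked offline without yara-python.
# All sample blobs below are constructed here; none is a real Empire artifact.
import struct

# The single string pattern from the rule ($s1).
S1 = (b"$UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder"
      b" -Force | Select-Object -ExpandProperty FullName) )")
STRINGS = [S1]
MAX_SIZE = 80 * 1024  # YARA's "filesize < 80KB"


def uint16_le(data: bytes, offset: int) -> int:
    """YARA uint16(offset): little-endian 16-bit read; -1 if out of range
    (YARA treats the comparison as undefined, i.e. false, in that case)."""
    if len(data) < offset + 2:
        return -1
    return struct.unpack_from("<H", data, offset)[0]


def matches_empire_keepassconfig(data: bytes) -> bool:
    """( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them"""
    hits = sum(1 for s in STRINGS if s in data)
    # 0x7223 little-endian is the bytes 23 72 = "#r", the start of the
    # "#requires ..." line that opens many Empire/PowerSploit modules.
    header_ok = uint16_le(data, 0) == 0x7223
    branch_a = header_ok and len(data) < MAX_SIZE and hits >= 1
    branch_b = hits == len(STRINGS)  # "all of them"; equals "1 of them" here
    return branch_a or branch_b


# Constructed samples (not real files).
SAMPLE_WITH_HEADER = b"#requires -version 2\n" + S1 + b"\n"
SAMPLE_NO_HEADER = b"function Get-Keys {\n    " + S1 + b"\n}\n"
SAMPLE_BENIGN = b"#requires -version 2\n$Files = Get-ChildItem -Path $Folder\n"
SAMPLE_LARGE = b"#requires -version 2\n" + b"#" * (90 * 1024) + b"\n" + S1

if __name__ == "__main__":
    for name, blob in [("with_header", SAMPLE_WITH_HEADER),
                       ("no_header", SAMPLE_NO_HEADER),
                       ("benign", SAMPLE_BENIGN),
                       ("large", SAMPLE_LARGE)]:
        print(f"{name:12s} match={matches_empire_keepassconfig(blob)}")
```

Because the rule has a single string, SAMPLE_NO_HEADER and SAMPLE_LARGE still match through the "all of them" branch; the header and size constraints only matter once more strings are added.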
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: A system administrator is using PowerShell to automate password management with KeePass and the KeePassConfig.ps1 script as part of a scheduled job to update credentials.
Filter/Exclusion: Exclude processes initiated by the System account or Scheduled Tasks with a known name like UpdateKeePassCredentials.
Scenario: A DevOps pipeline runs a script that includes KeePassConfig.ps1 to securely retrieve credentials for deployment, using Azure DevOps or GitHub Actions.
Filter/Exclusion: Exclude processes originating from CI/CD pipelines with known job names or running under service accounts like devops-pipeline.
Scenario: An IT support tool such as Microsoft Endpoint Manager (MEM) or Microsoft Intune includes a script named KeePassConfig.ps1 to manage user credentials during onboarding.
Filter/Exclusion: Exclude processes associated with Microsoft Endpoint Manager or Intune by checking the parent process or using process name filters like msiexec.exe or intunewin.exe.
Scenario: A third-party security tool or SIEM integration uses KeePassConfig.ps1 to fetch credentials for logging or monitoring purposes.
Filter/Exclusion: Exclude processes from known security tools such as Splunk, ELK Stack, or Microsoft Sentinel by checking the process name or parent process.
Scenario: A system cleanup task runs a script that includes KeePassConfig.ps1 to remove outdated credentials, executed via Task Scheduler with a user account.
Filter/Exclusion: Exclude processes initiated by Task Scheduler with a specific task name or user account, such as `CleanupKee