The hypothesis is that an adversary is running the Empire framework's KeePassConfig.ps1 PowerShell module on an already compromised host to locate and parse KeePass configuration files (KeePass.config.xml) and so discover the password databases and key files a user relies on. This is credential access and collection, not initial access: the script only matters once the attacker can already execute PowerShell. SOC teams should proactively hunt for the script on disk and in PowerShell script block logs, and correlate hits in Azure Sentinel, to identify potential compromise of credentials stored in KeePass.
YARA Rule
rule Empire_KeePassConfig_Gen {
    meta:
        description = "Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        super_rule = 1
        hash2 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
    strings:
        $s1 = "$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)" fullword ascii
    condition:
        ( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains a single string pattern ($s1) in its detection logic. The first clause of the condition is narrow: uint16(0) == 0x7223 reads the first two bytes little-endian, so it requires the file to start with the bytes 0x23 0x72, ASCII "#r" (as in a "#requires" line), and the file to be under 80KB. The trailing "or all of them" undoes that narrowing, because with one string "all of them" is simply "$s1": any file of any size and any header that contains that exact line as a full word matches. Conversely, the rule keys on content, not on the file name, so a file called KeePassConfig.ps1 that lacks the line does not fire.
Scenario: A system administrator uses KeePass to manage passwords and maintains a legitimate script named KeePassConfig.ps1 for configuration purposes.
Filter/Exclusion: The rule matches on the $s1 content, not on the file name, so such a script only fires if it contains that exact line. Review any hit rather than excluding the KeePass installation directory or every file whose path or content mentions KeePass; if the script is legitimate, suppress it by its hash.
Scenario: A scheduled job runs a PowerShell script named KeePassConfig.ps1 as part of a Microsoft Intune or Microsoft Endpoint Manager configuration task.
Filter/Exclusion: Where the rule runs in a process-aware scanner (EDR, or over PowerShell script block logs), filter on the parent process or on the Microsoft or Intune service account that launched the job; a plain file scan has no process context, so verify the script's content and hash instead.
Scenario: A Windows Update or Group Policy deployment script uses a file named KeePassConfig.ps1 to configure password managers across the environment.
Filter/Exclusion: Exclude only scripts delivered from a verified source, such as the domain's SYSVOL Group Policy scripts share, and only after their content has been reviewed; filtering on the launching process alone (GroupPolicy or wuauclt) is weak, because the match is on content and an Empire copy launched from the same context still fires.
Scenario: A PowerShell module installed under the standard module paths ships a helper file named KeePassConfig.ps1 as part of its module structure.
Filter/Exclusion: Known module directories such as C:\Program Files\WindowsPowerShell\Modules can be excluded after review, but C:\Users\*\Documents\WindowsPowerShell\Modules is user-writable and a common drop location for attacker tooling, so prefer suppressing by hash over excluding that path wholesale.
Scenario: A third-party security tool such as Bitdefender or Kaspersky uses a script named KeePassConfig.ps1 as part of its configuration or remediation process.
Filter/Exclusion: Exclude files that carry a valid vendor Authenticode signature (check with Get-AuthenticodeSignature) or, in a process-aware scanner, that were executed by the security tool's own parent process.
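To make the condition's behaviour and the exclusion advice concrete, here is an added Python re-implementation of the rule's matching logic run over constructed sample files. This is example code written for this page, not Florian Roth's rule or the Empire project's code, and not a substitute for running the rule in YARA. The sample contents, file names and the hash allowlist are constructed for illustration; the sample that stands in for the Empire module only borrows the $s1 line from the rule.

```python
"""Added example: the matching logic of Empire_KeePassConfig_Gen re-implemented in plain
Python and run over constructed sample files. Not the rule author's code and not a
replacement for YARA; it exists to show what the condition does and does not check."""
import hashlib
import struct

# The rule's only string, $s1, byte-for-byte as written in the rule.
S1 = b"$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)"
MAX_SIZE = 80 * 1024  # filesize < 80KB


def header_matches(data: bytes) -> bool:
    """uint16(0) == 0x7223: YARA reads the first two bytes little-endian, so this is true
    only when the file starts with bytes 0x23 0x72, i.e. ASCII "#r" ("#requires ...")."""
    return len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x7223


def fullword_find(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': an occurrence counts only if it is not immediately preceded or
    followed by an alphanumeric character."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        end = i + len(needle)
        before_ok = i == 0 or not bytes([data[i - 1]]).isalnum()
        after_ok = end == len(data) or not bytes([data[end]]).isalnum()
        if before_ok and after_ok:
            return True
        start = i + 1


def evaluate(data: bytes) -> dict:
    """( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them.
    With a single string, 'all of them' is just '$s1', so the second clause makes the
    header and size checks redundant: any file containing $s1 as a full word matches."""
    has_s1 = fullword_find(data, S1)
    narrow = header_matches(data) and len(data) < MAX_SIZE and has_s1
    return {"match": narrow or has_s1, "narrow": narrow, "broad": has_s1}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(samples: dict, known_good_sha256: set) -> dict:
    """Suppress a hit only when the file's content hash is on a reviewed allowlist
    (a hypothetical allowlist, constructed for this example). Excluding by file name or
    directory would not help: the rule matches on content, so a legitimate-looking
    KeePassConfig.ps1 without $s1 never fires, while a copy of the Empire module dropped
    into an 'excluded' folder under any name still does."""
    report = {}
    for name, data in samples.items():
        r = evaluate(data)
        if not r["match"]:
            report[name] = "clean"
        elif sha256_hex(data) in known_good_sha256:
            report[name] = "suppressed: allowlisted hash"
        elif r["narrow"]:
            report[name] = "ALERT: #r header, <80KB, $s1 present"
        else:
            report[name] = "ALERT: $s1 present (matched via 'all of them')"
    return report


# Constructed sample contents (not real Empire code and not real admin scripts).
SAMPLES = {
    # Stand-in for the Empire module: '#requires' header, small, contains $s1.
    "empire_keepassconfig.ps1": (
        b"#requires -version 2\n"
        b"function Get-KeePassConfig {\n"
        b"    $KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)\n"
        b"}\n"
    ),
    # Same logic copied into a file with a different first line and extension:
    # the header check fails but 'all of them' still matches.
    "renamed_copy.txt": (
        b"# nothing to see here\n"
        b"$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)\n"
    ),
    # Admin script that merely shares the file name; it lacks $s1 and does not match.
    "KeePassConfig.ps1": (
        b"#requires -version 5\n"
        b"$cfg = [xml](Get-Content -Path $env:APPDATA\\KeePass\\KeePass.config.xml)\n"
    ),
    # $s1 followed directly by an alphanumeric: 'fullword' rejects the occurrence.
    "fullword_miss.ps1": (
        b"#requires -version 2\n"
        b"$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)2\n"
    ),
}

if __name__ == "__main__":
    allow = {sha256_hex(SAMPLES["empire_keepassconfig.ps1"])}  # pretend it was reviewed
    for name, verdict in triage(SAMPLES, allow).items():
        print(f"{name:28} {verdict}")
```

Running the block shows the two things a hunter needs to know before writing exclusions: the renamed copy with no "#r" header is still reported, because "all of them" ignores the header and size checks, and the benign KeePassConfig.ps1 is clean without any path-based exclusion, because it never contained $s1.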