Detects Empire component - file Out-Minidump.ps1

Hunt Hypothesis

The hypothesis is that the presence of the Out-Minidump.ps1 file indicates potential adversarial activity associated with the Empire framework, possibly used for exfiltration or persistence. SOC teams should proactively hunt for this file in Azure Sentinel to identify and mitigate early-stage compromise attempts by advanced threats.

YARA Rule

rule Empire_Out_Minidump {
   meta:
      description = "Detects Empire component - file Out-Minidump.ps1"
      author = "Florian Roth"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "7803ae7ba5d4e7d38e73745b3f321c2ca714f3141699d984322fa92e0ff037a1"
   strings:
      $s1 = "$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle," fullword ascii
      $s2 = "$ProcessFileName = \"$($ProcessName)_$($ProcessId).dmp\"" fullword ascii
   condition:
      ( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• https://github.com/adaptivethreat/Empire
• Source Rule

False Positive Guidance

• Scenario: PowerShell script used for legitimate system diagnostics
  Description: A system administrator uses Out-Minidump.ps1 as part of a routine system health check or troubleshooting process.
  Filter/Exclusion: Check for presence of System.Diagnostics.StackTrace or System.Diagnostics.Process in the script, or filter by user account (e.g., User = "Admin", User = "ServiceAccount").

• Scenario: Scheduled job for log analysis
  Description: A scheduled PowerShell job runs Out-Minidump.ps1 to analyze and archive log files, which involves creating minidumps for debugging purposes.
  Filter/Exclusion: Filter by job name (e.g., JobName = "LogAnalysisJob") or by script path (e.g., ScriptPath = "C:\Tools\LogAnalysis\Out-Minidump.ps1").

• Scenario: Use of Out-Minidump.ps1 by a legitimate security tool
  Description: A security tool (e.g., Microsoft’s Windows Defender ATP or third-party EDR) uses Out-Minidump.ps1 to collect forensic data from endpoints.
  Filter/Exclusion: Check for presence of known security tool paths or process names (e.g., ProcessName = "MsDefender.exe" or ProcessName = "EDRTool.exe").

• Scenario: Admin task for memory dump collection
  Description: An administrator uses Out-Minidump.ps1 to collect memory dumps from a service or application for debugging or analysis.
  Filter/Exclusion: Filter by command-line arguments (e.g., Argument = "-dump -service") or by process name (e.g., ProcessName = "MyService.exe").

• Scenario: PowerShell module import or script execution during system update
  *