The hypothesis is that the detected PowerShell scripts belong to Empire, a PowerShell post-exploitation framework (a tool used by red teams and by real intrusions, not an APT group in itself), and that their presence may indicate credential theft, lateral movement, or in-memory code execution. The modules named in the rule's description (Invoke-CredentialInjection, Invoke-DCSync, Invoke-Mimikatz, Invoke-PSInject and Invoke-ReflectivePEInjection) map directly onto those techniques. SOC teams should proactively hunt for these artifacts in Azure Sentinel to identify potential compromise and contain it before further exploitation.
YARA Rule
rule Empire_PowerShell_Framework_Gen1 {
   meta:
      description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
      author = "Florian Roth"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
      hash2 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
      hash3 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
      hash4 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
      hash5 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
   strings:
      $s1 = "Write-BytesToMemory -Bytes $Shellcode" ascii
      $s2 = "$GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)" fullword ascii
   condition:
      ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns ($s1 and $s2), both taken from the reflective-injection code that the listed Empire modules share. The condition fires in two ways: either both strings are present anywhere in the file, or one of them is present in a file smaller than 4000KB whose first two bytes are 0x66 0x75 ("fu"; uint16(0) reads them little-endian as 0x7566), i.e. a script that starts with the word "function". Because the strings are plain ASCII, the rule only catches scripts stored in clear text; Base64-encoded or otherwise obfuscated copies will not match on disk. For hunting in Sentinel, the same two strings can be searched in PowerShell script block logs (Event ID 4104), where the decoded script content is recorded even when the file on disk was encoded.
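The following is an added example, not code from the page or from the signature-base project: a pure-Python re-implementation of the rule's condition, so the interaction between the uint16(0) magic check, the size cap and the "1 of them / all of them" logic can be read and tested without a YARA engine. In production you would compile the rule with yara-python instead; the sample buffers below are constructed for illustration and are not real Empire files.

```python
# Added example: re-implements the matching logic of
# Empire_PowerShell_Framework_Gen1 in Python for explanation and testing.
# Not the page's or signature-base's own code; use yara-python for real scans.
import struct

# The two string patterns from the rule, byte-for-byte (both are 'ascii').
S1 = b"Write-BytesToMemory -Bytes $Shellcode"
S2 = b"$GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)"

MAX_SIZE = 4000 * 1024  # filesize < 4000KB (YARA's KB is 1024 bytes)


def _fullword(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': the match must not be bordered by alphanumeric bytes."""
    start = 0
    while True:
        i = data.find(needle, start)
        if i < 0:
            return False
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(needle):i + len(needle) + 1]
        if not (before.isalnum() or after.isalnum()):
            return True
        start = i + 1


def matches_empire_gen1(data: bytes) -> bool:
    """Return True when the rule's condition holds for the file content `data`."""
    hits = [S1 in data, _fullword(data, S2)]
    # uint16(0) reads the first two bytes little-endian; 0x7566 is 'f' (0x66)
    # followed by 'u' (0x75), i.e. a script whose first token is "function".
    starts_with_fu = len(data) >= 2 and struct.unpack_from("<H", data, 0)[0] == 0x7566
    if starts_with_fu and len(data) < MAX_SIZE and any(hits):
        return True
    # Fallback branch: both strings anywhere, regardless of header or size.
    return all(hits)


# Constructed samples (not real Empire files), one per branch of the condition.
SAMPLE_HIT = b"function Invoke-Example {\n    " + S1 + b"\n}\n"        # magic + one string
SAMPLE_NO_MAGIC = b"# comment first\n" + S1 + b"\n"                     # one string, no "fu" header
SAMPLE_BOTH = b"<# wrapped #>\n" + S1 + b"\n" + S2 + b"\n"              # both strings, no header
SAMPLE_TOO_BIG = SAMPLE_HIT + b"#" * (4000 * 1024)                      # magic + one string, over the cap


if __name__ == "__main__":
    for name, buf in [("SAMPLE_HIT", SAMPLE_HIT), ("SAMPLE_NO_MAGIC", SAMPLE_NO_MAGIC),
                      ("SAMPLE_BOTH", SAMPLE_BOTH), ("SAMPLE_TOO_BIG", SAMPLE_TOO_BIG)]:
        print(f"{name:16} -> {matches_empire_gen1(buf)}")
```

The second and fourth samples show the two ways a genuine Empire script can slip past the rule: one string in a file that does not begin with "function" (for example a module prefixed with a comment block), or a padded file over the size cap. Both are reasons to pair the on-disk rule with a script block log search.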
Scenario: Legitimate PowerShell script for credential injection in a DevOps pipeline
Description: A DevOps team uses Invoke-CredentialInjection.ps1 as part of a CI/CD pipeline to inject credentials into a build process. Note that this module creates logon sessions with supplied credentials by driving Mimikatz in-process, so a pipeline that genuinely relies on it is itself a finding worth raising with the team; treat the exclusion as temporary.
Filter/Exclusion: Exclude only the exact script path in a known DevOps tooling directory (e.g., C:\AzureDevOps\), ideally combined with a code-signing check. Do not exclude on the words DevOps or CI/CD appearing in the command line, since the launching party chooses those strings.
Scenario: Scheduled job using Invoke-DCSync.ps1 for domain synchronization
Description: An enterprise runs Invoke-DCSync.ps1 as a scheduled job during off-peak hours. Invoke-DCSync does not synchronize anything: it uses the directory replication protocol to request account password hashes from a domain controller, which is why it is classed as a credential-theft technique. The only defensible routine use is an authorized password-audit job, and that should be documented before any exclusion is created.
Filter/Exclusion: Suppress only when both conditions hold: the process runs under the documented audit service account and the execution falls inside the scheduled maintenance window. Alert on either condition failing. As a cross-check, hunt for Event ID 4662 replication-rights usage originating from hosts that are not domain controllers.
Scenario: Mimikatz usage for forensic analysis by security team
Description: A security analyst uses Invoke-Mimikatz.ps1 to extract credentials from memory as part of a forensic investigation.
Filter/Exclusion: Exclude processes initiated by the security team's service account (e.g., SecurityOps) only from approved analysis hosts, and tie the exclusion to an open investigation ticket. Do not exclude on the words Forensic or Investigation in the command line: security-team accounts are a preferred target for attackers precisely because such exclusions exist, and any keyword can be supplied by whoever launches the script.
Scenario: PSInject used for legitimate remote process injection for debugging
Description: A developer uses Invoke-PSInject.ps1 to inject a debugging script into a remote process for troubleshooting application behavior.
Filter/Exclusion: Exclude processes whose parent is a known development tool (e.g., Visual Studio or a debugger) on designated developer workstations. The words Debug or Test in the command line are attacker-controllable and should be kept as context for the analyst, not used as an exclusion.
Scenario: Reflective PE Injection used in a signed, enterprise-approved payload
Description: A red team or internal team uses `Invoke-
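The following is an added example, not code from the page: it applies the tuning approach from the scenarios above to constructed match records and returns a verdict with the reasons that produced it. Path and account allowlists, the maintenance window, the record field names and the sample records are all assumptions chosen for illustration. The design choice it demonstrates is that exclusions rest on facts the launching party cannot set (approved directory plus a signature, approved account plus a time window), while command-line keywords are carried only as context.

```python
# Added example (not the page's own code): triage logic for YARA hits on the
# Empire modules. Allowlists, field names and sample records are assumed.
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Tuple

# Assumed allowlists. Paths are compared case-insensitively by prefix.
ALLOWED_DIRS = ("C:\\AzureDevOps\\",)
ALLOWED_ACCOUNTS = {"CONTOSO\\svc-dirsync", "CONTOSO\\SecurityOps"}
MAINTENANCE_WINDOW = (time(1, 0), time(3, 0))  # assumed local window, 01:00-03:00


@dataclass
class Match:
    path: str                 # script path the YARA rule fired on
    account: str              # account the PowerShell process ran as
    command_line: str         # full command line, kept for context only
    when: datetime            # execution time (local)
    authenticode_signed: bool = False


def _under_allowed_dir(path: str) -> bool:
    p = path.casefold()
    return any(p.startswith(d.casefold()) for d in ALLOWED_DIRS)


def _in_maintenance_window(when: datetime) -> bool:
    start, end = MAINTENANCE_WINDOW
    return start <= when.time() < end


def triage(m: Match) -> Tuple[str, List[str]]:
    """Return ('suppress' | 'alert', reasons). Both exclusions need two
    independent facts so that a single spoofed attribute is not enough."""
    reasons: List[str] = []
    if _under_allowed_dir(m.path) and m.authenticode_signed:
        reasons.append("signed script in approved tooling directory")
    if m.account in ALLOWED_ACCOUNTS and _in_maintenance_window(m.when):
        reasons.append("approved account inside maintenance window")
    # Deliberately no check for "Debug", "Forensic", "DevOps" etc. in
    # m.command_line: whoever launched the script chose those words.
    return ("suppress" if reasons else "alert"), reasons


# Constructed sample records (not real telemetry).
M_PIPELINE = Match("C:\\AzureDevOps\\agent\\Invoke-CredentialInjection.ps1",
                   "CONTOSO\\svc-build", "powershell.exe -File Invoke-CredentialInjection.ps1",
                   datetime(2024, 1, 15, 14, 0), authenticode_signed=True)
M_UNSIGNED_IN_DIR = Match("C:\\AzureDevOps\\agent\\Invoke-CredentialInjection.ps1",
                          "CONTOSO\\svc-build", "powershell.exe -File Invoke-CredentialInjection.ps1",
                          datetime(2024, 1, 15, 14, 0), authenticode_signed=False)
M_DEBUG_KEYWORD = Match("C:\\Users\\Public\\Invoke-PSInject.ps1", "CONTOSO\\jdoe",
                        "powershell.exe -ep bypass -File Invoke-PSInject.ps1 -Debug",
                        datetime(2024, 1, 15, 11, 0))
M_DIRSYNC_IN_WINDOW = Match("C:\\Scripts\\Invoke-DCSync.ps1", "CONTOSO\\svc-dirsync",
                            "powershell.exe -File Invoke-DCSync.ps1", datetime(2024, 1, 15, 2, 0))
M_DIRSYNC_OFF_HOURS = Match("C:\\Scripts\\Invoke-DCSync.ps1", "CONTOSO\\svc-dirsync",
                            "powershell.exe -File Invoke-DCSync.ps1", datetime(2024, 1, 15, 14, 0))


if __name__ == "__main__":
    for name, rec in [("pipeline", M_PIPELINE), ("unsigned_in_dir", M_UNSIGNED_IN_DIR),
                      ("debug_keyword", M_DEBUG_KEYWORD), ("dirsync_in_window", M_DIRSYNC_IN_WINDOW),
                      ("dirsync_off_hours", M_DIRSYNC_OFF_HOURS)]:
        verdict, why = triage(rec)
        print(f"{name:18} -> {verdict:8} {why}")
```

The M_DEBUG_KEYWORD record is the case the scenarios above would have suppressed on the word Debug alone; here it still alerts because nothing about its path, signature, account or timing is approved.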