Adversaries use these Empire components to steal credentials (Invoke-Mimikatz, Invoke-DCSync), to run under stolen credentials (Invoke-CredentialInjection) and to inject code into other processes (Invoke-PSInject, Invoke-ReflectivePEInjection), all of which support lateral movement and follow-on actions inside the network. SOC teams should hunt for these scripts on disk and in PowerShell script-block logs and route the matches into their SIEM, for example Microsoft Sentinel (formerly Azure Sentinel), so that credential theft and lateral movement are caught while they are still in progress.
YARA Rule
rule Empire_PowerShell_Framework_Gen2 {
   meta:
      description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-CredentialInjection.ps1, Invoke-DCSync.ps1, Invoke-DCSync.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1, Invoke-ReflectivePEInjection.ps1"
      author = "Florian Roth"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
      hash3 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
      hash5 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
      hash6 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
      hash8 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
   strings:
      $x1 = "$DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)" fullword ascii
      $s20 = "#Shellcode: CallDllMain.asm" fullword ascii
   condition:
      // uint16(0) is read little-endian, so 0x7566 means the file begins with the ASCII bytes "fu" (the start of "function")
      ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
The rule carries two string patterns, not three. $x1 is the line that turns the located DllMain pointer into a callable delegate, the reflective-loading step these modules share; $s20 is the comment that names the CallDllMain shellcode. The condition has two branches: a file that begins with the two bytes "fu" (uint16(0) is read little-endian, so 0x7566 is the start of "function") and is smaller than 4000 KB matches on either string alone, and a file of any size or prefix matches when both strings are present. Because the first branch needs only one string, any script that embeds the same PowerSploit-derived reflective-loading code (Invoke-ReflectivePEInjection is listed among the sources) will also fire the rule, so a hit identifies the tooling, not the intent, and has to be triaged against who ran it, from where, and why. The rule can be run wherever file content is visible: on-disk scans with the yara CLI, EDR or mail-gateway file scanning, and memory or script-block content ingested into the SIEM.
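To see exactly what the condition accepts, the following pure-Python re-implementation of the rule's logic is added here as an example; it is not part of the original page or of the signature, and the sample files it scans are constructed. It mirrors YARA's little-endian uint16 read and its fullword semantics (the literal must be bounded by non-alphanumeric characters or by the edge of the data), and exercises both branches of the condition.

```python
import re

# The two literals from the rule above, copied verbatim.
X1 = ("$DllMain = [System.Runtime.InteropServices.Marshal]::"
      "GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)")
S20 = "#Shellcode: CallDllMain.asm"
MAX_SIZE = 4000 * 1024          # YARA's "filesize < 4000KB"
FU_PREFIX = 0x7566              # uint16(0) little-endian: bytes 0x66 0x75 == b"fu"


def fullword_ascii(literal: str, data: bytes) -> bool:
    """YARA 'fullword ascii': the literal must be bounded by non-alphanumeric
    characters (YARA's alnum set is [A-Za-z0-9]) or by the start/end of data."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(literal.encode("ascii")) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def empire_gen2_match(data: bytes) -> bool:
    """Evaluate: ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them."""
    hits = [fullword_ascii(X1, data), fullword_ascii(S20, data)]
    # uint16(0) is undefined on a file shorter than two bytes, which makes the
    # comparison false in YARA; model that explicitly.
    starts_fu = len(data) >= 2 and int.from_bytes(data[:2], "little") == FU_PREFIX
    gated_branch = starts_fu and len(data) < MAX_SIZE and any(hits)
    return gated_branch or all(hits)


# Constructed samples (not real Empire files) that exercise each branch.
SAMPLES = {
    # starts with "function", one literal present -> gated branch fires
    "function_with_x1": b"function Invoke-Sample {\n    " + X1.encode() + b"\n}\n",
    # same literal, but the file starts with a comment and has only one string -> no match
    "comment_with_x1": b"# harness\n" + X1.encode() + b"\n",
    # no "fu" prefix, but both literals -> 'all of them' branch fires
    "comment_with_both": b"# harness\n" + X1.encode() + b"\n" + S20.encode() + b"\n",
    # literal glued to an alphanumeric character -> fullword rejects it
    "fullword_violation": b"function f {\n$z = 'x" + S20.encode() + b"'\n}\n",
    # ordinary script with neither literal
    "benign": b"function Get-Thing { Get-Process }\n",
}


def scan_samples() -> dict:
    """Map each constructed sample to whether the rule logic matches it."""
    return {name: empire_gen2_match(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, matched in scan_samples().items():
        print(f"{name:20s} {'MATCH' if matched else 'no match'}")
```

The "comment_with_x1" sample is the case to remember when tuning: the reflective-loading line on its own is not enough unless the file also starts with "function", which is why a wrapper that prepends a comment or a signature block to a stolen module can slip past the first branch while still carrying the payload.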
None of the scripts this rule names has a routine administrative purpose; they are offensive tooling, and the only legitimate contexts are authorized security work and the tool repositories that support it. Treat every match as a finding unless it is pinned to one of the following, and record for each exclusion who approved it and when it expires.
Scenario: A documented internal automation runs Invoke-PSInject.ps1 from a scheduled task to inject a PowerShell payload into another process. This is process injection, not patching, and is rare even in bespoke tooling.
Filter/Exclusion: Pin the exclusion to the SHA-256 of the reviewed script, the scheduled task name and the service account that runs it, and verify the process origin. A directory such as C:\PatchTools\ is not sufficient on its own, because anyone who can write there can replace the script.
Scenario: Invoke-CredentialInjection.ps1 creates a new logon session from supplied plaintext credentials (the same effect as runas /netonly) so that later actions run under them. It does not transfer credentials securely and has no role in a configuration sync.
Filter/Exclusion: Do not exclude on path or on the user's privilege level; both are exactly what an attacker who has already obtained local admin controls. Exclude only for an authorized penetration test or red-team engagement, scoped to the tester's hosts and accounts and to the engagement window, and keep the events logged rather than dropped.
Scenario: Invoke-DCSync.ps1 asks a domain controller to replicate account secrets over the directory replication interface. Microsoft Defender for Identity does not run this script; it detects DCSync by observing replication requests that come from hosts other than domain controllers. Legitimate replication callers are domain controllers and directory synchronization services, and none of them involve this file.
Filter/Exclusion: Treat any copy found outside a security team's tooling repository as a finding. For the repository itself, exclude by pinned hash and host name, and alert on execution of the script anywhere, including from the repository.
Scenario: An authorized security validation (a purple-team exercise or a detection test) runs Invoke-Mimikatz.ps1 on a lab host. A production DevOps pipeline has no reason to extract credentials, and a shared build agent holds pipeline secrets that such a test would expose.
Filter/Exclusion: Exclude only for the isolated test hosts named in the approved test plan, by pinned script hash and test window, and require the test to be announced to the SOC in advance so that the hits can be reconciled against it.
Scenario: A security team's local clone of the Empire or PowerSploit repositories (Invoke-Mimikatz and Invoke-ReflectivePEInjection are also part of PowerSploit) trips the rule during a scheduled disk scan of analyst workstations.
Filter/Exclusion: Exclude the repository directory on the named analyst workstations only, and keep the rule active for script-block logging and for every other host; the same files appearing on a file share, a jump host or a production server is precisely what the rule exists to catch.
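The exclusions above all reduce to one check: is this particular copy of the script, run by this particular principal from this location, inside an approved window? The Python below, added here as an example and not part of the original page or of the Empire project, implements that triage with a hash-pinned allowlist and shows why a directory-only exclusion fails. The approved script content, the allowlist entry, the user names, paths and dates are all constructed for the example.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed stand-in for the copy of the script that a human actually reviewed.
# In practice the hash comes from that reviewed file, never from whatever happens
# to be on the host at alert time.
APPROVED_SCRIPT = b"function Invoke-PSInject { <# reviewed internal build (hypothetical) #> }\n"
APPROVED_SHA256 = hashlib.sha256(APPROVED_SCRIPT).hexdigest()

# Hypothetical allowlist. The key is the script's SHA-256; the entry records
# where it may run from, who may run it and when the approval lapses.
ALLOWLIST = {
    APPROVED_SHA256: {
        "label": "patch automation, documented change record (hypothetical)",
        "paths": ("C:\\PatchTools\\",),
        "users": ("CORP\\svc-patch",),
        "valid_until": datetime(2025, 1, 31, tzinfo=timezone.utc),
    },
}


@dataclass
class YaraHit:
    rule: str
    path: str
    sha256: str
    user: str
    observed: datetime


def triage(hit: YaraHit) -> tuple[str, str]:
    """Return ("suppress", why) only when every pinned attribute matches,
    otherwise ("escalate", why). The hash is checked first, so a modified
    script dropped into an approved directory never benefits from the path."""
    entry = ALLOWLIST.get(hit.sha256.lower())
    if entry is None:
        return "escalate", "script hash is not on the allowlist"
    if not any(hit.path.lower().startswith(p.lower()) for p in entry["paths"]):
        return "escalate", f"approved script ran from unexpected path {hit.path}"
    if hit.user not in entry["users"]:
        return "escalate", f"approved script ran as unapproved principal {hit.user}"
    if hit.observed > entry["valid_until"]:
        return "escalate", "allowlist entry has expired; renew the change record"
    return "suppress", entry["label"]


def sample_hits() -> dict[str, YaraHit]:
    """Constructed alerts: one legitimate run and four that only resemble it."""
    rule = "Empire_PowerShell_Framework_Gen2"
    path = "C:\\PatchTools\\Invoke-PSInject.ps1"
    # Same file name, same directory, one appended line: a different hash.
    tampered = hashlib.sha256(APPROVED_SCRIPT + b"# one appended line\n").hexdigest()
    when = datetime(2025, 1, 10, tzinfo=timezone.utc)
    return {
        "approved":   YaraHit(rule, path, APPROVED_SHA256, "CORP\\svc-patch", when),
        "tampered":   YaraHit(rule, path, tampered, "CORP\\svc-patch", when),
        "wrong_path": YaraHit(rule, "C:\\Users\\Public\\Invoke-PSInject.ps1",
                              APPROVED_SHA256, "CORP\\svc-patch", when),
        "wrong_user": YaraHit(rule, path, APPROVED_SHA256, "CORP\\jdoe", when),
        "expired":    YaraHit(rule, path, APPROVED_SHA256, "CORP\\svc-patch",
                              datetime(2025, 3, 1, tzinfo=timezone.utc)),
    }


if __name__ == "__main__":
    for name, hit in sample_hits().items():
        verdict, why = triage(hit)
        print(f"{name:11s} {verdict:9s} {why}")
```

The "tampered" case is the one a path-based exclusion gets wrong: the file sits in C:\PatchTools\ and runs as the approved service account, and only the content hash reveals that it is not the reviewed script. Suppressed hits should still be written to the SIEM with the allowlist label attached, so that a later investigation can see that the script ran and under which approval.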