The presence of Empire components like Invoke-CredentialInjection.ps1 or Invoke-Mimikatz.ps1 indicates potential credential theft or persistence mechanisms used by adversaries to maintain access within a network. SOC teams should proactively hunt for these artifacts in Azure Sentinel to identify and mitigate advanced persistent threats that leverage PowerShell-based Empire modules for lateral movement and privilege escalation.
YARA Rule
rule Empire_PowerShell_Framework_Gen3 {
   meta:
      description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
      author = "Florian Roth"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
      hash2 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
      hash3 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
      hash4 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
   strings:
      $s1 = "if (($PEInfo.FileType -ieq \"DLL\") -and ($RemoteProcHandle -eq [IntPtr]::Zero))" fullword ascii
      $s2 = "remote DLL injection" ascii
   condition:
      ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
This rule contains 2 string patterns in its detection logic. The following scenarios describe legitimate activity that may also trigger it when the rule is deployed, together with a suggested filter or exclusion for each:
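To make the condition concrete, here is an added plain-Python re-implementation of the rule's logic (not code from the rule's author or from the Empire project). It shows why uint16(0) == 0x7566 means "the file begins with the bytes fu, as in function", how the fullword modifier on $s1 behaves, and which branch of the condition each input satisfies; the sample inputs are constructed here and are not real Empire files.

```python
import re
import struct

# String patterns copied from the rule above ($s1 is "fullword ascii", $s2 plain "ascii").
S1 = b'if (($PEInfo.FileType -ieq "DLL") -and ($RemoteProcHandle -eq [IntPtr]::Zero))'
S2 = b"remote DLL injection"
MAX_FILESIZE = 4000 * 1024  # YARA's "4000KB" is 4000 * 1024 bytes

def _fullword(pattern: bytes, data: bytes) -> bool:
    # YARA "fullword": the match must not be adjacent to alphanumeric characters.
    return re.search(rb"(?<![A-Za-z0-9])" + re.escape(pattern) + rb"(?![A-Za-z0-9])", data) is not None

def uint16_at_0(data: bytes) -> int:
    # YARA's uint16(0) reads the two bytes at offset 0 as little-endian:
    # b"fu" is 0x66 0x75, which reads as 0x7566. Returns -1 for inputs shorter than 2 bytes.
    return struct.unpack_from("<H", data, 0)[0] if len(data) >= 2 else -1

def matches_empire_gen3(data: bytes) -> bool:
    """Re-implements: ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them"""
    hits = [_fullword(S1, data), S2 in data]
    prefix_branch = uint16_at_0(data) == 0x7566 and len(data) < MAX_FILESIZE and any(hits)
    return prefix_branch or all(hits)

# Constructed samples (hypothetical, not real Empire files); each exercises a different branch.
SAMPLES = {
    # begins with "function" and carries one pattern -> matches via the first branch
    "fu_prefix_one_string": b"function Invoke-Demo {\n  # performs remote DLL injection\n}\n",
    # one pattern present but the file does not start with "fu" -> no match
    "comment_prefix_one_string": b"# helper\nWrite-Host 'remote DLL injection'\n",
    # no "fu" prefix, but both patterns present -> matches via "all of them"
    "comment_prefix_both_strings": b"#\n" + S1 + b"\n" + S2 + b"\n",
    # "fu" prefix, but $s1 is glued to other word characters, so fullword fails -> no match
    "fu_prefix_not_fullword": b"function x {\nabc" + S1 + b"xyz\n}\n",
}

def scan_samples() -> dict:
    """Returns {sample name: True if the rule condition holds}."""
    return {name: matches_empire_gen3(data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:30} -> {'MATCH' if verdict else 'no match'}")
```

The fourth sample is the one worth noting when tuning: a file that starts with "function" still does not fire unless at least one pattern is present in the form the rule specifies.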
Scenario: Legitimate PowerShell script for credential injection used by IT for secure credential management.
Filter/Exclusion: Check for presence of known enterprise credential management tools (e.g., vault or Azure Key Vault) in the same process or parent process.
Scenario: Scheduled job running Invoke-Mimikatz.ps1 as part of a security assessment or penetration testing exercise.
Filter/Exclusion: Filter by process name or user context (e.g., RunAs or TestUser) and check for presence of a security assessment tool or lab environment.
Scenario: System administrators using Invoke-PSInject.ps1 to inject code into a remote PowerShell session for troubleshooting.
Filter/Exclusion: Exclude processes initiated from known admin tools (e.g., PowerShell_ISE, Remote Desktop Services) or check for presence of a legitimate remote management tool (e.g., PSRemoting).
Scenario: A legitimate security tool or SIEM integration using Invoke-ReflectivePEInjection.ps1 to load a custom module for analysis.
Filter/Exclusion: Check for presence of a known security tool (e.g., OSSEC, Splunk, ELK) or verify the module is signed by a trusted enterprise CA.
Scenario: A system update or patching process that includes a PowerShell script named Invoke-CredentialInjection.ps1 for automated credential handling.
Filter/Exclusion: Exclude processes initiated by known patching tools (e.g., SCCM, WSUS, Ansible) or check for presence of a patching framework.