The detection identifies potential Empire module usage through strings shared by three PowerShell scripts the framework bundles, Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1 and Invoke-ReflectivePEInjection.ps1, which implement credential injection and reflective (in-memory) code injection. SOC teams should proactively hunt for these artifacts to identify early-stage adversary activity before it turns into lateral movement or persistence. Because this is a file-content rule, it runs wherever files can be scanned with YARA (endpoints, file shares, mail and proxy sandboxes); Azure Sentinel does not evaluate YARA rules itself, so the scanner's hits are forwarded to Sentinel as events for correlation.
YARA Rule
rule Empire_PowerShell_Framework_Gen5 {
   meta:
      description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
      author = "Florian Roth"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
      hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
      hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
   strings:
      $s1 = "if ($ExeArgs -ne $null -and $ExeArgs -ne '')" fullword ascii
      $s2 = "$ExeArgs = \"ReflectiveExe $ExeArgs\"" fullword ascii
   condition:
      ( uint16(0) == 0x7566 and filesize < 1000KB and 1 of them ) or all of them
}
This rule contains two string patterns ($s1 and $s2) in its detection logic, both marked fullword and ascii, so they must be delimited by non-alphanumeric bytes and will not match UTF-16 encoded scripts. The condition has two branches: a file whose first two bytes are 0x66 0x75 ("fu", the start of the "function" keyword that opens these modules) and that is smaller than 1000 KB matches on either string; any file of any size matches when both strings are present. A leading comment, blank line or UTF-8 byte-order mark changes uint16(0) and therefore disables the first branch, which is worth remembering when tuning.
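As an added example (not code from the original page or from the signature-base project), the following Python emulates the rule's condition so both branches can be exercised offline without yara-python. The helper names, the constructed sample scripts and the BOM case are the example's own assumptions; the two strings and the 0x7566 / 1000KB thresholds are taken from the rule as printed above.

```python
# Added example, not part of the original page or of the signature-base
# project: a pure-Python emulation of the Empire_PowerShell_Framework_Gen5
# condition so both of its branches can be exercised offline, without
# yara-python. The sample scripts are constructed for illustration.
import re

# The two strings exactly as they appear in the rule ($s1, $s2).
S1 = b"if ($ExeArgs -ne $null -and $ExeArgs -ne '')"
S2 = b'$ExeArgs = "ReflectiveExe $ExeArgs"'
MAX_SIZE = 1000 * 1024  # filesize < 1000KB; YARA's KB multiplier is 1024


def fullword_match(data: bytes, needle: bytes) -> bool:
    """Emulate the 'fullword' modifier: the match must not be directly
    preceded or followed by an alphanumeric byte."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def uint16_le(data: bytes, offset: int = 0) -> int:
    """YARA's uint16(offset): little-endian 16-bit read. Returns -1 when the
    read is out of bounds, where YARA would evaluate the comparison as false."""
    if len(data) < offset + 2:
        return -1
    return int.from_bytes(data[offset:offset + 2], "little")


def rule_matches(data: bytes) -> bool:
    """( uint16(0) == 0x7566 and filesize < 1000KB and 1 of them ) or all of them"""
    hits = [fullword_match(data, S1), fullword_match(data, S2)]
    # 0x7566 little-endian is the bytes 'f','u': the file starts with "fu..."
    # (the "function" keyword that opens the Empire modules).
    starts_with_fu = uint16_le(data, 0) == 0x7566
    branch_a = starts_with_fu and len(data) < MAX_SIZE and any(hits)
    branch_b = all(hits)
    return branch_a or branch_b


# Constructed samples (not real Empire or PowerSploit files).
ONE_STRING = (
    b"function Invoke-Sample {\n"
    b"    if ($ExeArgs -ne $null -and $ExeArgs -ne '')\n"
    b"    {\n        Write-Output $ExeArgs\n    }\n}\n"
)
# Same content behind a UTF-8 BOM: uint16(0) is now 0xBBEF, so the first
# branch fails and a single string is no longer enough.
BOM_ONE_STRING = b"\xef\xbb\xbf" + ONE_STRING
# Leading comment, but both strings present: "all of them" still fires.
COMMENT_BOTH_STRINGS = (
    b"# helper\nfunction Invoke-Sample {\n"
    b"    if ($ExeArgs -ne $null -and $ExeArgs -ne '')\n"
    b'    {\n        $ExeArgs = "ReflectiveExe $ExeArgs"\n    }\n}\n'
)


def scan_samples() -> dict:
    """Run the emulated rule over the constructed samples."""
    return {
        "one_string": rule_matches(ONE_STRING),
        "bom_one_string": rule_matches(BOM_ONE_STRING),
        "comment_both_strings": rule_matches(COMMENT_BOTH_STRINGS),
    }


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

The BOM sample is the one to note: the same content that matched a moment earlier is missed once the first two bytes change, because the single-string branch is gated on uint16(0). Only a file carrying both strings is caught regardless of what it starts with.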
Scenario: Legitimate PowerShell script used for credential management in a DevOps pipeline
Filter/Exclusion: Check for "DevOps" or "CI/CD" in the script's file path or content and confirm the script sits in a known DevOps directory (e.g., C:\DevOps\scripts\). A path string is trivially spoofable (an attacker can drop Invoke-CredentialInjection.ps1 into the same directory), so pair the path check with the script's known-good hash or code-signing certificate.
Example Filter: file_path contains "DevOps" or file_path contains "CI/CD"
Scenario: Scheduled job running a PowerShell script for system maintenance
Filter/Exclusion: Verify the script belongs to a known maintenance task (e.g., System Maintenance, Disk Cleanup), is registered in Task Scheduler, and runs under a known user context. "Task Scheduler" is not a process name: tasks are launched by the Schedule service host (svchost.exe with the Schedule service, or taskeng.exe on older Windows versions), and schtasks.exe only registers or queries them, so filter on the task name or the launching parent process rather than on a literal "Task Scheduler".
Example Filter: (process_name contains "schtasks" or process_name contains "taskeng") and file_path contains "System Maintenance"
Scenario: Admin task using Invoke-PSInject to load a module for remote debugging
Filter/Exclusion: Confirm the script is part of a known remote debugging setup (e.g., Remote Debugging Tools, Visual Studio) and is executed by a trusted admin account. Keep this exclusion narrow: Invoke-PSInject injects PowerShell into another process, which is precisely the technique the rule exists to catch, and privileged accounts are the ones adversaries aim to compromise, so an account-based condition should never be the only one.
Example Filter: user_account contains "Domain\Admin" and file_path contains "Remote Debugging"
Scenario: PowerShell script used for legitimate PE injection during application deployment
Filter/Exclusion: Check for the presence of deployment tools (e.g., Chocolatey, NuGet, Docker) in the script's content or execution context. None of these tools performs reflective PE injection as part of normal operation, so a hit inside their directories is more likely a bundled third-party script than the tool itself; identify the actual file and its hash before excluding it.
Example Filter: file_path contains "Chocolatey" or file_path contains "NuGet" or file_path contains "Docker"
Scenario: Script used for code injection during testing or penetration testing
Filter/Exclusion: Ensure the script is part of a known testing framework (e.g., Metasploit, PowerSploit) and is executed in a controlled test environment. This is the most likely source of genuinely benign hits: Invoke-ReflectivePEInjection.ps1 originates in PowerSploit and Empire bundles it, so the rule's strings match the PowerSploit copy as well. Exclude by the hash of the approved tooling and by the engagement's hosts and time window rather than by name alone.
Example Filter:
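The page's example filters are written in a loose pseudo-query syntax, and "a or b and c" reads differently depending on the engine. As an added example (not the page's own code), the following Python encodes the scenarios above with explicit grouping, and then shows the hash-gated version the caveats call for. The field names follow the page's filters; the YaraHit record, the helper names, the hashes and the allowlist are constructed placeholders, not real detections.

```python
# Added example, not part of the original page: the exclusion scenarios above
# as code, in two versions. path_only_exclusion() encodes the page's example
# filters with explicit boolean grouping; hash_gated_exclusion() only honours
# a contextual filter when the file's SHA-256 is also on a reviewed allowlist.
# Field names follow the page's filters; records, hashes and the allowlist are
# constructed placeholders, not real detections.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class YaraHit:
    file_path: str      # path of the file that matched the rule
    process_name: str   # process that executed or wrote the file
    user_account: str   # account the process ran as
    sha256: str         # hash of the matched file (placeholder values below)


def has(value: str, *needles: str) -> bool:
    """Case-insensitive substring test: the 'contains' of the page's filters."""
    folded = value.casefold()
    return any(n.casefold() in folded for n in needles)


def path_only_exclusion(hit: YaraHit) -> Optional[str]:
    """The page's example filters, one per scenario, with the intended grouping
    made explicit. Returns the exclusion reason, or None to keep the alert."""
    if has(hit.file_path, "DevOps", "CI/CD"):
        return "devops-pipeline"
    if has(hit.process_name, "schtasks", "taskeng") and has(hit.file_path, "System Maintenance"):
        return "scheduled-maintenance"
    if has(hit.user_account, "Domain\\Admin") and has(hit.file_path, "Remote Debugging"):
        return "remote-debugging"
    if has(hit.file_path, "Chocolatey", "NuGet", "Docker"):
        return "deployment-tooling"
    return None


# Constructed allowlist: SHA-256 values of scripts a reviewer has inspected.
REVIEWED_SHA256 = {"1" * 64}


def hash_gated_exclusion(hit: YaraHit) -> Optional[str]:
    """Same contextual filters, but a hit is only suppressed when the file is a
    known-good copy. A fresh Empire module dropped into C:\\DevOps\\scripts\\ has
    an unreviewed hash and therefore stays visible."""
    reason = path_only_exclusion(hit)
    if reason is None or hit.sha256 not in REVIEWED_SHA256:
        return None
    return reason


# Constructed hits: a reviewed pipeline script, an unreviewed script planted in
# the same directory, and a download outside any excluded context.
HITS = [
    YaraHit(r"C:\DevOps\scripts\Set-PipelineCreds.ps1", "powershell.exe", r"CORP\svc_build", "1" * 64),
    YaraHit(r"C:\DevOps\scripts\Invoke-PSInject.ps1", "powershell.exe", r"CORP\svc_build", "2" * 64),
    YaraHit(r"C:\Users\jdoe\Downloads\update.ps1", "powershell.exe", r"CORP\jdoe", "3" * 64),
]


def triage(hits, policy) -> list:
    """Apply an exclusion policy and return the hits that still need a look."""
    return [h.file_path for h in hits if policy(h) is None]


if __name__ == "__main__":
    print("path-only keeps :", triage(HITS, path_only_exclusion))
    print("hash-gated keeps:", triage(HITS, hash_gated_exclusion))
```

With the path-only policy the planted Invoke-PSInject.ps1 disappears along with the real pipeline script; with the hash-gated policy only the reviewed copy is suppressed and the planted file remains in the queue. The same gating applies to the remaining scenarios: the contextual filter narrows the candidate set, the allowlist decides.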