Detects Empire component - from files PowerUp.ps1, PowerUp.ps1

Hunt Hypothesis

The hypothesis is that the detection of PowerUp.ps1 files may indicate the presence of an Empire component being used for initial access or privilege escalation. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential adversary activity early and prevent further compromise.

YARA Rule

rule Empire_PowerUp_Gen {
   meta:
      description = "Detects Empire component - from files PowerUp.ps1, PowerUp.ps1"
      author = "Florian Roth"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
   strings:
      $s1 = "$Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath" fullword ascii
      $s2 = "$Result = sc.exe pause $($TargetService.Name)" fullword ascii
   condition:
      ( uint16(0) == 0x233c and filesize < 2000KB and 1 of them ) or all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 4 string patterns in its detection logic.

References

• https://github.com/adaptivethreat/Empire
• Source Rule

False Positive Guidance

• Scenario: A system administrator is using PowerUp.ps1 as part of a PowerShell Security Assessment to identify weak local account permissions.
  Filter/Exclusion: Check for presence of PowerUp.ps1 in known security assessment directories (e.g., C:\SecurityAssessment\), or filter by user context (e.g., User = "SecurityAdmin").

• Scenario: A scheduled job runs PowerUp.ps1 nightly to audit system permissions as part of a compliance check.
  Filter/Exclusion: Exclude events where the script is executed by a scheduled task with a known name (e.g., ComplianceAuditJob), or filter by execution time (e.g., ExecutionTime between 22:00 and 02:00).

• Scenario: An IT support tool (e.g., Microsoft Endpoint Manager or Intune) includes PowerUp.ps1 as part of a script used to gather system information for troubleshooting.
  Filter/Exclusion: Filter by process name (e.g., msiexec.exe, setup.exe) or by the presence of a known support tool directory (e.g., C:\SupportTools\).

• Scenario: A third-party security tool (e.g., CrowdStrike, SentinelOne) includes PowerUp.ps1 as part of its own detection or remediation scripts.
  Filter/Exclusion: Check for the presence of known security tool directories (e.g., C:\Program Files\CrowdStrike\) or filter by process parent (e.g., ProcessParent = "CrowdStrike.exe").

• Scenario: A Windows Update or patching script uses PowerUp.ps1 to verify system permissions before applying patches.
  Filter/Exclusion: