The detection of the ReflectivePick_x64_orig.dll file indicates potential adversary use of the Empire framework for reflective loading of malicious payloads. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by advanced threat actors leveraging fileless execution techniques.
YARA Rule
rule Empire_ReflectivePick_x64_orig {
    meta:
        description = "Detects Empire component - file ReflectivePick_x64_orig.dll"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "a8c1b108a67e7fc09f81bd160c3bafb526caf3dbbaf008efb9a96f4151756ff2"
    strings:
        $s1 = "\\PowerShellRunner.pdb" fullword ascii
        $s2 = "PowerShellRunner.dll" fullword wide
        $s3 = "ReflectivePick_x64.dll" fullword ascii
    condition:
        ( uint16(0) == 0x5a4d and filesize < 400KB and 1 of them ) or all of them
}
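To make the condition concrete, here is an added example (not code from the original page, the Empire project or the rule's author) that re-implements the rule's logic in pure Python and runs it over constructed sample buffers, so the two branches of the condition and the effect of the fullword modifier can be walked through offline without a yara binding. The fullword handling is my reading of YARA's semantics (the byte before and after an ascii match, or the UTF-16LE code unit before and after a wide match, must not be alphanumeric); the sample buffers are constructed here and are not real Empire artifacts.

```python
"""Pure-Python walk-through of the Empire_ReflectivePick_x64_orig condition.

Added example, not the page's or the project's own code. The fullword rules
below are my reading of YARA's semantics; the SAMPLE_* buffers are constructed.
"""
import re

MAX_FILESIZE = 400 * 1024            # "filesize < 400KB" in the rule
ALNUM_ASCII = rb"[A-Za-z0-9]"        # what YARA's fullword check rejects next to an ascii match
ALNUM_WIDE = rb"[A-Za-z0-9]\x00"     # an alphanumeric UTF-16LE code unit, for wide matches


def fullword_ascii(data: bytes, needle: bytes) -> bool:
    """'fullword ascii': the literal bytes must not be adjacent to an alphanumeric byte."""
    pattern = rb"(?<!" + ALNUM_ASCII + rb")" + re.escape(needle) + rb"(?!" + ALNUM_ASCII + rb")"
    return re.search(pattern, data) is not None


def fullword_wide(data: bytes, needle: str) -> bool:
    """'fullword wide': the UTF-16LE encoding must not be adjacent to an alphanumeric code unit."""
    encoded = needle.encode("utf-16-le")
    pattern = rb"(?<!" + ALNUM_WIDE + rb")" + re.escape(encoded) + rb"(?!" + ALNUM_WIDE + rb")"
    return re.search(pattern, data) is not None


def evaluate_rule(data: bytes) -> dict:
    """Return per-string hits and the verdict of
    ( uint16(0) == 0x5a4d and filesize < 400KB and 1 of them ) or all of them."""
    hits = {
        "$s1": fullword_ascii(data, b"\\PowerShellRunner.pdb"),  # YARA "\\..." is one backslash
        "$s2": fullword_wide(data, "PowerShellRunner.dll"),
        "$s3": fullword_ascii(data, b"ReflectivePick_x64.dll"),
    }
    # uint16(0) reads two bytes little-endian, so 0x5a4d is the ASCII "MZ" DOS header magic
    mz_header = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D
    under_limit = len(data) < MAX_FILESIZE
    one_of_them = any(hits.values())
    all_of_them = all(hits.values())
    return {
        "hits": hits,
        "mz_header": mz_header,
        "under_400kb": under_limit,
        "match": (mz_header and under_limit and one_of_them) or all_of_them,
    }


# Constructed sample buffers (not real files): a zero pad stands in for PE headers.
PAD = b"\x00" * 64
WIDE_DLL = "PowerShellRunner.dll".encode("utf-16-le")

# Small "PE" carrying only $s3: the first branch needs just one string.
SAMPLE_PE_ONE_STRING = b"MZ" + PAD + b"\x00ReflectivePick_x64.dll\x00" + PAD
# Small "PE" carrying only the wide string $s2.
SAMPLE_PE_WIDE = b"MZ" + PAD + b"\x00\x00" + WIDE_DLL + b"\x00\x00"
# Same bytes as $s3 but glued to "My": fullword rejects the match, so no hit.
SAMPLE_FULLWORD_MISS = b"MZ" + PAD + b"MyReflectivePick_x64.dll\x00"
# No MZ header (e.g. a memory region), but all three strings: second branch fires.
SAMPLE_ALL_NO_MZ = (b"\x00\\PowerShellRunner.pdb\x00" + b"\x00\x00" + WIDE_DLL + b"\x00\x00"
                    + b"\x00ReflectivePick_x64.dll\x00")
# "PE" at or above 400KB with one string: size gate blocks the first branch.
SAMPLE_TOO_BIG = b"MZ" + b"\x00" * MAX_FILESIZE + b"\x00ReflectivePick_x64.dll\x00"


if __name__ == "__main__":
    for name in ("SAMPLE_PE_ONE_STRING", "SAMPLE_PE_WIDE", "SAMPLE_FULLWORD_MISS",
                 "SAMPLE_ALL_NO_MZ", "SAMPLE_TOO_BIG"):
        result = evaluate_rule(globals()[name])
        print(f"{name:22} match={result['match']!s:5} hits={result['hits']}")
```

The SAMPLE_FULLWORD_MISS case is the one worth keeping in mind when tuning: because every string is declared fullword, a renamed or prefixed copy of the name does not trigger the string, while a suffix such as ".bak" after the dll name still does, since "." is not alphanumeric.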
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns ($s1 to $s3) in its detection logic: a file that starts with the MZ header and is under 400 KB needs only one of them to match, while any other input needs all three.
Scenario: A legitimate system update or patching tool (e.g., Microsoft Update, Windows Server Update Services) deploys a file with a similar name due to naming conventions or versioning.
Filter/Exclusion: Check the file path and parent process. Exclude files located in known update directories like C:\Windows\Temp\ or C:\Windows\SoftwareDistribution\, and filter out processes from svchost.exe or wuauclt.exe.
Scenario: A security tool or endpoint protection software (e.g., CrowdStrike, Bitdefender) uses a file with a similar name during a signature update or integrity check.
Filter/Exclusion: Exclude files with known security tool signatures or located in directories like C:\Program Files\CrowdStrike\, C:\Program Files\Bitdefender\, or similar vendor-specific paths.
Scenario: A scheduled administrative task (e.g., schtasks.exe) runs a script or executable that temporarily creates a file with a similar name during a routine maintenance or configuration change.
Filter/Exclusion: Exclude files created by scheduled tasks running under SYSTEM or Administrator accounts, and filter based on the parent process being schtasks.exe or taskhost.exe.
Scenario: A legitimate software deployment tool (e.g., Microsoft System Center Configuration Manager, SCCM) deploys a file with a similar name as part of a package or application installation.
Filter/Exclusion: Exclude files located in deployment directories like C:\Windows\Temp\, C:\ProgramData\Microsoft\Windows\Temporary Internet Files\, or filter by parent process such as msiexec.exe or setup.exe.
Scenario: A developer or sysadmin manually copies or renames a file (e.g., ReflectivePick_x64_orig.dll) for testing or debugging
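As an added example (not part of the original page), the filter below applies the exclusion guidance from these scenarios to constructed alert records. The Alert fields, the exclusion names and the sample records are my own; the directories, parent processes and accounts come from the scenarios above. Because C:\Windows\Temp\ appears in two scenarios and is not written only by update and deployment services, a directory hit suppresses an alert only when that scenario's parent process (and, for scheduled tasks, the account) also matches, and the name of the exclusion that fired is recorded so suppressions can be audited. Paths are normalised with ntpath so the allowlist still holds with forward slashes, mixed case and ".." segments.

```python
"""Triage filter for Empire_ReflectivePick_x64_orig hits, built from the page's
false-positive scenarios. Added example, not the page's own code; Alert,
Exclusion and the SAMPLE_ALERTS records are constructed for illustration."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    path: str            # full path of the file that fired the rule
    parent_process: str  # image name of the process that created/loaded it
    user: str            # account the parent process ran as (DOMAIN\name form)


@dataclass(frozen=True)
class Exclusion:
    name: str
    dirs: tuple = ()                   # empty tuple means "any directory"
    parents: frozenset = frozenset()   # empty set means "any parent process"
    users: frozenset = frozenset()     # empty set means "any account"


def norm_path(p: str) -> str:
    """Collapse '..' and '.', turn '/' into '\\', lower-case: one canonical form per file."""
    return ntpath.normcase(ntpath.normpath(p))


def norm_dir(d: str) -> str:
    # normpath drops the trailing separator; add it back so "C:\Windows\Temp2" is not a prefix hit
    return norm_path(d) + "\\"


# One Exclusion per scenario on the page; all three fields must agree for it to apply.
EXCLUSIONS = (
    Exclusion("windows-update",
              dirs=("C:\\Windows\\Temp\\", "C:\\Windows\\SoftwareDistribution\\"),
              parents=frozenset({"svchost.exe", "wuauclt.exe"})),
    Exclusion("security-vendor",
              dirs=("C:\\Program Files\\CrowdStrike\\", "C:\\Program Files\\Bitdefender\\")),
    Exclusion("scheduled-task",
              parents=frozenset({"schtasks.exe", "taskhost.exe"}),
              users=frozenset({"system", "administrator"})),
    Exclusion("software-deployment",
              dirs=("C:\\Windows\\Temp\\",
                    "C:\\ProgramData\\Microsoft\\Windows\\Temporary Internet Files\\"),
              parents=frozenset({"msiexec.exe", "setup.exe"})),
)


def matches(alert: Alert, rule: Exclusion) -> bool:
    path = norm_path(alert.path)
    in_dir = not rule.dirs or any(path.startswith(norm_dir(d)) for d in rule.dirs)
    parent_ok = not rule.parents or alert.parent_process.lower() in rule.parents
    account = alert.user.lower().split("\\")[-1]          # strip the DOMAIN\ prefix
    user_ok = not rule.users or account in rule.users
    return in_dir and parent_ok and user_ok


def triage(alerts):
    """Return (alert, decision, reason) per alert; 'suppress' only when one exclusion fully applies."""
    results = []
    for alert in alerts:
        fired = next((r.name for r in EXCLUSIONS if matches(alert, r)), None)
        decision = "suppress" if fired else "escalate"
        results.append((alert, decision, fired or "no exclusion applies"))
    return results


# Constructed alert records (not real telemetry).
SAMPLE_ALERTS = (
    # Update service writing under SoftwareDistribution: scenario 1 applies.
    Alert("C:\\Windows\\SoftwareDistribution\\Download\\ReflectivePick_x64_orig.dll",
          "svchost.exe", "NT AUTHORITY\\SYSTEM"),
    # User temp directory from a PowerShell parent: nothing on the allowlist.
    Alert("C:\\Users\\jdoe\\AppData\\Local\\Temp\\ReflectivePick_x64_orig.dll",
          "powershell.exe", "CORP\\jdoe"),
    # Looks like Windows\Temp but '..' resolves to System32: normalisation defeats the trick.
    Alert("C:\\Windows\\Temp\\..\\System32\\ReflectivePick_x64_orig.dll",
          "svchost.exe", "NT AUTHORITY\\SYSTEM"),
    # Vendor directory with forward slashes and lower case: scenario 2 is path-only.
    Alert("c:/program files/crowdstrike/ReflectivePick_x64_orig.dll",
          "unknown.exe", "CORP\\svc-edr"),
    # Windows\Temp alone is not enough: the parent is not an update/deployment process.
    Alert("C:\\Windows\\Temp\\ReflectivePick_x64_orig.dll",
          "powershell.exe", "NT AUTHORITY\\SYSTEM"),
)


if __name__ == "__main__":
    for alert, decision, reason in triage(SAMPLE_ALERTS):
        print(f"{decision:9} {reason:22} {alert.parent_process:16} {alert.path}")
```

The third and fifth records are the ones to test any production version of this filter against: a path-only exclusion that compares raw strings would have suppressed both, whereas requiring the scenario's parent process and canonicalising the path leaves them for an analyst.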