The detection of the PowerUp.ps1 file indicates potential adversary use of Empire for initial access or privilege escalation. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage compromise attempts by advanced persistent threats.
YARA Rule
rule Empire__Users_neo_code_Workspace_Empire_4sigs_PowerUp {
    meta:
        description = "Detects Empire component - file PowerUp.ps1"
        author = "Florian Roth"
        reference = "https://github.com/adaptivethreat/Empire"
        date = "2016-11-05"
        hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
    strings:
        $x2 = "$PoolPasswordCmd = 'c:\\windows\\system32\\inetsrv\\appcmd.exe list apppool" fullword ascii
    condition:
        ( uint16(0) == 0x233c and filesize < 2000KB and 1 of them ) or all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 2 string patterns in its detection logic.
Scenario: A system administrator is using PowerUp.ps1 as part of a PowerShell Security Assessment to identify privilege escalation opportunities.
Filter/Exclusion: Check for the presence of a known security tool or script in the execution path, such as C:\SecurityTools\PowerUp.ps1, or filter by the user account (e.g., User = "SecurityAdmin").
Scenario: A scheduled job runs PowerUp.ps1 nightly to audit user permissions and ensure compliance with internal policies.
Filter/Exclusion: Filter by the job name or path, such as C:\Windows\Tasks\PowerUpAudit.job, or check the execution context against a known job scheduler (e.g., schtasks.exe).
Scenario: A third-party security tool (e.g., Microsoft Defender for Endpoint or CrowdStrike Falcon) includes PowerUp.ps1 as part of its detection or remediation process.
Filter/Exclusion: Check for the presence of a known security tool’s execution context or use a signature-based filter for the tool’s process name or parent process.
Scenario: A Windows Admin Center (WAC) or PowerShell ISE session is used by a privileged user to run PowerUp.ps1 for routine system hardening.
Filter/Exclusion: Filter by the process name (powershell.exe with PowerShell_ISE.exe as parent) or by the user’s role (e.g., User = "DomainAdmin").
Scenario: A Windows Update or patching script includes PowerUp.ps1 to verify system integrity post-patching.
Filter/Exclusion: Filter by the script path (e.g., C:\Windows\PatchVerification\PowerUp.ps1) or by the presence of a
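The following Python, added here and not part of the original rule or the Empire project, re-implements the rule's visible condition (the little-endian uint16 header check for "<#", the size bound and the fullword string match) and then applies the scenario filters above as an allow-list for triage. The sample file contents, the event fields and the allow-list values are constructed placeholders taken from the page's own examples.

```python
"""Evaluate the PowerUp.ps1 rule condition in plain Python and apply the page's
exclusion scenarios as a triage allow-list (added example; samples constructed)."""
from dataclasses import dataclass

# The one string visible in the rule ($x2). YARA source doubles backslashes,
# so the bytes actually searched contain single backslashes.
X2 = rb"$PoolPasswordCmd = 'c:\windows\system32\inetsrv\appcmd.exe list apppool"
MAX_SIZE = 2000 * 1024  # filesize < 2000KB

def fullword_match(data: bytes, needle: bytes) -> bool:
    """YARA 'fullword': a hit must not be bordered by alphanumeric bytes."""
    start = 0
    while (idx := data.find(needle, start)) != -1:
        before = data[idx - 1:idx] if idx > 0 else b""
        after = data[idx + len(needle):idx + len(needle) + 1]
        if not (before.isalnum() or after.isalnum()):
            return True
        start = idx + 1
    return False

def rule_matches(data: bytes) -> bool:
    """(uint16(0) == 0x233c and filesize < 2000KB and 1 of them) or all of them.
    uint16 is little-endian, so 0x233c means the file starts with b'<#'. With a
    single string, '1 of them' equals 'all of them', so the string alone decides."""
    hits = [fullword_match(data, X2)]
    header_ok = data[:2] == b"<#" and len(data) < MAX_SIZE
    return (header_ok and any(hits)) or all(hits)

@dataclass
class FileEvent:
    path: str
    user: str
    parent: str

# Allow-list built from the page's scenario filters (placeholder values).
KNOWN_PATHS = {r"C:\SecurityTools\PowerUp.ps1", r"C:\Windows\PatchVerification\PowerUp.ps1"}
KNOWN_USERS = {"SecurityAdmin", "DomainAdmin"}
KNOWN_PARENTS = {"PowerShell_ISE.exe"}

def needs_escalation(data: bytes, ev: FileEvent) -> bool:
    """True when the rule fires and no scenario exclusion explains the hit."""
    if not rule_matches(data):
        return False
    return not (ev.path in KNOWN_PATHS or ev.user in KNOWN_USERS
                or ev.parent in KNOWN_PARENTS)

# Constructed samples: one carrying the $x2 string, one benign comment block.
SAMPLE_HIT = b"<#\n.SYNOPSIS\n#>\n" + X2 + b" /text:*'\n"
SAMPLE_BENIGN = b"<#\nGet-Process | Out-Null\n#>\n"
```

Note that a file lacking the "<#" header still matches whenever the string is present, because the rule's "or all of them" branch ignores the header and size checks.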