YARA

YARA rules for Empire

YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

YARA rules

Empire_Invoke_BypassUAC
Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1
author Florian Roth (Nextron Systems) license see source repo
// Source-level signature for Empire's Invoke-BypassUAC.ps1: four literal script
// lines, at least three of which must appear in a file under 1200KB. There is no
// header check, so the file type is not constrained.
rule Empire_Invoke_BypassUAC {
	meta:
		description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://github.com/PowerShellEmpire/Empire"
		date = "2015-08-06"
		score = 70
		hash = "ab0f900a6915b7497313977871a64c3658f3e6f73f11b03d2d33ca61305dc6a8"
		id = "8454d929-e184-5be1-b61f-4dfa8f44bdda"
	strings:
		// Each string is a whole source line; fullword prevents sub-token matches.
		$s1 = "$WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory" fullword ascii 
		$s2 = "$proc = Start-Process -WindowStyle Hidden notepad.exe -PassThru" fullword ascii 
		$s3 = "$Payload = Invoke-PatchDll -DllBytes $Payload -FindString \"ExitThread\" -ReplaceString \"ExitProcess\"" fullword ascii 
		$s4 = "$temp = [System.Text.Encoding]::UNICODE.GetBytes($szTempDllPath)" fullword ascii 
	condition:
		// 3-of-4 means no single fragment (e.g. the Get-ProcAddress line in $s1) triggers alone.
		filesize < 1200KB and 3 of them
}
Empire_lib_modules_trollsploit_message
Empire - a pure PowerShell post-exploitation agent - file message.py
author Florian Roth (Nextron Systems) license see source repo
// Signature for the Python module source of Empire's trollsploit "message" module.
// $s1/$s2 are Python option-handling lines, $s3/$s4 are the embedded PowerShell
// fake-error dialog text. Three of the four must be present in a file under 10KB.
rule Empire_lib_modules_trollsploit_message {
	meta:
		description = "Empire - a pure PowerShell post-exploitation agent - file message.py"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://github.com/PowerShellEmpire/Empire"
		date = "2015-08-06"
		score = 70
		hash = "71f2258177eb16eafabb110a9333faab30edacf67cb019d5eab3c12d095655d5"
		id = "cb0eee5a-c236-512e-8256-7411a7fb1fd5"
	strings:
		// Heavy escaping: these are Python string literals that themselves build PowerShell.
		$s1 = "script += \" -\" + str(option) + \" \\\"\" + str(values['Value'].strip(\"\\\"\")) + \"\\\"\"" fullword ascii 
		$s2 = "if option.lower() != \"agent\" and option.lower() != \"computername\":" fullword ascii 
		$s3 = "[String] $Title = 'ERROR - 0xA801B720'" fullword ascii 
		$s4 = "'Value'         :   'Lost contact with the Domain Controller.'" fullword ascii 
	condition:
		// Small size cap fits a module file; 3-of-4 tolerates one edited line.
		filesize < 10KB and 3 of them
}
Empire_Persistence
Empire - a pure PowerShell post-exploitation agent - file Persistence.psm1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Persistence.psm1. Any ONE of the three strings in a file
// under 108KB is enough, and $s1 is a help-text usage example while $s2 is a source
// comment, so copies of the module's documentation alone will also match.
rule Empire_Persistence {
	meta:
		description = "Empire - a pure PowerShell post-exploitation agent - file Persistence.psm1"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://github.com/PowerShellEmpire/Empire"
		date = "2015-08-06"
		score = 70
		hash = "ae8875f7fcb8b4de5cf9721a9f5a9f7782f7c436c86422060ecdc5181e31092f"
		id = "0f63b5f4-f933-5821-b0b0-50717e75f6d9"
	strings:
		// $s1 is truncated mid-flag ("-V") and therefore deliberately not fullword.
		$s1 = "C:\\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -V" ascii 
		$s2 = "# Execute the following to remove the user-level persistent payload" fullword ascii 
		$s3 = "$PersistantScript = $PersistantScript.ToString().Replace('EXECUTEFUNCTION', \"$PersistenceScriptName -Persist\")" fullword ascii 
	condition:
		filesize < 108KB and 1 of them
}
Empire_portscan
Empire - a pure PowerShell post-exploitation agent - file portscan.py
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's portscan.py module wrapper: both Python lines that build
// the Invoke-PortScan command string must be present in a file under 14KB.
rule Empire_portscan {
	meta:
		description = "Empire - a pure PowerShell post-exploitation agent - file portscan.py"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://github.com/PowerShellEmpire/Empire"
		date = "2015-08-06"
		score = 70
		hash = "b355efa1e7b3681b1402e22c58ce968795ef245fd08a0afb948d45c173e60b97"
		id = "23a0f769-9155-5aa0-9200-2baf827bdda4"
	strings:
		$s1 = "script += \"Invoke-PortScan -noProgressMeter -f\"" fullword ascii 
		// Truncated at "Out-Str", so not fullword.
		$s2 = "script += \" | ? {$_.alive}| Select-Object HostName,@{name='OpenPorts';expression={$_.openPorts -join ','}} | ft -wrap | Out-Str" ascii 
	condition:
		// Requiring both strings keeps a lone Invoke-PortScan mention from matching.
		filesize < 14KB and all of them
}
Empire_Invoke_Shellcode
Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Invoke-Shellcode.ps1. One of three strings in a file under
// 100KB suffices; $s1 is a help-text usage example, $s2 a status message, and $s3 the
// VirtualAllocEx call whose own trailing comment spells out the RWX allocation.
rule Empire_Invoke_Shellcode {
	meta:
		description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://github.com/PowerShellEmpire/Empire"
		date = "2015-08-06"
		score = 70
		hash = "fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438"
		id = "41788f71-cc99-50b3-bdc7-17b132ab2767"
	strings:
		// $s1 is cut at "-Verbos" and so is not fullword.
		$s1 = "C:\\PS> Invoke-Shellcode -ProcessId $Proc.Id -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 443 -Verbos" ascii 
		$s2 = "\"Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!\" ) )" fullword ascii 
		$s3 = "$RemoteMemAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX)" fullword ascii 
	condition:
		filesize < 100KB and 1 of them
}
Empire_Invoke_Mimikatz
Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's bundled Invoke-Mimikatz.ps1. Two of three strings in a file
// under 2500KB (the script carries a large embedded binary) are required.
rule Empire_Invoke_Mimikatz {
	meta:
		description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://github.com/PowerShellEmpire/Empire"
		date = "2015-08-06"
		score = 70
		hash = "c5481864b757837ecbc75997fa24978ffde3672b8a144a55478ba9a864a19466"
		id = "f7d6c1c4-2a24-54fd-b745-32d7894affc8"
	strings:
		// "TVqQAAMAAAAE…" is the base64 form of an MZ/DOS header, i.e. an embedded PE
		// assigned to $PEBytes64; prefix only, hence not fullword.
		$s1 = "$PEBytes64 = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwc" ascii 
		// Command-line patching helpers from the reflective loader.
		$s2 = "[System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false)" fullword ascii 
		$s3 = "Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp" fullword ascii 
	condition:
		filesize < 2500KB and 2 of them
}
Empire_lib_modules_credentials_mimikatz_pth
Empire - a pure PowerShell post-exploitation agent - file pth.py
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's pth.py (mimikatz pass-the-hash module wrapper). Both strings
// are required in a file under 12KB. Note $s0 is the same credential-store line used
// as $s1 in Empire_invoke_wmi; it is a generic Empire module idiom, which is why the
// rule also demands the sekurlsa::pth command builder in $s1.
rule Empire_lib_modules_credentials_mimikatz_pth {
	meta:
		description = "Empire - a pure PowerShell post-exploitation agent - file pth.py"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://github.com/PowerShellEmpire/Empire"
		date = "2015-08-06"
		score = 70
		hash = "6dee1cf931e02c5f3dc6889e879cc193325b39e18409dcdaf987b8bf7c459211"
		id = "f954b7e8-e820-5111-ba8d-a9b9779381b0"
	strings:
		$s0 = "(credID, credType, domainName, userName, password, host, sid, notes) = self.mainMenu.credentials.get_credentials(credID)[0]" fullword ascii 
		$s1 = "command = \"sekurlsa::pth /user:\"+self.options[\"user\"]['Value']" fullword ascii 
	condition:
		filesize < 12KB and all of them
}
Empire_Write_HijackDll
Empire - a pure PowerShell post-exploitation agent - file Write-HijackDll.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Write-HijackDll.ps1. Two of three strings in a file under
// 500KB: the Invoke-PatchDll call, the base64-embedded 32-bit DLL, and its decode line.
rule Empire_Write_HijackDll {
	meta:
		description = "Empire - a pure PowerShell post-exploitation agent - file Write-HijackDll.ps1"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://github.com/PowerShellEmpire/Empire"
		date = "2015-08-06"
		score = 70
		hash = "155fa7168e28f15bb34f67344f47234a866e2c63b3303422ff977540623c70bf"
		id = "6a80af21-fb01-5996-b14d-44ff55b7fb3e"
	strings:
		$s1 = "$DllBytes = Invoke-PatchDll -DllBytes $DllBytes -FindString \"debug.bat\" -ReplaceString $BatchPath" fullword ascii 
		// "TVqQAAMAAAAE…" is a base64-encoded MZ header; prefix match, not fullword.
		$s2 = "$DllBytes32 = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBw" ascii 
		$s3 = "[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)" fullword ascii 
	condition:
		// $s2 + $s3 alone would match any script embedding a base64 PE in $DllBytes32;
		// the 2-of-3 threshold still allows that pairing.
		filesize < 500KB and 2 of them
}
Empire_skeleton_key
Empire - a pure PowerShell post-exploitation agent - file skeleton_key.py
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's skeleton_key.py module wrapper (builds an Invoke-Mimikatz
// "misc::skeleton" command). Two of four strings in a file under 6KB.
rule Empire_skeleton_key {
	meta:
		description = "Empire - a pure PowerShell post-exploitation agent - file skeleton_key.py"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://github.com/PowerShellEmpire/Empire"
		date = "2015-08-06"
		score = 70
		hash = "3d02f16dcc38faaf5e97e4c5dbddf761f2816004775e6af8826cde9e29bb750f"
		id = "d508e09e-13e8-5866-bb5b-0d886f960bb5"
	strings:
		// Python source lines; the escaping reflects PowerShell quoted inside Python literals.
		$s1 = "script += \"Invoke-Mimikatz -Command '\\\"\" + command + \"\\\"';\"" fullword ascii 
		$s2 = "script += '\"Skeleton key implanted. Use password \\'mimikatz\\' for access.\"'" fullword ascii 
		$s3 = "command = \"misc::skeleton\"" fullword ascii 
		$s4 = "\"ONLY APPLICABLE ON DOMAIN CONTROLLERS!\")," fullword ascii 
	condition:
		filesize < 6KB and 2 of them
}
Empire_invoke_wmi
Empire - a pure PowerShell post-exploitation agent - file invoke_wmi.py
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's invoke_wmi.py module wrapper. Two of three strings in a file
// under 20KB. $s1 is the generic credential-tuple line also used by
// Empire_lib_modules_credentials_mimikatz_pth ($s0 there), so the 2-of-3 threshold
// relies on $s2/$s3 to tie the match to the WMI module.
rule Empire_invoke_wmi {
	meta:
		description = "Empire - a pure PowerShell post-exploitation agent - file invoke_wmi.py"
		license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
		author = "Florian Roth (Nextron Systems)"
		reference = "https://github.com/PowerShellEmpire/Empire"
		date = "2015-08-06"
		score = 70
		hash = "a914cb227f652734a91d3d39745ceeacaef7a8b5e89c1beedfd6d5f9b4615a1d"
		id = "1e1d1e71-6ea9-500a-b8b8-c48a64bc2b54"
	strings:
		$s1 = "(credID, credType, domainName, userName, password, host, sid, notes) = self.mainMenu.credentials.get_credentials(credID)[0]" fullword ascii 
		$s2 = "script += \";'Invoke-Wmi executed on \" +computerNames +\"'\"" fullword ascii 
		// Truncated at "System.Man", hence not fullword.
		$s3 = "script = \"$PSPassword = \\\"\"+password+\"\\\" | ConvertTo-SecureString -asPlainText -Force;$Credential = New-Object System.Man" ascii 
	condition:
		filesize < 20KB and 2 of them
}
Empire_Invoke_MetasploitPayload
Detects Empire component - file Invoke-MetasploitPayload.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Invoke-MetasploitPayload.ps1. Either one string in a small
// file that starts with the bytes "fu" (a script opening with "function"), or both
// strings anywhere regardless of size or header.
rule Empire_Invoke_MetasploitPayload {
   meta:
      description = "Detects Empire component - file Invoke-MetasploitPayload.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "a85ca27537ebeb79601b885b35ddff6431860b5852c6a664d32a321782808c54"
      id = "608c30b0-826a-55b1-afb8-756b476d6b55"
   strings:
      $s1 = "$ProcessInfo.Arguments=\"-nop -c $DownloadCradle\"" fullword ascii
      // Hard-coded 32-bit PowerShell path under syswow64.
      $s2 = "$PowershellExe=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'" fullword ascii
   condition:
      // uint16(0) is little-endian: 0x7566 == bytes 0x66 0x75 == "fu".
      ( uint16(0) == 0x7566 and filesize < 9KB and 1 of them ) or all of them
}
Empire_Exploit_Jenkins
Detects Empire component - file Exploit-Jenkins.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Exploit-Jenkins.ps1 (Jenkins /script console request
// builder). One of three strings in a file under 7KB beginning with " f", or all
// three anywhere.
rule Empire_Exploit_Jenkins {
   meta:
      description = "Detects Empire component - file Exploit-Jenkins.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "a5182cccd82bb9984b804b365e07baba78344108f225b94bd12a59081f680729"
      id = "f2162783-34cd-5db4-bd1c-6c58feb92e77"
   strings:
      // Partial line (ends inside the concatenation), so not fullword.
      $s1 = "$postdata=\"script=println+new+ProcessBuilder%28%27\"+$($Cmd)+\"" ascii
      $s2 = "$url = \"http://\"+$($Rhost)+\":\"+$($Port)+\"/script\"" fullword ascii
      $s3 = "$Cmd = [System.Web.HttpUtility]::UrlEncode($Cmd)" fullword ascii
   condition:
      // 0x6620 little-endian == bytes 0x20 0x66 == " f" (file starts with a space then "f").
      ( uint16(0) == 0x6620 and filesize < 7KB and 1 of them ) or all of them
}
Empire_Get_SecurityPackages
Detects Empire component - file Get-SecurityPackages.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Get-SecurityPackages.ps1 (SSPI package enumeration). One of
// two reflection-emit lines in a small "fu"-led file, or both anywhere.
rule Empire_Get_SecurityPackages {
   meta:
      description = "Detects Empire component - file Get-SecurityPackages.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "5d06e99121cff9b0fce74b71a137501452eebbcd1e901b26bde858313ee5a9c1"
      id = "a109eda1-a26d-5cf6-b6b5-1a1a1e770a0a"
   strings:
      $s1 = "$null = $EnumBuilder.DefineLiteral('LOGON', 0x2000)" fullword ascii
      $s2 = "$EnumBuilder = $ModuleBuilder.DefineEnum('SSPI.SECPKG_FLAG', 'Public', [Int32])" fullword ascii
   condition:
      // 0x7566 little-endian == "fu".
      ( uint16(0) == 0x7566 and filesize < 20KB and 1 of them ) or all of them
}
Empire_Invoke_PowerDump
Detects Empire component - file Invoke-PowerDump.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Invoke-PowerDump.ps1 (SAM hash dumping). One of three strings
// in a file under 60KB that starts with "# ", or all three anywhere. The $x16/$x19/$x20
// identifiers have gaps, which suggests a curated subset of a larger candidate set
// (not verifiable from the rule itself).
rule Empire_Invoke_PowerDump {
   meta:
      description = "Detects Empire component - file Invoke-PowerDump.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "095c5cf5c0c8a9f9b1083302e2ba1d4e112a410e186670f9b089081113f5e0e1"
      id = "d1082a4e-d458-57fb-b332-7c775c8ef2dd"
   strings:
      $x16 = "$enc = Get-PostHashdumpScript" fullword ascii
      $x19 = "$lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;" fullword ascii
      $x20 = "$rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);" fullword ascii
   condition:
      // 0x2023 little-endian == bytes 0x23 0x20 == "# " (a script opening with a comment).
      ( uint16(0) == 0x2023 and filesize < 60KB and 1 of them ) or all of them
}
Empire_Install_SSP
Detects Empire component - file Install-SSP.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Install-SSP.ps1. With a single string, "1 of them" and
// "all of them" are the same set, so the "or all of them" branch makes the header
// and filesize constraints irrelevant: the rule fires on $s1 alone, in any file.
rule Empire_Install_SSP {
   meta:
      description = "Detects Empire component - file Install-SSP.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "7fd921a23950334257dda57b99e03c1e1594d736aab2dbfe9583f99cd9b1d165"
      id = "06bbdcc5-c48b-5753-88a2-5c962d1b986f"
   strings:
      // Help-text usage example naming the mimilib SSP DLL.
      $s1 = "Install-SSP -Path .\\mimilib.dll" fullword ascii
   condition:
      // 0x7566 little-endian == "fu"; effectively reduces to $s1 (see header comment).
      ( uint16(0) == 0x7566 and filesize < 20KB and 1 of them ) or all of them
}
Empire_Invoke_ShellcodeMSIL
Detects Empire component - file Invoke-ShellcodeMSIL.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Invoke-ShellcodeMSIL.ps1. One of four strings in a file under
// 30KB starting with "fu", or all four anywhere. $s2/$s3 are PowerShell byte-array
// literals as written in the script, matched as text rather than as raw bytes.
rule Empire_Invoke_ShellcodeMSIL {
   meta:
      description = "Detects Empire component - file Invoke-ShellcodeMSIL.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "9a9c6c9eb67bde4a8ce2c0858e353e19627b17ee2a7215fa04a19010d3ef153f"
      id = "06011b51-bad7-5656-ac37-e49f9b6d0498"
   strings:
      // Short generic token; on its own it only matters inside the "fu"/size branch.
      $s1 = "$FinalShellcode.Length" fullword ascii
      $s2 = "@(0x60,0xE8,0x04,0,0,0,0x61,0x31,0xC0,0xC3)" fullword ascii
      $s3 = "@(0x41,0x54,0x41,0x55,0x41,0x56,0x41,0x57," fullword ascii
      $s4 = "$TargetMethod.Invoke($null, @(0x11112222)) | Out-Null" fullword ascii
   condition:
      // 0x7566 little-endian == "fu".
      ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}
HKTL_Empire_PowerUp
Detects Empire component - file PowerUp.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for PowerUp.ps1 as bundled with Empire. Single-string rule: because
// "1 of them" equals "all of them" here, the "or all of them" branch bypasses the
// header and filesize checks and the rule fires on $x2 alone. The same hash1 appears
// in Empire_PowerUp_Gen.
rule HKTL_Empire_PowerUp {
   meta:
      description = "Detects Empire component - file PowerUp.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
      id = "e79d093e-7481-52a3-a350-4d1b6d8955cd"
   strings:
      // appcmd.exe application-pool listing used by the IIS credential check.
      $x2 = "$PoolPasswordCmd = 'c:\\windows\\system32\\inetsrv\\appcmd.exe list apppool" fullword ascii
   condition:
      // 0x233c little-endian == bytes 0x3c 0x23 == "<#" (PowerShell block comment opener).
      ( uint16(0) == 0x233c and filesize < 2000KB and 1 of them ) or all of them
}
Empire_Invoke_Mimikatz_Gen
Detects Empire component - file Invoke-Mimikatz.ps1
author Florian Roth (Nextron Systems) license see source repo
// Generic signature for Invoke-Mimikatz.ps1 as shipped with Empire. One of two strings
// in a "fu"-led file under 4000KB, or both anywhere. $s1 is only the start of a
// base64-encoded MZ header ("TVqQAAMAAAAE…"), which is common to many PE files, so
// within the first branch other scripts that embed a base64 PE may also match.
rule Empire_Invoke_Mimikatz_Gen {
   meta:
      description = "Detects Empire component - file Invoke-Mimikatz.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
      id = "1f771a17-2534-5811-80bd-bc1bab37d97c"
   strings:
      $s1 = "= \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQ" ascii
      // Reflective-PE invocation line specific to Invoke-Mimikatz's argument list.
      $s2 = "Invoke-Command -ScriptBlock $RemoteScriptBlock -ArgumentList @($PEBytes64, $PEBytes32, \"Void\", 0, \"\", $ExeArgs)" fullword ascii
   condition:
      // 0x7566 little-endian == "fu".
      ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
Empire_Get_GPPPassword
Detects Empire component - file Get-GPPPassword.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Get-GPPPassword.ps1 (Group Policy Preferences cpassword
// recovery). One of three strings in a "fu"-led file under 30KB, or all three anywhere.
rule Empire_Get_GPPPassword {
   meta:
      description = "Detects Empire component - file Get-GPPPassword.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "55a4519c4f243148a971e4860225532a7ce730b3045bde3928303983ebcc38b0"
      id = "7791b009-19d3-5d08-8ef7-4723d28830ed"
   strings:
      $s1 = "$Base64Decoded = [Convert]::FromBase64String($Cpassword)" fullword ascii
      // SYSVOL enumeration line; ends before the rest of the pipeline, so not fullword.
      $s2 = "$XMlFiles += Get-ChildItem -Path \"\\\\$DomainController\\SYSVOL\" -Recurse" ascii
      $s3 = "function Get-DecryptedCpassword {" fullword ascii
   condition:
      // 0x7566 little-endian == "fu".
      ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}
Empire_Invoke_SmbScanner
Detects Empire component - file Invoke-SmbScanner.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Invoke-SmbScanner.ps1. One of two strings in a "fu"-led file
// under 10KB, or both anywhere. Note $s1 ends with a space inside the quotes; that
// trailing space is part of the pattern.
rule Empire_Invoke_SmbScanner {
   meta:
      description = "Detects Empire component - file Invoke-SmbScanner.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "9a705f30766279d1e91273cfb1ce7156699177a109908e9a986cc2d38a7ab1dd"
      id = "63cd048b-04fd-5b4f-9d4d-3a001c31b4df"
   strings:
      $s1 = "$up = Test-Connection -count 1 -Quiet -ComputerName $Computer " fullword ascii
      $s2 = "$out | add-member Noteproperty 'Password' $Password" fullword ascii
   condition:
      // 0x7566 little-endian == "fu".
      ( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
}
Empire_Exploit_JBoss
Detects Empire component - file Exploit-JBoss.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Exploit-JBoss.ps1 (jmx-console WAR deployment helper). One
// of five strings in a "fu"-led file under 10KB, or all five anywhere. $s1 is just the
// function name and $s4 an author blog URL, so in the first branch any small script
// that merely references "Exploit-JBoss" will match.
rule Empire_Exploit_JBoss {
   meta:
      description = "Detects Empire component - file Exploit-JBoss.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "9ea3e00b299e644551d90bbee0ce3e4e82445aa15dab7adb7fcc0b7f1fe4e653"
      id = "a9c75cf5-9469-5a45-b750-69728ed0069f"
   strings:
      $s1 = "Exploit-JBoss" fullword ascii
      $s2 = "$URL = \"http$($SSL)://\" + $($Rhost) + ':' + $($Port)" ascii
      $s3 = "\"/jmx-console/HtmlAdaptor?action=invokeOp&name=jboss.system:service" ascii
      $s4 = "http://blog.rvrsh3ll.net" fullword ascii
      $s5 = "Remote URL to your own WARFile to deploy." fullword ascii
   condition:
      // 0x7566 little-endian == "fu".
      ( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
}
Empire_dumpCredStore
Detects Empire component - file dumpCredStore.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's dumpCredStore.ps1 (Windows Credential Manager reader via
// embedded C#). One of three strings in a file under 40KB starting with "<#", or all
// three anywhere. The $x1/$s12/$s15 identifiers indicate a curated subset.
rule Empire_dumpCredStore {
   meta:
      description = "Detects Empire component - file dumpCredStore.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "c1e91a5f9cc23f3626326dab2dcdf4904e6f8a332e2bce8b9a0854b371c2b350"
      id = "cdb87ed4-fa90-5724-b37d-97cf8e4b8326"
   strings:
      // P/Invoke declaration for CredReadW; partial line, hence not fullword.
      $x1 = "[DllImport(\"Advapi32.dll\", SetLastError = true, EntryPoint = \"CredReadW\"" ascii
      $s12 = "[String] $Msg = \"Failed to enumerate credentials store for user '$Env:UserName'\"" fullword ascii
      $s15 = "Rtn = CredRead(\"Target\", CRED_TYPE.GENERIC, out Cred);" fullword ascii
   condition:
      // 0x233c little-endian == bytes 0x3c 0x23 == "<#" (PowerShell block comment opener).
      ( uint16(0) == 0x233c and filesize < 40KB and 1 of them ) or all of them
}
Empire_Invoke_EgressCheck
Detects Empire component - file Invoke-EgressCheck.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Invoke-EgressCheck.ps1. Single-string rule: "1 of them" and
// "all of them" coincide, so the "or all of them" branch sidesteps the "<#" header and
// 10KB size checks and the rule fires on $s1 alone.
rule Empire_Invoke_EgressCheck {
   meta:
      description = "Detects Empire component - file Invoke-EgressCheck.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "e2d270266abe03cfdac66e6fc0598c715e48d6d335adf09a9ed2626445636534"
      id = "21e09250-6853-5743-a6ef-aa6be8091d33"
   strings:
      $s1 = "egress -ip $ip -port $c -delay $delay -protocol $protocol" fullword ascii
   condition:
      // 0x233c little-endian == "<#"; effectively reduces to $s1 (see header comment).
      ( uint16(0) == 0x233c and filesize < 10KB and 1 of them ) or all of them
}
Empire_ReflectivePick_x64_orig
Detects Empire component - file ReflectivePick_x64_orig.dll
author Florian Roth (Nextron Systems) license see source repo
// Signature for the compiled ReflectivePick_x64_orig.dll. Unlike the script rules on
// this page it targets a PE (MZ header) under 400KB and requires BOTH the
// "ReflectivePick" marker ($s1) and one PowerShellRunner artefact ($a1 PDB path or
// $a2 wide DLL name). This rule carries a "modified" date and, unlike its siblings,
// no "license" meta entry.
rule Empire_ReflectivePick_x64_orig {
   meta:
      description = "Detects Empire component - file ReflectivePick_x64_orig.dll"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      modified = "2022-12-21"
      hash1 = "a8c1b108a67e7fc09f81bd160c3bafb526caf3dbbaf008efb9a96f4151756ff2"
      id = "cd69a149-d881-5f93-9647-84241bd96ba5"
   strings:
      // Debug-symbol path fragment (ascii) and the DLL name as UTF-16 (wide).
      $a1 = "\\PowerShellRunner.pdb" ascii
      $a2 = "PowerShellRunner.dll" fullword wide
      
      $s1 = "ReflectivePick" fullword ascii
   condition:
      // 0x5a4d little-endian == bytes 0x4d 0x5a == "MZ".
      uint16(0) == 0x5a4d and filesize < 400KB and 1 of ($a*) and $s1
}
Empire_Out_Minidump
Detects Empire component - file Out-Minidump.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Out-Minidump.ps1 (MiniDumpWriteDump wrapper). One of two
// strings in a "fu"-led file under 10KB, or both anywhere.
rule Empire_Out_Minidump {
   meta:
      description = "Detects Empire component - file Out-Minidump.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "7803ae7ba5d4e7d38e73745b3f321c2ca714f3141699d984322fa92e0ff037a1"
      id = "8c53d2ab-afc5-5d7b-97e1-496425b9664f"
   strings:
      $s1 = "$Result = $MiniDumpWriteDump.Invoke($null, @($ProcessHandle," fullword ascii
      // Output file naming pattern "<name>_<pid>.dmp".
      $s2 = "$ProcessFileName = \"$($ProcessName)_$($ProcessId).dmp\"" fullword ascii
   condition:
      // 0x7566 little-endian == "fu".
      ( uint16(0) == 0x7566 and filesize < 10KB and 1 of them ) or all of them
}
Empire_Invoke_PsExec
Detects Empire component - file Invoke-PsExec.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Invoke-PsExec.ps1. One of three strings in a "fu"-led file
// under 50KB, or all three anywhere. $s1 is only a function name, so in the first
// branch any small script calling Invoke-PsExecCmd matches.
rule Empire_Invoke_PsExec {
   meta:
      description = "Detects Empire component - file Invoke-PsExec.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
      id = "19aaec3e-3e8f-5d7d-9c70-a212756c0300"
   strings:
      $s1 = "Invoke-PsExecCmd" fullword ascii
      $s2 = "\"[*] Executing service .EXE" fullword ascii
      // Partial line (service command template), hence not fullword.
      $s3 = "$cmd = \"%COMSPEC% /C echo $Command ^> %systemroot%\\Temp\\" ascii
   condition:
      // 0x7566 little-endian == "fu".
      ( uint16(0) == 0x7566 and filesize < 50KB and 1 of them ) or all of them
}
Empire_Invoke_PostExfil
Detects Empire component - file Invoke-PostExfil.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Invoke-PostExfil.ps1. Both strings are comment/help text
// rather than code, and the file is tiny (under 2KB). One string in a file whose first
// two bytes are "\nI", or both strings anywhere.
rule Empire_Invoke_PostExfil {
   meta:
      description = "Detects Empire component - file Invoke-PostExfil.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "00c0479f83c3dbbeff42f4ab9b71ca5fe8cd5061cb37b7b6861c73c54fd96d3e"
      id = "58d9e057-efde-56ab-9b7e-982342a910e2"
   strings:
      $s1 = "# upload to a specified exfil URI" fullword ascii
      $s2 = "Server path to exfil to." fullword ascii
   condition:
      // 0x490a little-endian == bytes 0x0a 0x49 == newline followed by "I".
      ( uint16(0) == 0x490a and filesize < 2KB and 1 of them ) or all of them
}
Empire_Invoke_SMBAutoBrute
Detects Empire component - file Invoke-SMBAutoBrute.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Invoke-SMBAutoBrute.ps1. One of two strings in a "fu"-led
// file under 30KB, or both anywhere. $s1 is a sample output line containing a lab
// hostname, so it will only appear where that help text was copied verbatim.
rule Empire_Invoke_SMBAutoBrute {
   meta:
      description = "Detects Empire component - file Invoke-SMBAutoBrute.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "7950f8abdd8ee09ed168137ef5380047d9d767a7172316070acc33b662f812b2"
      id = "a6b402ac-0925-5bc6-9d6a-b2b811496f9e"
   strings:
      $s1 = "[*] PDC: LAB-2008-DC1.lab.com" fullword ascii
      $s2 = "$attempts = Get-UserBadPwdCount $userid $dcs" fullword ascii
   condition:
      // 0x7566 little-endian == "fu".
      ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}
Empire_Get_Keystrokes
Detects Empire component - file Get-Keystrokes.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Get-Keystrokes.ps1. Single-string rule: "1 of them" and
// "all of them" coincide, so the "or all of them" branch bypasses the "fu" header and
// 30KB size checks and the rule fires on $s1 alone. The three spaces after
// "$RightMouse" are part of the pattern.
rule Empire_Get_Keystrokes {
   meta:
      description = "Detects Empire component - file Get-Keystrokes.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "c36e71db39f6852f78df1fa3f67e8c8a188bf951e96500911e9907ee895bf8ad"
      id = "7fb57a0d-6b65-5ee8-96ef-9af303f15007"
   strings:
      $s1 = "$RightMouse   = ($ImportDll::GetAsyncKeyState([Windows.Forms.Keys]::RButton) -band 0x8000) -eq 0x8000" fullword ascii
   condition:
      // 0x7566 little-endian == "fu"; effectively reduces to $s1 (see header comment).
      ( uint16(0) == 0x7566 and filesize < 30KB and 1 of them ) or all of them
}
Empire_Invoke_DllInjection
Detects Empire component - file Invoke-DllInjection.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Invoke-DllInjection.ps1. Single-string rule on a usage-example
// fragment ("-Dll evil.dll"); since "1 of them" equals "all of them" with one string,
// the "or all of them" branch makes the header and size checks moot and any file
// containing that fragment matches.
rule Empire_Invoke_DllInjection {
   meta:
      description = "Detects Empire component - file Invoke-DllInjection.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0"
      id = "6aa14e8f-9801-5cd3-beb0-955e19d25503"
   strings:
      $s1 = "-Dll evil.dll" fullword ascii
   condition:
      // 0x7566 little-endian == "fu"; effectively reduces to $s1 (see header comment).
      ( uint16(0) == 0x7566 and filesize < 40KB and 1 of them ) or all of them
}
Empire_KeePassConfig
Detects Empire component - file KeePassConfig.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's KeePassConfig.ps1. Single-string rule: with one string the
// "or all of them" branch bypasses the "#r" header and 80KB size checks, so the rule
// fires on $s1 alone.
rule Empire_KeePassConfig {
   meta:
      description = "Detects Empire component - file KeePassConfig.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
      id = "814a6ff9-a6ac-55e7-bb3f-597351ce421d"
   strings:
      // Enumerates DPAPI master-key files in the user's key folder.
      $s1 = "$UserMasterKeyFiles = @(, $(Get-ChildItem -Path $UserMasterKeyFolder -Force | Select-Object -ExpandProperty FullName) )" fullword ascii
   condition:
      // 0x7223 little-endian == bytes 0x23 0x72 == "#r" (e.g. a leading "#requires" line — assumption).
      ( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them
}
Empire_Invoke_SSHCommand
Detects Empire component - file Invoke-SSHCommand.ps1
author Florian Roth (Nextron Systems) license see source repo
// Signature for Empire's Invoke-SSHCommand.ps1. One of three strings in a file under
// 2000KB whose first bytes are "\nf", or all three anywhere. $s1 is a base64 MZ-header
// prefix ("TVqQAAMAAAAE…") assigned to $Base64, and $s3 a generic verbose message, so
// in the first branch other scripts embedding a base64 PE may also match.
rule Empire_Invoke_SSHCommand {
   meta:
      description = "Detects Empire component - file Invoke-SSHCommand.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      hash1 = "cbaf086b14d5bb6a756cbda42943d4d7ef97f8277164ce1f7dd0a1843e9aa242"
      id = "b06b507f-b6b8-5f4b-8d6d-920f141e9ac1"
   strings:
      $s1 = "$Base64 = 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAA" ascii
      // Help-text usage example with placeholder host and credentials.
      $s2 = "Invoke-SSHCommand -ip 192.168.1.100 -Username root -Password test -Command \"id\"" fullword ascii
      $s3 = "Write-Verbose \"[*] Error loading dll\"" fullword ascii
   condition:
      // 0x660a little-endian == bytes 0x0a 0x66 == newline followed by "f".
      ( uint16(0) == 0x660a and filesize < 2000KB and 1 of them ) or all of them
}
Empire_PowerShell_Framework_Gen1
Detects Empire component
author Florian Roth (Nextron Systems) license see source repo
// Generic Empire rule built from five samples (hash1-hash5). The strings come from
// shellcode-writing code (Write-BytesToMemory, GetCommandLineA address patching),
// presumably the reflective PE injection scripts Empire bundles - confirm against the samples.
rule Empire_PowerShell_Framework_Gen1 {
   meta:
      description = "Detects Empire component"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      // super_rule = 1: the rule was derived from several samples rather than a single file.
      super_rule = 1
      hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
      hash2 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
      hash3 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
      hash4 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
      hash5 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
      id = "8fdb48a0-5d40-55be-ae23-e9c8c4c2ecea"
   strings:
      // Not `fullword`: matches even when embedded in a longer token.
      $s1 = "Write-BytesToMemory -Bytes $Shellcode" ascii
      $s2 = "$GetCommandLineAAddrTemp = Add-SignedIntAsUnsigned $GetCommandLineAAddrTemp ($Shellcode1.Length)" fullword ascii
   condition:
      // uint16(0) is little-endian: 0x7566 means the file starts with the bytes "fu".
      // One string is enough under the header/size guard; both strings match anything.
      ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
direct Empire
Empire_PowerUp_Gen
Detects Empire component - from files PowerUp.ps1, PowerUp.ps1
author Florian Roth (Nextron Systems) license see source repo
// Detects the PowerUp.ps1 component of Empire by two sc.exe invocations from its
// service-manipulation code (reconfiguring a service binPath and pausing a service).
rule Empire_PowerUp_Gen {
   meta:
      description = "Detects Empire component - from files PowerUp.ps1, PowerUp.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      // super_rule = 1 although only one distinct hash is listed (the description names PowerUp.ps1 twice).
      super_rule = 1
      hash1 = "ad9a5dff257828ba5f15331d59dd4def3989537b3b6375495d0c08394460268c"
      id = "ae6b0462-7193-54a4-8fb9-befc1b461b15"
   strings:
      $s1 = "$Result = sc.exe config $($TargetService.Name) binPath= $OriginalPath" fullword ascii
      $s2 = "$Result = sc.exe pause $($TargetService.Name)" fullword ascii
   condition:
      // uint16(0) is little-endian: 0x233c means the file starts with "<#", the PowerShell
      // block-comment opener (i.e. a script beginning with a comment header).
      ( uint16(0) == 0x233c and filesize < 2000KB and 1 of them ) or all of them
}
direct Empire
Empire_PowerShell_Framework_Gen2
Detects Empire component
author Florian Roth (Nextron Systems) license see source repo
// Generic Empire rule over the same five samples as Empire_PowerShell_Framework_Gen1,
// keyed on DllMain delegate creation and a CallDllMain shellcode marker.
rule Empire_PowerShell_Framework_Gen2 {
   meta:
      description = "Detects Empire component"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      // Hash indices are non-contiguous (1, 3, 5, 6, 8); presumably residue of the rule
      // generator's sample numbering rather than missing entries - confirm against source repo.
      hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
      hash3 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
      hash5 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
      hash6 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
      hash8 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
      id = "eab277ca-0dd4-5035-82aa-1ac2120bac94"
   strings:
      // $x-prefixed identifiers are used in this rule set for the most specific string; both
      // strings carry the same weight in the condition below.
      $x1 = "$DllMain = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($DllMainPtr, $DllMainDelegate)" fullword ascii
      $s20 = "#Shellcode: CallDllMain.asm" fullword ascii
   condition:
      // uint16(0) is little-endian: 0x7566 means the file starts with the bytes "fu".
      ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
direct Empire
Empire_Agent_Gen
Detects Empire component - from files agent.ps1, agent.ps1
author Florian Roth (Nextron Systems) license see source repo
// Detects the Empire PowerShell agent (agent.ps1) by its beaconing code: the
// User-Agent header set from $script:UserAgent and the jitter/delay computation.
rule Empire_Agent_Gen {
   meta:
      description = "Detects Empire component - from files agent.ps1, agent.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      // hash1 and hash2 hold the same value: effectively a single reference sample.
      hash1 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"
      hash2 = "380fd09bfbe47d5c8c870c1c97ff6f44982b699b55b61e7c803d3423eb4768db"
      id = "0fac915c-2502-50da-93d1-f81e9282aa9a"
   strings:
      $s1 = "$wc.Headers.Add(\"User-Agent\",$script:UserAgent)" fullword ascii
      $s2 = "$min = [int]((1-$script:AgentJitter)*$script:AgentDelay)" fullword ascii
      // `fullword` still matches here: "{" is a non-alphanumeric boundary.
      $s3 = "if ($script:AgentDelay -ne 0){" fullword ascii
   condition:
      // uint16(0) is little-endian: 0x660a means a line feed followed by "f" at offset 0.
      // Agent scripts are expected to be small (< 100KB) for the single-string branch.
      ( uint16(0) == 0x660a and filesize < 100KB and 1 of them ) or all of them
}
direct Empire
Empire_PowerShell_Framework_Gen3
Detects Empire component
author Florian Roth (Nextron Systems) license see source repo
// Generic Empire rule over four of the Framework_Gen sample set, keyed on a DLL
// injection branch condition and the phrase "remote DLL injection".
rule Empire_PowerShell_Framework_Gen3 {
   meta:
      description = "Detects Empire component"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
      hash2 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
      hash3 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
      hash4 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
      id = "b0f7ed41-be65-5e43-aeb1-56e5e7384e8f"
   strings:
      $s1 = "if (($PEInfo.FileType -ieq \"DLL\") -and ($RemoteProcHandle -eq [IntPtr]::Zero))" fullword ascii
      // Plain English phrase, not `fullword`: under the header/size guard it is enough on its own,
      // so documentation or comments mentioning the technique can match - weak on its own.
      $s2 = "remote DLL injection" ascii
   condition:
      // uint16(0) is little-endian: 0x7566 means the file starts with the bytes "fu".
      ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
direct Empire
Empire_Invoke_InveighRelay_Gen
Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1
author Florian Roth (Nextron Systems) license see source repo
// Detects the Invoke-InveighRelay.ps1 component of Empire via its SMB relay
// bookkeeping (failed-relay list) and the base64 encoding of an HTTP NTLM challenge.
rule Empire_Invoke_InveighRelay_Gen {
   meta:
      description = "Detects Empire component - from files Invoke-InveighRelay.ps1, Invoke-InveighRelay.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      // Only hash2 is listed (no hash1); a single reference sample despite super_rule = 1.
      hash2 = "21b90762150f804485219ad36fa509aeda210d46453307a9761c816040312f41"
      id = "0adebf6f-99e1-5461-8efc-e4660faf6d5d"
   strings:
      $s1 = "$inveigh.SMBRelay_failed_list.Add(\"$HTTP_NTLM_domain_string\\$HTTP_NTLM_user_string $SMBRelayTarget\")" fullword ascii
      $s2 = "$NTLM_challenge_base64 = [System.Convert]::ToBase64String($HTTP_NTLM_bytes)" fullword ascii
   condition:
      // uint16(0) is little-endian: 0x7566 means the file starts with the bytes "fu".
      ( uint16(0) == 0x7566 and filesize < 200KB and 1 of them ) or all of them
}
direct Empire
Empire_KeePassConfig_Gen
Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1
author Florian Roth (Nextron Systems) license see source repo
// Second rule for Empire's KeePassConfig.ps1, keyed on the line that parses the
// KeePass configuration XML.
rule Empire_KeePassConfig_Gen {
   meta:
      description = "Detects Empire component - from files KeePassConfig.ps1, KeePassConfig.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      // Same sample hash as Empire_KeePassConfig's hash1: one file, two overlapping rules.
      hash2 = "5a76e642357792bb4270114d7cd76ce45ba24b0d741f5c6b916aeebd45cff2b3"
      id = "e2bc88c5-50f8-5ddc-a449-41929b1d0528"
   strings:
      $s1 = "$KeePassXML = [xml](Get-Content -Path $KeePassXMLPath)" fullword ascii
   condition:
      // uint16(0) is little-endian: 0x7223 means the file begins with the bytes "#r".
      // With a single string, `all of them` is just $s1, so the `or all of them` branch
      // makes the header and filesize checks non-binding; the rule fires on $s1 alone.
      ( uint16(0) == 0x7223 and filesize < 80KB and 1 of them ) or all of them
}
direct Empire
Empire_Invoke_Portscan_Gen
Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1
author Florian Roth (Nextron Systems) license see source repo
// Detects the Invoke-Portscan.ps1 component of Empire by its Test-Port call and
// one of its hard-coded thread/timeout preset lines.
rule Empire_Invoke_Portscan_Gen {
   meta:
      description = "Detects Empire component - from files Invoke-Portscan.ps1, Invoke-Portscan.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      // Only hash2 is listed (no hash1): a single reference sample.
      hash2 = "cf7030be01fab47e79e4afc9e0d4857479b06a5f68654717f3bc1bc67a0f38d3"
      id = "c2e01780-02d2-57d1-b38e-5c345ebccad6"
   strings:
      $s1 = "Test-Port -h $h -p $Port -timeout $Timeout" fullword ascii
      // Exact whitespace matters: the double spaces inside this string are part of the match.
      $s2 = "1 {$nHosts=10;  $Threads = 32;   $Timeout = 5000 }" fullword ascii
   condition:
      // uint16(0) is little-endian: 0x7566 means the file starts with the bytes "fu".
      ( uint16(0) == 0x7566 and filesize < 100KB and 1 of them ) or all of them
}
direct Empire
Empire_PowerShell_Framework_Gen4
Detects Empire component
author Florian Roth (Nextron Systems) license see source repo
// Generic Empire rule over ten samples, keyed on the dynamic-delegate / Win32 API
// resolution helpers (GAC System.dll lookup, GetModuleHandle, ReflectedDelegate assembly).
// NOTE(review): these helper lines are likely shared with other PowerShell tooling that
// reuses the same reflection boilerplate, so matches may extend beyond Empire - confirm.
rule Empire_PowerShell_Framework_Gen4 {
   meta:
      description = "Detects Empire component"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      hash1 = "743c51334f17751cfd881be84b56f648edbdaf31f8186de88d094892edc644a9"
      // hash2 and hash3 hold the same value; nine distinct samples are referenced.
      hash2 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
      hash3 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
      hash4 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
      hash5 = "304031aa9eca5a83bdf1f654285d86df79cb3bba4aa8fe1eb680bd5b2878ebf0"
      hash6 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
      hash7 = "0218be4323959fc6379489a6a5e030bb9f1de672326e5e5b8844ab5cedfdcf88"
      hash8 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
      hash9 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
      hash10 = "fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438"
      id = "c390638a-0eb1-576d-a08c-203c31d414f3"
   strings:
      // The YARA literal "\\\\" is two backslashes in the scanned file (the PowerShell source has '\\').
      $s1 = "Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\\\')[-1].Equals('System.dll') }" fullword ascii
      // A source comment; weak on its own but sufficient under the header/size guard.
      $s2 = "# Get a handle to the module specified" fullword ascii
      $s3 = "$Kern32Handle = $GetModuleHandle.Invoke($null, @($Module))" fullword ascii
      $s4 = "$DynAssembly = New-Object System.Reflection.AssemblyName('ReflectedDelegate')" fullword ascii
   condition:
      // uint16(0) is little-endian: 0x7566 means the file starts with the bytes "fu".
      ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
direct Empire
Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen
Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1
author Florian Roth (Nextron Systems) license see source repo
// Detects Empire's Invoke-CredentialInjection.ps1 / Invoke-Mimikatz.ps1 by their
// Invoke-MemoryLoadLibrary call sites (with and without a remote process handle).
rule Empire_Invoke_CredentialInjection_Invoke_Mimikatz_Gen {
   meta:
      description = "Detects Empire component - from files Invoke-CredentialInjection.ps1, Invoke-Mimikatz.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
      hash2 = "4725a57a5f8b717ce316f104e9472e003964f8eae41a67fd8c16b4228e3d00b3"
      id = "d938aadf-6924-5964-9b5a-6bd1b817349f"
   strings:
      $s1 = "$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs -RemoteProcHandle $RemoteProcHandle" fullword ascii
      // $s2 is a prefix of $s1 and the following " -RemoteProcHandle" begins with a space, which
      // satisfies `fullword`; any file containing $s1 therefore also matches $s2, so `all of them`
      // is met by that single line.
      $s2 = "$PELoadedInfo = Invoke-MemoryLoadLibrary -PEBytes $PEBytes -ExeArgs $ExeArgs" fullword ascii
   condition:
      // uint16(0) is little-endian: 0x7566 means the file starts with the bytes "fu".
      ( uint16(0) == 0x7566 and filesize < 4000KB and 1 of them ) or all of them
}
direct Empire
Empire_Invoke_Gen
Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1
author Florian Roth (Nextron Systems) license see source repo
// Detects Empire's Invoke-DCSync.ps1, Invoke-PSInject.ps1 and Invoke-ReflectivePEInjection.ps1
// by a shellcode byte-building line and a PE handle initialisation they share.
rule Empire_Invoke_Gen {
   meta:
      description = "Detects Empire component - from files Invoke-DCSync.ps1, Invoke-PSInject.ps1, Invoke-ReflectivePEInjection.ps1"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      hash1 = "a3428a7d4f9e677623fadff61b2a37d93461123535755ab0f296aa3b0396eb28"
      hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
      hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
      id = "913f971d-e4e3-55e9-904b-82b25a4e6f0f"
   strings:
      $s1 = "$Shellcode1 += 0x48" fullword ascii
      // Generic initialisation line; on its own it is enough under the header/size guard,
      // so scripts that merely reuse this variable name can match.
      $s2 = "$PEHandle = [IntPtr]::Zero" fullword ascii
   condition:
      // uint16(0) is little-endian: 0x7566 means the file starts with the bytes "fu".
      ( uint16(0) == 0x7566 and filesize < 3000KB and 1 of them ) or all of them
}
direct Empire
Empire_PowerShell_Framework_Gen5
Detects Empire component
author Florian Roth (Nextron Systems) license see source repo
// Generic Empire rule over three of the Framework_Gen sample set, keyed on the
// handling of $ExeArgs when an in-memory EXE is launched ("ReflectiveExe" prefix).
rule Empire_PowerShell_Framework_Gen5 {
   meta:
      description = "Detects Empire component"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/adaptivethreat/Empire"
      date = "2016-11-05"
      super_rule = 1
      hash1 = "1be3e3ec0e364db0c00fad2c59c7041e23af4dd59c4cc7dc9dcf46ca507cd6c8"
      hash2 = "61e5ca9c1e8759a78e2c2764169b425b673b500facaca43a26c69ff7e09f62c4"
      hash3 = "eaff29dd0da4ac258d85ecf8b042d73edb01b4db48c68bded2a8b8418dc688b5"
      id = "4c23592e-5788-5b84-995a-028142cbc52f"
   strings:
      $s1 = "if ($ExeArgs -ne $null -and $ExeArgs -ne '')" fullword ascii
      $s2 = "$ExeArgs = \"ReflectiveExe $ExeArgs\"" fullword ascii
   condition:
      // uint16(0) is little-endian: 0x7566 means the file starts with the bytes "fu".
      // Tighter size cap (1000KB) than the other Framework_Gen rules.
      ( uint16(0) == 0x7566 and filesize < 1000KB and 1 of them ) or all of them
}