LoFP / false positives may only pertain to it not being related to empire, but another framework. filter as needed if any applications use the same pattern.

Techniques

• T1059
• T1059.001

Sample rules

Detect Empire with PowerShell Script Block Logging

• source: splunk
• technicques:
  • T1059
  • T1059.001

Description

The following analytic detects suspicious PowerShell execution indicative of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze commands sent to PowerShell, specifically looking for patterns involving system.net.webclient and base64 encoding. This behavior is significant as it often represents initial stagers used by PowerShell-Empire, a known post-exploitation framework. If confirmed malicious, this activity could allow attackers to download and execute additional payloads, leading to potential code execution, data exfiltration, or further compromise of the affected system.

Detection logic

`powershell` EventCode=4104  (ScriptBlockText=*system.net.webclient* AND ScriptBlockText=*frombase64string*) 
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer UserID EventCode ScriptBlockText 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `detect_empire_with_powershell_script_block_logging_filter`