Detection rules › Kusto Query Language

Powershell Empire Cmdlets Executed in Command Line

Source: upstream

'This query identifies use of PowerShell Empire's cmdlets within the command line data of the PowerShell process, indicating potential use of the post-exploitation tool.'

MITRE ATT&CK coverage

Tactic	Techniques
Execution	`T1047` Windows Management Instrumentation, `T1053.005` Scheduled Task/Job: Scheduled Task, `T1059` Command and Scripting Interpreter, `T1059.001` Command and Scripting Interpreter: PowerShell, `T1059.003` Command and Scripting Interpreter: Windows Command Shell, `T1106` Native API, `T1569.002` System Services: Service Execution
Persistence	`T1053.005` Scheduled Task/Job: Scheduled Task, `T1136.001` Create Account: Local Account, `T1136.002` Create Account: Domain Account, `T1543.003` Create or Modify System Process: Windows Service, `T1546.008` Event Triggered Execution: Accessibility Features, `T1547.001` Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, `T1547.005` Boot or Logon Autostart Execution: Security Support Provider, `T1547.009` Boot or Logon Autostart Execution: Shortcut Modification, `T1574.001` Hijack Execution Flow: DLL, `T1574.004` Hijack Execution Flow: Dylib Hijacking, `T1574.007` Hijack Execution Flow: Path Interception by PATH Environment Variable, `T1574.008` Hijack Execution Flow: Path Interception by Search Order Hijacking, `T1574.009` Hijack Execution Flow: Path Interception by Unquoted Path
Privilege Escalation	`T1053.005` Scheduled Task/Job: Scheduled Task, `T1055` Process Injection, `T1068` Exploitation for Privilege Escalation, `T1134` Access Token Manipulation, `T1134.002` Access Token Manipulation: Create Process with Token, `T1134.005` Access Token Manipulation: SID-History Injection, `T1484.001` Domain or Tenant Policy Modification: Group Policy Modification, `T1543.003` Create or Modify System Process: Windows Service, `T1546.008` Event Triggered Execution: Accessibility Features, `T1547.001` Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, `T1547.005` Boot or Logon Autostart Execution: Security Support Provider, `T1547.009` Boot or Logon Autostart Execution: Shortcut Modification, `T1548.002` Abuse Elevation Control Mechanism: Bypass User Account Control, `T1574.001` Hijack Execution Flow: DLL, `T1574.004` Hijack Execution Flow: Dylib Hijacking, `T1574.007` Hijack Execution Flow: Path Interception by PATH Environment Variable, `T1574.008` Hijack Execution Flow: Path Interception by Search Order Hijacking, `T1574.009` Hijack Execution Flow: Path Interception by Unquoted Path
Defense Evasion	`T1027` Obfuscated Files or Information, `T1055` Process Injection, `T1070.006` Indicator Removal: Timestomp, `T1127.001` Trusted Developer Utilities Proxy Execution: MSBuild, `T1134` Access Token Manipulation, `T1134.002` Access Token Manipulation: Create Process with Token, `T1134.005` Access Token Manipulation: SID-History Injection, `T1484.001` Domain or Tenant Policy Modification: Group Policy Modification, `T1548.002` Abuse Elevation Control Mechanism: Bypass User Account Control, `T1550.002` Use Alternate Authentication Material: Pass the Hash, `T1574.001` Hijack Execution Flow: DLL, `T1574.004` Hijack Execution Flow: Dylib Hijacking, `T1574.007` Hijack Execution Flow: Path Interception by PATH Environment Variable, `T1574.008` Hijack Execution Flow: Path Interception by Search Order Hijacking, `T1574.009` Hijack Execution Flow: Path Interception by Unquoted Path
Credential Access	`T1003.001` OS Credential Dumping: LSASS Memory, `T1040` Network Sniffing, `T1056.001` Input Capture: Keylogging, `T1056.004` Input Capture: Credential API Hooking, `T1552.001` Unsecured Credentials: Credentials In Files, `T1552.004` Unsecured Credentials: Private Keys, `T1555.003` Credentials from Password Stores: Credentials from Web Browsers, `T1557.001` Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, `T1558.002` Steal or Forge Kerberos Tickets: Silver Ticket, `T1558.003` Steal or Forge Kerberos Tickets: Kerberoasting
Discovery	`T1016` System Network Configuration Discovery, `T1040` Network Sniffing, `T1046` Network Service Discovery, `T1049` System Network Connections Discovery, `T1057` Process Discovery, `T1082` System Information Discovery, `T1083` File and Directory Discovery, `T1087.001` Account Discovery: Local Account, `T1087.002` Account Discovery: Domain Account, `T1135` Network Share Discovery, `T1217` Browser Information Discovery, `T1482` Domain Trust Discovery, `T1518.001` Software Discovery: Security Software Discovery, `T1615` Group Policy Discovery
Lateral Movement	`T1021.003` Remote Services: Distributed Component Object Model, `T1021.004` Remote Services: SSH, `T1210` Exploitation of Remote Services, `T1550.002` Use Alternate Authentication Material: Pass the Hash
Collection	`T1056.001` Input Capture: Keylogging, `T1056.004` Input Capture: Credential API Hooking, `T1113` Screen Capture, `T1114.001` Email Collection: Local Email Collection, `T1115` Clipboard Data, `T1125` Video Capture, `T1557.001` Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, `T1560` Archive Collected Data
Command & Control	`T1071.001` Application Layer Protocol: Web Protocols, `T1102.002` Web Service: Bidirectional Communication, `T1105` Ingress Tool Transfer, `T1573.002` Encrypted Channel: Asymmetric Cryptography
Exfiltration	`T1041` Exfiltration Over C2 Channel, `T1567.001` Exfiltration Over Web Service: Exfiltration to Code Repository, `T1567.002` Exfiltration Over Web Service: Exfiltration to Cloud Storage

Event coverage

Provider	Event ID	Title
Security-Auditing	4688	A new process has been created.

Stages and Predicates

Stage 1: `source`

<union>

Stage 2: `union`

union of 2 branches