Detecting Powershell Empire

One of my favorite utilities to use as a Network Administrator is Powershell. There are so many tasks that can be performed with Powershell for automation and for administering a network at scale that it is almost becoming necessary to use it to manage a network nowadays. Because of its ability to effectively manage a network, it can also be used to exploit a network, and there are now utilities being built for exploitation through Powershell. For those that aren't familiar with it, Powershell Empire is a framework aimed at making exploitation of a Windows environment easier and faster through the use of Powershell. It essentially creates a server/client relationship with any machine on which an attacker has placed an agent, and gives the attacker the ability to execute any commands on the compromised machine, as well as a lot of built-in exploitation modules such as Mimikatz, without ever having to upload the files, as everything is run in memory.

As a defender, logs can be overwhelming at times, and when we try to automate the process of identifying abnormal behavior in a network we sometimes look for key signatures to alert on malicious activity. Powershell Empire's agents run in memory, so they generate very few logs. Empire also attempts to obfuscate its initial launcher script whenever a new agent is deployed, so attempting to monitor Powershell ScriptBlock logs can prove to be almost impossible. With its ability to essentially hide its activity and to execute several built-in exploitation modules, Powershell Empire is somewhat of a nightmare for analysts to detect. The only way you can effectively identify Powershell Empire's usage is through Sysmon.

There are two ways to effectively detect Powershell Empire with Sysmon: Event ID 1 (process creation) and Event ID 3 (network connection). Upon a new installation of an agent, both of these events will trigger. Event ID 1 will look like the following:



The Sysmon Event ID 1 "CommandLine" output will always begin with the full path to Powershell, followed by the "-NoP -sta -w 1 -enc" switches and a long base64-encoded string. The first thing you will want to check is that you are currently monitoring Powershell usage with Sysmon. To make sure Sysmon is configured to include powershell.exe usage, you will need to add an include entry for powershell.exe under both Event ID 1 and Event ID 3 in your Sysmon.xml configuration file (if you are using ion-storm's Sysmon config, which I highly recommend, this is already taken care of for you). Once you have Sysmon configured to log Powershell usage, you will want to configure conditions that trigger alerts when the "CommandLine" field begins with Powershell's full path and includes the switches all the way up to the -enc portion of the command shown above. As of this writing, any default type of connection made to a Powershell Empire host follows the same syntax.

The second way to identify Powershell Empire in the environment, and my preferred way, is by monitoring Sysmon Event ID 3. The event log looks like the following:


It is very rare that I initiate an external network connection utilizing Powershell, and by monitoring this type of event, it helps you identify not only when someone may be using Powershell Empire, but also when Powershell is being used to download/upload files. This approach is also more useful than just monitoring Event ID 1: if someone has already deployed Powershell Empire agents in your environment, you may not have the Event ID 1 logs that were generated at install time, but as the agent is scheduled to check in, you will always receive an Event ID 3 log entry from Sysmon. The simplest way to monitor for this is to alert on any Event ID 3 with the "Image" set to powershell.exe and the destination IP address being an external IP address, or, if you prefer, any IP address.
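Both rules above (the Event ID 1 command-line signature and the Event ID 3 powershell.exe network connection), as an added example that is not part of the original post: a small Python checker run over constructed Sysmon events. It assumes the events have already been parsed into dicts keyed by the Sysmon field names, treats RFC 1918, loopback and link-local destinations as internal, and decodes the -enc blob so the analyst can see the command it carries.

```python
import base64
import ipaddress
import re

# Event ID 1 signature from the post: full path to powershell.exe, the
# "-NoP -sta -w 1 -enc" switches, then a base64 blob and nothing else.
EMPIRE_LAUNCHER = re.compile(r'^"?[A-Za-z]:\\.*\\powershell\.exe"?\s+-NoP\s+-sta\s+-w\s+1'
                             r'\s+-enc\s+(?P<blob>[A-Za-z0-9+/=]+)\s*$', re.IGNORECASE)
# RFC 1918, loopback and link-local count as internal (an assumption of this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def decode_encoded_command(blob):
    """-enc carries base64 of a UTF-16LE string; hand the analyst the plaintext."""
    return base64.b64decode(blob).decode("utf-16le", errors="replace")

def check_process_create(event):
    """Event ID 1 rule: flag a CommandLine with the Empire launcher shape."""
    m = EMPIRE_LAUNCHER.match(event.get("CommandLine", ""))
    if not m:
        return None
    return "EID1 Empire-style launcher on %s: %r" % (
        event["Computer"], decode_encoded_command(m["blob"]))

def check_network_connect(event, external_only=True):
    """Event ID 3 rule: flag powershell.exe opening a connection (external only by default)."""
    if not event.get("Image", "").lower().endswith("\\powershell.exe"):
        return None
    dst = ipaddress.ip_address(event["DestinationIp"])
    if external_only and any(dst in net for net in INTERNAL_NETS):
        return None
    return "EID3 powershell.exe -> %s:%s on %s" % (dst, event["DestinationPort"], event["Computer"])

RULES = {1: check_process_create, 3: check_network_connect}

def scan(events):
    """Run the matching rule over each parsed Sysmon event; return findings in event order."""
    hits = (RULES.get(ev["EventID"], lambda e: None)(ev) for ev in events)
    return [h for h in hits if h]

# Constructed sample events (not captured Empire traffic); the blob encodes a harmless command.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_BLOB = base64.b64encode("Write-Host 'sample'".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "CommandLine": PS + " -NoP -sta -w 1 -enc " + SAMPLE_BLOB},
    {"EventID": 1, "Computer": "WS01", "CommandLine": PS + " -File C:\\scripts\\backup.ps1"},
    {"EventID": 3, "Computer": "WS01", "Image": PS, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Computer": "WS01", "Image": PS, "DestinationIp": "10.0.0.5", "DestinationPort": 445},
]
```

Running `scan(SAMPLE_EVENTS)` flags only the launcher-shaped command line and the external connection; the scripted `-File` run and the internal SMB connection pass unless `external_only` is switched off.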

As stated earlier, Powershell is increasingly being used with malicious intent, and it is becoming a necessity to monitor its usage. If you have not done so already, I highly recommend deploying Sysmon and making sure you are monitoring Powershell in your Sysmon configuration. As I stated earlier, even if you are performing Powershell ScriptBlock monitoring, it is quite difficult to detect Powershell Empire's usage through typical conditional rules, and Sysmon simply makes detecting it quite easy.