HackTool - Empire PowerShell Launch Parameters
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
--- | --- | --- | --- | --- |
HackTool - Empire PowerShell Launch Parameters | Standard | Windows Security Event Log (Process Creation) | T1059.001 – Command and Scripting Interpreter: PowerShell | Trouble |
About the rule
Rule Type
Standard
Rule Description
Detects suspicious PowerShell command line parameters commonly used by the Empire post-exploitation framework. These include encoded commands with flags like -nop, -sta, -noni, -w hidden, and variations thereof, which are indicative of obfuscated or stealthy execution techniques.
Severity
Trouble
Rule journey
Attack chain scenario
Execution: Command and Scripting Interpreter - PowerShell (T1059.001)
Impact
Execution of malicious PowerShell payloads enabling command and control, lateral movement, and further compromise of systems.
Rule Requirement
Prerequisites
Using Windows Event Viewer
- Log in to a Domain Controller with domain admin rights
- Open GPMC (Run: gpmc.msc)
- Edit a GPO linked to the target OU
- Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking
- Enable Audit Process Creation and Audit Process Termination (Success)
- Navigate to: Computer Configuration > Administrative Templates > System > Audit Process Creation
- Enable "Include command line in process creation events"
- Ensure registry key exists: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational
Using Sysmon
- Download and install Sysmon from Sysinternals
- Open Command Prompt as admin
- Install with config file: sysmon.exe -i config.xml
- Sample config should include ProcessCreate event
- Ensure registry key exists: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational
Criteria
Action1: actionname = "Process started" AND COMMANDLINE contains " -NoP -sta -NonI -W Hidden -Enc , -noP -sta -w 1 -enc , -NoP -NonI -W Hidden -enc , -noP -sta -w 1 -enc, -enc SQB, -nop -exec bypass -EncodedCommand " select Action1.HOSTNAME,Action1.MESSAGE,Action1.COMMANDLINE,Action1.FILE_NAME,Action1.PROCESSNAME,Action1.USERNAME,Action1.PARENTPROCESSNAME
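The following is an added example, not code from the rule page or from the Sigma rule it is derived from. It replays Action1 over a handful of constructed "Process started" events: the six substrings from the Criteria are applied to COMMANDLINE, and the fields of the select clause are projected for each hit. Because the Sigma `contains` modifier is case-insensitive while the page does not say how this SIEM compares strings, the matcher takes that as a switchable assumption, and one sample event shows the difference. A small decode helper recovers the script behind `-enc`/`-EncodedCommand` (base64 of UTF-16LE text) so an analyst can see what an alerting command line actually runs; the hostnames, users and scripts are invented.

```python
"""Added example: replays the rule's Criteria over constructed process-creation events."""
import base64
import binascii
import re
from typing import List, Optional

# The substring patterns from the rule's Criteria, verbatim. " -noP -sta -w 1 -enc"
# is listed twice there, once with and once without a trailing space.
EMPIRE_LAUNCH_PATTERNS = [
    " -NoP -sta -NonI -W Hidden -Enc ",
    " -noP -sta -w 1 -enc ",
    " -NoP -NonI -W Hidden -enc ",
    " -noP -sta -w 1 -enc",
    " -enc SQB",
    " -nop -exec bypass -EncodedCommand ",
]

# Fields named in the rule's select clause.
SELECTED_FIELDS = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
                   "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")

# -e / -ec / -enc / -EncodedCommand followed by a base64 argument.
_ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_argument(command_line: str) -> Optional[str]:
    """Triage helper: recover the script behind -enc/-EncodedCommand, or None."""
    for match in _ENCODED_ARG.finditer(command_line):
        try:
            return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue
    return None


def matches_empire_launch(command_line: str, case_insensitive: bool = True) -> List[str]:
    """Return the Criteria patterns contained in command_line.

    Sigma's 'contains' ignores case; whether the SIEM running this rule does too
    is an assumption, so both behaviours are selectable here.
    """
    hay = command_line.lower() if case_insensitive else command_line
    return [p for p in EMPIRE_LAUNCH_PATTERNS
            if (p.lower() if case_insensitive else p) in hay]


def evaluate_events(events, case_insensitive: bool = True) -> List[dict]:
    """Apply Action1 to 'Process started' events and project the selected fields."""
    alerts = []
    for event in events:
        if event.get("actionname") != "Process started":
            continue
        hits = matches_empire_launch(event["COMMANDLINE"], case_insensitive)
        if hits:
            alert = {field: event.get(field) for field in SELECTED_FIELDS}
            alert["matched_patterns"] = hits
            alerts.append(alert)
    return alerts


def _event(host, user, parent, command_line):
    return {"actionname": "Process started", "HOSTNAME": host, "USERNAME": user,
            "MESSAGE": "A new process has been created.", "FILE_NAME": "powershell.exe",
            "PROCESSNAME": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "PARENTPROCESSNAME": parent, "COMMANDLINE": command_line}


BENIGN_SCRIPT = "Write-Host 'hi'"

# Constructed sample events (hostnames, users and scripts are invented).
SAMPLE_EVENTS = [
    # Scheduled backup: -NoProfile/-ExecutionPolicy are not in the pattern list.
    _event("WS-0041", "CORP\\svc_backup", r"C:\Windows\System32\svchost.exe",
           r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    # Exact flag sequence from the Criteria, carrying a benign encoded script.
    _event("WS-0042", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
           f"powershell.exe -NoP -sta -NonI -W Hidden -Enc {encode_powershell_command(BENIGN_SCRIPT)}"),
    # Admin one-liner: any UTF-16LE script starting with 'I' plus a letter encodes to
    # 'SQB...', so ' -enc SQB' fires on this legitimate command too (Known False Positives).
    _event("WS-0042", "CORP\\adm_ops", r"C:\Windows\explorer.exe",
           f"powershell.exe -enc {encode_powershell_command('Import-Module ActiveDirectory')}"),
    # Same flags in lowercase: only caught if 'contains' ignores case.
    _event("WS-0043", "CORP\\jdoe", r"C:\Windows\System32\cmd.exe",
           f"powershell.exe -nop -sta -noni -w hidden -enc {encode_powershell_command(BENIGN_SCRIPT)}"),
]


if __name__ == "__main__":
    for alert in evaluate_events(SAMPLE_EVENTS):
        print(alert["HOSTNAME"], alert["USERNAME"], alert["matched_patterns"],
              repr(decode_encoded_argument(alert["COMMANDLINE"])))
```

The third sample event is the one to keep in mind when tuning: `-enc SQB` catches any encoded script whose first character is `I` (the start of many harmless cmdlet invocations), so decoding the argument before escalating is what separates the Known False Positives from a real launcher.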
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
T1059.001 – Command and Scripting Interpreter: PowerShell
Security Standards
Detection aligns with monitoring and logging best practices for PowerShell execution as recommended by endpoint security frameworks and standards.
Author
Florian Roth (Nextron Systems)
Future actions
Known False Positives
Other legitimate tools or scripts that incidentally use similar PowerShell command line parameters.
Next Steps
- Review PowerShell command line usage for context and intent to differentiate between legitimate and malicious usage.
- Analyze network and host activity associated with detected commands for signs of C2 or lateral movement.
- Examine related accounts and systems for other indicators of compromise.
- Harden PowerShell logging and restrict execution policies to limit unauthorized script execution.
- Engage incident response if malicious activity is confirmed.
Mitigation
Mitigation ID | Name | Description |
--- | --- | --- |
M1049 | Antivirus/Antimalware | Use antivirus and endpoint detection and response (EDR) solutions to detect and quarantine suspicious files and scripts, thereby preventing execution of malicious PowerShell payloads. |
M1045 | Code Signing | Enforce PowerShell execution policies that only allow running of signed scripts to reduce risk from unsigned or malicious scripts. |
M1042 | Disable or Remove Feature or Program | When possible, remove PowerShell from systems that do not require it, and restrict or disable Windows Remote Management (WinRM) to prevent remote PowerShell execution abuse. Prior assessment of impact is necessary as PowerShell may be required for legitimate administration tasks. |
M1038 | Execution Prevention | Implement application control solutions to limit the execution of unauthorized code. Use PowerShell Constrained Language Mode to restrict access to sensitive language features and commands that can be used for malicious purposes. |
M1026 | Privileged Account Management | Restrict PowerShell execution policy settings to administrators only. Use Just Enough Administration (JEA) to limit commands available in PowerShell sessions, minimizing attack surface. Be aware of known methods to bypass execution policies and regularly review security configurations. |