‹ 首页

analyzing-powershell-empire-artifacts

@adriannoes · 收录于 1 周前

Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns, default user agents, staging URL structures, stager IOCs, and known Empire module signatures in Script Block Logging events.

适合你,如果你需要检测Windows环境中PowerShell Empire框架的入侵痕迹

/ 下载安装
analyzing-powershell-empire-artifacts.skill双击,或拖进 Claude 桌面版 / Cowork,即完成安装↓ .skill↓ .zip
用别的 agent?下载 .zip 解压,把文件夹放进它的技能目录
Claude Code~/.claude/skills/(项目级 .claude/skills/)
Codex CLI~/.codex/skills/
Cursor自动读取上面两处目录
其他工具见其文档的「skills」目录;两个下载是同一份文件,只是名字不同
/ 通过 npx 安装 校验哈希
npx oh-my-skill add adriannoes/awesome-vibe-coding/analyzing-powershell-empire-artifacts
/ 通过 bash 安装
curl -fsSL https://oh-my-skill.com/install.sh | bash -s -- adriannoes/awesome-vibe-coding/analyzing-powershell-empire-artifacts
/ 已经装过?验证本机副本,不用重装
npx oh-my-skill verify adriannoes/awesome-vibe-coding/analyzing-powershell-empire-artifacts
安装目标可用 --agent / --scope 或 --to 明确指定;省略时只会在唯一已存在的 agent 目录上自动选择,零命中或多命中会停止并提示。content_hash 缺失或不一致均拒装。
44GitHub stars
~518最小装载
~518含声明引用
~1.1K文本包总量
镜像托管

怎么用

技能原文 SKILL.md作者撰写 · Apache-2.0 · e4ed3a9

Analyzing PowerShell Empire Artifacts

Overview

PowerShell Empire is a post-exploitation framework consisting of listeners, stagers, and agents. Its artifacts leave detectable traces in Windows event logs, particularly PowerShell Script Block Logging (Event ID 4104) and Module Logging (Event ID 4103). This skill analyzes event logs for Empire's default launcher string (powershell -noP -sta -w 1 -enc), Base64 encoded payloads containing System.Net.WebClient and FromBase64String, known module invocations (Invoke-Mimikatz, Invoke-Kerberoast, Invoke-TokenManipulation), and staging URL patterns.

When to Use
  • When investigating security incidents that require analyzing powershell empire artifacts
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques
Prerequisites
  • Python 3.9+ with access to Windows Event Log or exported EVTX files
  • PowerShell Script Block Logging (Event ID 4104) enabled via Group Policy
  • Module Logging (Event ID 4103) enabled for comprehensive coverage
Key Detection Patterns
  1. Default launcherpowershell -noP -sta -w 1 -enc followed by Base64 blob
  2. Stager indicatorsSystem.Net.WebClient, DownloadData, DownloadString, FromBase64String
  3. Module signatures — Invoke-Mimikatz, Invoke-Kerberoast, Invoke-TokenManipulation, Invoke-PSInject, Invoke-DCOM
  4. User agent strings — default Empire user agents in HTTP listener configuration
  5. Staging URLs/login/process.php, /admin/get.php and similar default URI patterns
Output

JSON report with matched IOCs, decoded Base64 payloads, timeline of suspicious events, MITRE ATT&CK technique mappings, and severity scores.

按 Apache-2.0 许可原样转载,未经改动 · 在 GitHub 查看 →

评论

登录即可评论;带「已验证安装」的,是发布者名下有本店的安装或持有记录。