rule: improved Empire detection

rules/proxy/proxy_empire_ua_uri_combos.yml

@@ -0,0 +1,25 @@
+title: Empire UserAgent URI Combo
+id: b923f7d6-ac89-4a50-a71a-89fb846b4aa8
+status: experimental
+description: Detects user agent and URI paths used by empire agents
+references:
+    - https://github.com/BC-SECURITY/Empire
+author: Florian Roth
+date: 2020/07/13
+logsource:
+    category: proxy
+detection:
+    selection:
+        c-useragent: 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'
+        cs-uri-query:
+            - '/admin/get.php'
+            - '/news.php'
+            - '/login/process.php'
+        cs-method: 'POST'
+    condition: selection
+fields:
+    - c-uri
+    - c-ip
+falsepositives:
+    - Valid requests with this exact user agent to server scripts of the defined names
+level: high

rules/windows/process_creation/win_susp_powershell_empire_launch.yml

@@ -9,6 +9,7 @@ references:
     - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
 author: Florian Roth
 date: 2019/04/20
+modified: 2020/07/13
 tags:
     - attack.execution
     - attack.t1086
@@ -18,9 +19,12 @@ logsource:
     product: windows
 detection:
     selection:
-        CommandLine:
-            - '* -NoP -sta -NonI -W Hidden -Enc *'
-            - '* -noP -sta -w 1 -enc *'
-            - '* -NoP -NonI -W Hidden -enc *'
+        CommandLine|contains:
+            - ' -NoP -sta -NonI -W Hidden -Enc '
+            - ' -noP -sta -w 1 -enc '
+            - ' -NoP -NonI -W Hidden -enc '
+            - ' -noP -sta -w 1 -enc'
+            - ' -enc  SQB'
+            - ' -nop -exec bypass -EncodedCommand SQB'
     condition: selection
 level: critical