Detecting PowerShell Empire with Sysmon and Wazuh

Overview

PowerShell Empire is a popular post-exploitation framework that security teams frequently encounter during red team exercises and real attacks. This write-up documents how to detect Empire activity using Sysmon logs and Wazuh SIEM.

Detection Approach

Empire's PowerShell stager exhibits several detectable behaviors:

1. Encoded Command Execution (T1059.001)

Empire typically uses Base64-encoded commands to evade basic detection:

powershell.exe -NoP -sta -NonI -W Hidden -Enc <base64_blob>

Sysmon Event ID 1 Detection:

Process: powershell.exe

CommandLine contains: -Enc, -EncodedCommand, or long Base64 strings

Parent process is unusual (not explorer.exe, cmd.exe from user action)

2. Network Indicators (T1071.001)

Empire beacons to C2 server with distinctive patterns:

Regular interval HTTP/HTTPS requests

User-Agent strings that can be fingerprinted

Cookie-based data exfiltration

Wazuh Rule Example:

<rule id="100201" level="12">
  <if_sid>61603</if_sid>
  <field name="win.eventdata.commandLine" type="pcre2">(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{100,}</field>
  <description>Suspicious encoded PowerShell command detected</description>
  <mitre>
    <id>T1059.001</id>
  </mitre>
</rule>

Testing

Deploy Empire in a lab environment and validate detection:

Generate PowerShell stager

Execute on monitored endpoint

Verify Wazuh alerts trigger

Tune false positive thresholds

Conclusion

Layered detection combining process monitoring, network analysis, and behavioral rules provides robust coverage against Empire and similar frameworks.