Microsoft Security Intelligence
Published Nov 13, 2018 | Updated Jul 03, 2023

Behavior:PowerShell/Empire.A

Detected by Microsoft Defender Antivirus

Aliases: No associated aliases

Summary

This is a generic detection for a PowerShell Empire stager. An Empire stager is a small program or script used to install an Empire agent. An Empire agent is a post-exploitation tool used to establish communication with command-and-control (C2) infrastructure for remote command execution.

Guidance for individual users

Keep your operating system and antivirus products up to date. Customers who have turned on automatic updates do not need to take additional action.

Take these steps to help prevent malware infection on your computer.

Guidance for end users

Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.

  • Do not launch programs from unknown sources.
  • Check your perimeter firewall and proxy to restrict servers from making arbitrary connections to the internet to browse or download files. Such restrictions help inhibit malware downloads and C2 activity, including from mobile devices.
  • Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Run the latest version of your operating systems and applications. Deploy the latest security updates as soon as they become available.
  • Educate end users about preventing malware infections. Encourage end users to practice good credential hygiene—limit the use of accounts with local or domain admin privileges and turn on Microsoft Defender Firewall to prevent malware infection and stifle propagation.
  • Turn on attack surface reduction rules, including rules that can block advanced macro activity, executable content, process creation, and process injection initiated by Office applications.
  • Check your Office 365 email filtering settings to ensure you block spoofed emails, spam, and emails with malware. Use Microsoft Defender for Office 365 for enhanced phishing protection and coverage against new threats and polymorphic variants. Configure Office 365 to recheck links on click and delete sent mail in response to newly acquired threat intelligence.
  • Prevent the use of unauthorized apps with application control, including on enterprise mobile devices.
  • For efficient incident response, maintain a forensics-ready network with centralized event logging, file detonation services, and up-to-date asset inventories.
  • Turn on the following attack surface reduction rules to block or audit activity associated with this threat:
    • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
    • Block executable content from email client and webmail
    • Block all Office applications from creating child processes
    • Block Office applications from creating executable content
    • Block persistence through WMI event subscription
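The following PowerShell is an added example, not part of the Microsoft page, showing how an administrator can apply the Defender Antivirus mitigations listed above (cloud-delivered protection, automatic sample submission, and the five attack surface reduction rules) on a single host and then verify the result. The rule GUIDs are Microsoft's published identifiers for the named ASR rules; the page itself lists only the rule names. The function name `Set-EmpireStagerMitigations`, the `-Mode` parameter, and the default of starting in audit mode are this example's own choices. Running the rules in AuditMode first records Defender Operational log events (ID 1122 for audited, 1121 for blocked activity) without disrupting users, so the audit output can be reviewed before switching the rules to `Enabled`.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Microsoft page). Applies the Defender Antivirus
# mitigations recommended above and verifies them. Run in an elevated session on
# a host with Microsoft Defender Antivirus.

# Microsoft's published ASR rule GUIDs for the five rules named on the page.
$AsrRules = [ordered]@{
    'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' = '01443614-cd74-433a-b99e-2ecdc07bfc25'
    'Block executable content from email client and webmail'                                            = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block all Office applications from creating child processes'                                       = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Office applications from creating executable content'                                        = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block persistence through WMI event subscription'                                                  = 'e6db77e5-3df2-4cf1-b95a-636979351e5b'
}

# Numeric action codes returned by Get-MpPreference for AttackSurfaceReductionRules_Actions.
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-EmpireStagerMitigations {
    # Function name and -Mode parameter are this example's own (hypothetical).
    # Defaults to AuditMode so the rules can be evaluated before enforcement.
    [CmdletBinding()]
    param(
        [ValidateSet('AuditMode', 'Enabled')]
        [string]$Mode = 'AuditMode'
    )

    # Cloud-delivered protection and automatic sample submission (page bullet 3).
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendAllSamples

    # Apply each ASR rule in the requested mode. Add-MpPreference appends to the
    # existing rule set rather than overwriting rules configured elsewhere.
    foreach ($entry in $AsrRules.GetEnumerator()) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value `
                         -AttackSurfaceReductionRules_Actions $Mode
        Write-Verbose ("{0} -> {1}" -f $entry.Key, $Mode)
    }
}

function Get-EmpireStagerMitigationStatus {
    # Reads back the effective configuration so drift can be spotted.
    $pref = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)

    foreach ($entry in $AsrRules.GetEnumerator()) {
        $idx = [array]::IndexOf($ids, $entry.Value)
        $state = if ($idx -ge 0) { $ActionNames[[int]$actions[$idx]] } else { 'NotConfigured' }
        [pscustomobject]@{
            Rule   = $entry.Key
            Id     = $entry.Value
            State  = $state
        }
    }
    [pscustomobject]@{
        Rule  = 'Cloud-delivered protection (MAPSReporting)'
        Id    = ''
        State = $pref.MAPSReporting
    }
    [pscustomobject]@{
        Rule  = 'Automatic sample submission (SubmitSamplesConsent)'
        Id    = ''
        State = $pref.SubmitSamplesConsent
    }
}

function Get-AsrRuleEvents {
    # Recent ASR audit (1122) and block (1121) events from the Defender Operational log.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: audit first, review the events, then enforce.
Set-EmpireStagerMitigations -Mode AuditMode -Verbose
Get-EmpireStagerMitigationStatus | Format-Table -AutoSize
Get-AsrRuleEvents | Format-List
# After review:  Set-EmpireStagerMitigations -Mode Enabled
```

In a managed environment these settings are normally delivered through Intune or Group Policy rather than per host; the script is useful for lab validation and for checking that the policy-delivered state matches what the recommendations card reports.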