
Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity

Full paper available as PDF (5.07MB). Published: 23 Feb, 2018
Created by Michael C. Long II

Windows PowerShell has quickly become ubiquitous in enterprise networks. Threat actors increasingly use attack frameworks such as PowerShell Empire because of their robust APT-like capabilities, stealth, and flexibility. This research identifies specific artifacts, behaviors, and indicators of compromise that network defenders can observe in order to quickly identify PowerShell Empire command and control activity in the enterprise. By applying these techniques, defenders can dramatically reduce the dwell time of adversaries who rely on PowerShell Empire.
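The abstract does not list the indicators the paper covers, but two of the cheapest checks a defender can run against proxy logs are shown below as an added example; this is illustrative code written for this page, not code from the paper or from the Empire project. The URI paths and User-Agent string are assumed to be the values shipped in Empire's public default listener profile, and the log format, sample lines, field names and function names are constructed for the example. Because an operator can change the profile, the block also flags source/destination pairs whose request timing has almost no jitter, which is the behavioral pattern a default-configured Empire agent produces regardless of the URIs it uses.

```python
"""Illustrative PowerShell Empire C2 triage over constructed proxy log lines.

Assumptions (not taken from the page): EMPIRE_DEFAULT_URIS and
EMPIRE_DEFAULT_UA are the values in Empire's public default listener
profile; an operator can change them, so treat a profile match as a
low-cost first check and the beacon-regularity check as the more durable
signal.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Assumed defaults from Empire's public default listener profile.
EMPIRE_DEFAULT_URIS = {"/admin/get.php", "/news.php", "/login/process.php"}
EMPIRE_DEFAULT_UA = ("Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; "
                     "rv:11.0) like Gecko")

# Constructed sample proxy log: "epoch src dst method uri "user-agent"".
# Host 10.0.0.5 beacons every 5 s with the default profile; 10.0.0.9 is
# ordinary browsing that happens to touch a /news.php path once.
SAMPLE_LOG = """\
1519372800 10.0.0.5 198.51.100.7 GET /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
1519372805 10.0.0.5 198.51.100.7 GET /news.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
1519372810 10.0.0.5 198.51.100.7 GET /login/process.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
1519372815 10.0.0.5 198.51.100.7 GET /admin/get.php "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
1519372800 10.0.0.9 203.0.113.20 GET /index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/64.0"
1519372930 10.0.0.9 203.0.113.20 GET /news.php "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/64.0"
1519373401 10.0.0.9 203.0.113.20 GET /about.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/64.0"
"""

LINE_RE = re.compile(r'^(\d+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_log(text):
    """Parse the constructed log layout into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, method, uri, ua = m.groups()
        events.append({"ts": int(ts), "src": src, "dst": dst,
                       "method": method, "uri": uri, "ua": ua})
    return events


def default_profile_hits(events):
    """Requests whose URI *and* User-Agent both match the assumed Empire defaults.

    Requiring both fields avoids flagging a benign site that merely serves
    a /news.php page.
    """
    return [e for e in events
            if e["uri"] in EMPIRE_DEFAULT_URIS and e["ua"] == EMPIRE_DEFAULT_UA]


def beacon_candidates(events, min_requests=4, max_cv=0.1):
    """Flag src->dst pairs whose inter-request intervals are nearly constant.

    A coefficient of variation (stdev / mean) near zero means no jitter,
    which is what an agent with a fixed sleep and zero jitter produces.
    Pairs with too few requests are ignored to limit false positives.
    """
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    flagged = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_requests:
            continue
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {"interval": avg, "cv": round(cv, 3), "n": len(stamps)}
    return flagged


def triage(text):
    """Run both checks over a log and return the findings for review."""
    events = parse_log(text)
    return {"profile_hits": default_profile_hits(events),
            "beacons": beacon_candidates(events)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for e in report["profile_hits"]:
        print(f"default-profile hit: {e['src']} -> {e['dst']} {e['uri']}")
    for (src, dst), info in report["beacons"].items():
        print(f"beacon-like: {src} -> {dst} every {info['interval']}s "
              f"(n={info['n']}, cv={info['cv']})")
```

On the sample data only 10.0.0.5 is reported by both checks: its four requests match the assumed default URIs and User-Agent, and their 5 s spacing has zero jitter. The single /news.php request from 10.0.0.9 is not a profile hit because its User-Agent differs, and the pair is not beacon-like because it has too few requests with irregular gaps. In practice the jitter threshold and minimum request count should be tuned per environment, and a profile hit alone should trigger host-side investigation rather than be treated as confirmation.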