EXPLORE
Sign In
← Back to Explore
splunk_escuTTP

Detect Empire with PowerShell Script Block Logging

The following analytic detects suspicious PowerShell execution indicative of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze commands sent to PowerShell, specifically looking for patterns involving `system.net.webclient` and base64 encoding. This behavior is significant as it often represents initial stagers used by PowerShell-Empire, a known post-exploitation framework. If confirmed malicious, this activity could allow attackers to download and execute additional payloads, leading to potential code execution, data exfiltration, or further compromise of the affected system.

MITRE ATT&CK

T1059.001
execution

Detection Query

`powershell` EventCode=4104  (ScriptBlockText=*system.net.webclient* AND ScriptBlockText=*frombase64string*)
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest signature signature_id
       user_id vendor_product EventID
       Guid Opcode Name
       Path ProcessID ScriptBlockId
       ScriptBlockText
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `detect_empire_with_powershell_script_block_logging_filter`

Author

Michael Haag, Splunk

Created

2026-03-10

Data Sources

Powershell Script Block Logging 4104

References

Tags

Hellcat RansomwareMalicious PowerShellHermetic WiperData Destruction
Raw Content
name: Detect Empire with PowerShell Script Block Logging
id: bc1dc6b8-c954-11eb-bade-acde48001122
version: 12
date: '2026-03-10'
author: Michael Haag, Splunk
status: production
type: TTP
description: The following analytic detects suspicious PowerShell execution indicative of PowerShell-Empire activity. It leverages PowerShell Script Block Logging (EventCode=4104) to capture and analyze commands sent to PowerShell, specifically looking for patterns involving `system.net.webclient` and base64 encoding. This behavior is significant as it often represents initial stagers used by PowerShell-Empire, a known post-exploitation framework. If confirmed malicious, this activity could allow attackers to download and execute additional payloads, leading to potential code execution, data exfiltration, or further compromise of the affected system.
data_source:
    - Powershell Script Block Logging 4104
search: |-
    `powershell` EventCode=4104  (ScriptBlockText=*system.net.webclient* AND ScriptBlockText=*frombase64string*)
      | fillnull
      | stats count min(_time) as firstTime max(_time) as lastTime
        BY dest signature signature_id
           user_id vendor_product EventID
           Guid Opcode Name
           Path ProcessID ScriptBlockId
           ScriptBlockText
      | `security_content_ctime(firstTime)`
      | `security_content_ctime(lastTime)`
      | `detect_empire_with_powershell_script_block_logging_filter`
how_to_implement: To successfully implement this analytic, you will need to enable PowerShell Script Block Logging on some or all endpoints. Additional setup here https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
known_false_positives: False positives may only pertain to it not being related to Empire, but another framework. Filter as needed if any applications use the same pattern.
references:
    - https://help.splunk.com/en/security-offerings/splunk-user-behavior-analytics/get-data-in/5.4.1/add-other-data-to-splunk-uba/configure-powershell-logging-to-see-powershell-anomalies-in-splunk-uba.
    - https://blog.palantir.com/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63
    - https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/59c1814829f18782e24f1fe2/1505853768977/Windows+PowerShell+Logging+Cheat+Sheet+ver+Sept+2017+v2.1.pdf
    - https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
    - https://github.com/BC-SECURITY/Empire
    - https://www.splunk.com/en_us/blog/security/hunting-for-malicious-powershell-using-script-block-logging.html
drilldown_searches:
    - name: View the detection results for - "$user$" and "$Computer$"
      search: '%original_detection_search% | search  user = "$user$" Computer = "$Computer$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$user$" and "$Computer$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$", "$Computer$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
rba:
    message: The following behavior was identified and typically related to PowerShell-Empire on $dest$ by $user_id$.
    risk_objects:
        - field: user_id
          type: user
          score: 50
        - field: dest
          type: system
          score: 50
    threat_objects: []
tags:
    analytic_story:
        - Hellcat Ransomware
        - Malicious PowerShell
        - Hermetic Wiper
        - Data Destruction
    asset_type: Endpoint
    mitre_attack_id:
        - T1059.001
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: endpoint
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/powershell_script_block_logging/empire.log
          source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
          sourcetype: XmlWinEventLog