200-endpoint software company · PowerShell Empire fileless C2 · undetected for 90 days
At a 200-endpoint software company a SOC analyst had been seeing anomalous PowerShell activity for weeks. AV/EDR kept coming back clean. With memory forensics DSET revealed an Empire C2 beacon, 47 endpoints were fully cleaned; after a ZTNA + EDR + Sysmon + KQL architecture, 12 months clean and a MITRE ATT&CK simulation was passed.
01 The Challenge
Sysmon: an encoded PowerShell -enc command on 47 endpoints (for weeks). Memory dump: System.Reflection.Assembly.Load patterns (fileless). No disk artifact, only memory; AV/EDR coming back clean. Because Empire is signature-less, signature-based detection does not work. The DA compromise 2 hops away.
02 DSET's Approach
T+0 · Memory forensics
Analysis of 3 host memory dumps with Volatility. An Empire C2 server was detected (a PowerShellEmpire/empire-dev fork). A 47-host TTP map + USOM coordination.
T+1 week · Passive observation
1 week of TTP collection (without the attacker noticing): the C2 server, the exfil channel, 5 additional beacons revealed.
T+2 weeks · Coordinated eradication
Simultaneous cleanup of 47 endpoints (without the attacker's knowledge). Kerberos krbtgt rotation × 2, the Cobalt Strike beacon crew kicked out.
T+3 weeks · Constrained Mode
PowerShell Constrained Language Mode + AppLocker active. ZTNA + EDR (CrowdStrike Falcon) + Sysmon installed on all endpoints.