Suspicious Get-Variable.exe Creation
Get-Variable is a valid PowerShell cmdlet. The per-user WindowsApps directory is by default in the PATH of the environment PowerShell executes in, so when the Get-Variable command is issued in a PowerShell session, the system first looks for a Get-Variable executable in the PATH and executes the malicious binary there instead of resolving the PowerShell cmdlet.
Sigma rule
title: Suspicious Get-Variable.exe Creation
id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
status: test
description: |
    Get-Variable is a valid PowerShell cmdlet
    WindowsApps is by default in the path where PowerShell is executed.
    So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
references:
    - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
    - https://www.joesandbox.com/analysis/465533/0/html
author: frack113
date: 2022-04-23
tags:
    - attack.persistence
    - attack.t1546
    - attack.defense-evasion
    - attack.t1027
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
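The rule above has a single selection, `TargetFilename|endswith`, joined by `condition: selection`. The following added example (not part of the Sigma rule or the page) evaluates that logic over a handful of constructed file-creation events shaped like normalised Sysmon Event ID 11 records, so a detection engineer can see exactly which events fire. It assumes Sigma's default case-insensitive string matching and constructs every user name, process path and event itself; none of those values come from the page.

```python
# Added example, not part of the Sigma rule page: a minimal evaluator for this
# rule's `TargetFilename|endswith` selection over constructed file-creation events
# (shaped like normalised Sysmon Event ID 11 / FileCreate records).
# Sigma string matching is case-insensitive by default, so both sides are lower-cased.

# Suffix exactly as written in the rule's selection.
RULE_SUFFIX = r"Local\Microsoft\WindowsApps\Get-Variable.exe"
RULE_TITLE = "Suspicious Get-Variable.exe Creation"
RULE_LEVEL = "high"


def selection_matches(event: dict) -> bool:
    """Evaluate the rule's only selection: TargetFilename|endswith (case-insensitive)."""
    target = event.get("TargetFilename")
    if not isinstance(target, str):
        # Events without a TargetFilename (or with a non-string one) cannot match.
        return False
    return target.lower().endswith(RULE_SUFFIX.lower())


def evaluate(events):
    """Return alert records for every event satisfying `condition: selection`."""
    alerts = []
    for ev in events:
        if selection_matches(ev):
            alerts.append({
                "rule": RULE_TITLE,
                "level": RULE_LEVEL,
                "Image": ev.get("Image"),
                "TargetFilename": ev["TargetFilename"],
            })
    return alerts


# Constructed sample events: user names, process images and paths are made up.
SAMPLE_EVENTS = [
    {   # Get-Variable.exe written into the per-user WindowsApps folder: fires.
        "EventID": 11,
        "Image": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe",
    },
    {   # Same location in different casing: Sigma matching is case-insensitive, fires.
        "EventID": 11,
        "Image": r"C:\Windows\System32\cmd.exe",
        "TargetFilename": r"c:\users\bob\appdata\local\microsoft\windowsapps\get-variable.exe",
    },
    {   # An ordinary app-execution alias in the same directory: does not fire.
        "EventID": 11,
        "Image": r"C:\Windows\System32\svchost.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\python.exe",
    },
    {   # A file of the same name outside WindowsApps: outside this rule's scope,
        # does not fire (this rule covers only the WindowsApps PATH entry).
        "EventID": 11,
        "Image": r"C:\Users\alice\AppData\Local\Temp\stage.exe",
        "TargetFilename": r"C:\Users\alice\Downloads\Get-Variable.exe",
    },
]


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(f"[{alert['level']}] {alert['rule']}: "
              f"{alert['Image']} -> {alert['TargetFilename']}")
```

Running the block prints two alerts: the first two constructed events, and nothing for the last two. The fourth event illustrates the rule's scope rather than a gap to fix: the selection is deliberately anchored to the WindowsApps directory because that is the PATH entry the description calls out.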