Suspicious Get-Variable.exe Creation
Get-Variable is a valid PowerShell cmdlet. On Windows 10 and later the per-user folder %LOCALAPPDATA%\Microsoft\WindowsApps (the home of app execution aliases) is placed on the user's PATH by default, and the user can write to it without elevation. If a binary named Get-Variable.exe is dropped there and PowerShell is then started, the Get-Variable name issued during PowerShell execution is resolved to that executable on the PATH, so the malicious binary runs instead of the built-in cmdlet. The rule therefore alerts on the creation of a file at that exact path; the Malwarebytes analysis of Colibri Loader referenced below documents the technique being used together with a scheduled task for persistence. Note that the path pattern ends in Local\Microsoft\WindowsApps, which is this per-user folder and not the protected package store under C:\Program Files\WindowsApps.
Sigma rule

```yaml
title: Suspicious Get-Variable.exe Creation
id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
status: test
description: |
    Get-Variable is a valid PowerShell cmdlet
    WindowsApps is by default in the path where PowerShell is executed.
    So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
references:
    - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
    - https://www.joesandbox.com/analysis/465533/0/html
author: frack113
date: 2022-04-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546
    - attack.defense-evasion
    - attack.t1027
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
```
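As an added example (not code from the rule page or from the SigmaHQ project), the following Python evaluates the rule's single selection against constructed Sysmon Event ID 11 (FileCreate) records, which is what the `windows`/`file_event` logsource maps to in the usual Sigma pipelines. Two points a practitioner wants to confirm are built in: Sigma string modifiers such as `endswith` are case-insensitive by default, and NTFS paths are too, so a drop written as `GET-VARIABLE.EXE` must still match. The `matches_hunt` function goes beyond the rule; it is a heuristic of this example (not part of the rule) that flags any Verb-Noun named executable written into the per-user WindowsApps folder, since the same PATH-precedence trick works for other cmdlet names. All sample events and folder names below are constructed, not real telemetry.

```python
# Added example, not code from the Sigma rule page or from SigmaHQ.
# Evaluates the rule's file_event selection over constructed Sysmon
# Event ID 11 (FileCreate) records, plus a broader hunt heuristic.
import re

# The rule's only selection: TargetFilename|endswith this suffix.
RULE_SUFFIX = r"Local\Microsoft\WindowsApps\Get-Variable.exe"

# Hunt heuristic (assumption of this example, not part of the rule):
# any Verb-Noun.exe dropped directly into the per-user WindowsApps folder.
USER_WINDOWSAPPS = r"Local\Microsoft\WindowsApps"
VERB_NOUN_EXE = re.compile(r"^[a-z]+-[a-z]+\.exe$", re.IGNORECASE)

# Constructed sample telemetry (not real captures); field names follow Sysmon EID 11.
SAMPLE_EVENTS = [
    # The exact drop the rule is written for.
    {"EventID": 11,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"},
    # Ordinary document write; benign.
    {"EventID": 11,
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    # Same drop with different casing: NTFS is case-insensitive, so the match must be too.
    {"EventID": 11,
     "TargetFilename": r"C:\USERS\BOB\APPDATA\LOCAL\MICROSOFT\WINDOWSAPPS\GET-VARIABLE.EXE"},
    # The package store under Program Files is a different WindowsApps folder; out of scope.
    {"EventID": 11,
     "TargetFilename": r"C:\Program Files\WindowsApps\Contoso.Demo_1.0.0.0_x64__constructed\Get-Variable.exe"},
    # Another cmdlet name in the per-user folder: missed by the rule, caught by the hunt.
    {"EventID": 11,
     "TargetFilename": r"C:\Users\carol\AppData\Local\Microsoft\WindowsApps\Get-ChildItem.exe"},
    # A plain app execution alias name in the same folder; the hunt leaves it alone.
    {"EventID": 11,
     "TargetFilename": r"C:\Users\carol\AppData\Local\Microsoft\WindowsApps\python.exe"},
    # Process creation (EID 1), not a file event: outside the rule's logsource.
    {"EventID": 1,
     "TargetFilename": ""},
]


def matches_rule(event: dict) -> bool:
    """The Sigma selection: a file_event (Sysmon EID 11) whose TargetFilename ends
    with the rule suffix. Sigma modifiers are case-insensitive by default, so both
    sides are lowered before comparing."""
    if event.get("EventID") != 11:
        return False
    return event.get("TargetFilename", "").lower().endswith(RULE_SUFFIX.lower())


def matches_hunt(event: dict) -> bool:
    """Heuristic beyond the rule: any Verb-Noun.exe created directly inside the
    per-user WindowsApps folder. Expect to tune this against your own alias inventory."""
    if event.get("EventID") != 11:
        return False
    folder, _, name = event.get("TargetFilename", "").rpartition("\\")
    return (folder.lower().endswith(USER_WINDOWSAPPS.lower())
            and VERB_NOUN_EXE.match(name) is not None)


def triage(events) -> list:
    """Return (TargetFilename, verdict) per event; verdict is 'rule', 'hunt' or None."""
    out = []
    for ev in events:
        if matches_rule(ev):
            verdict = "rule"
        elif matches_hunt(ev):
            verdict = "hunt"
        else:
            verdict = None
        out.append((ev.get("TargetFilename", ""), verdict))
    return out


if __name__ == "__main__":
    for target, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict or '-':5} {target}")
```

When adapting the hunt, treat its hits as leads rather than alerts: legitimate app execution aliases in that folder are normally zero-byte reparse points with plain names, so a real PE of any size named after a cmdlet is worth pulling, but the rule's own path match remains the high-confidence signal.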
Related rules
- COM Hijack via Sdclt
- Control Panel Items
- Operation Wocao Activity
- Operation Wocao Activity - Security
- APT27 - Emissary Panda Activity