Suspicious Environment Variable Has Been Registered

Detects the creation of user-specific or system-wide environment variables via the registry whose values contain suspicious commands or strings (PowerShell launchers, temp or public paths, and base64 fragments of PE headers or PowerShell cmdlets).

Sigma rule (View on GitHub)

title: Suspicious Environment Variable Has Been Registered
id: 966315ef-c5e1-4767-ba25-fce9c8de3660
status: test
description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
references:
    - https://infosec.exchange/@sbousseaden/109542254124022664
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-20
modified: 2023-08-17
tags:
    - attack.defense-evasion
    - attack.persistence
logsource:
    product: windows
    category: registry_set
detection:
    selection_main:
        TargetObject|contains: '\Environment\'
    selection_details:
        - Details:
              - 'powershell'
              - 'pwsh'
        - Details|contains:
              # Add more suspicious strings in env variables below
              - '\AppData\Local\Temp\'
              - 'C:\Users\Public\'
              # Base64 MZ Header
              - 'TVqQAAMAAAAEAAAA' # MZ..........
              - 'TVpQAAIAAAAEAA8A'
              - 'TVqAAAEAAAAEABAA'
              - 'TVoAAAAAAAAAAAAA'
              - 'TVpTAQEAAAAEAAAA'
              # Base64 Invoke- (UTF-8)
              - 'SW52b2tlL'
              - 'ludm9rZS'
              - 'JbnZva2Ut'
              # Base64 Invoke- (UTF-16LE)
              - 'SQBuAHYAbwBrAGUALQ'
              - 'kAbgB2AG8AawBlAC0A'
              - 'JAG4AdgBvAGsAZQAtA'
        - Details|startswith:  # https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
              - 'SUVY'
              - 'SQBFAF'
              - 'SQBuAH'
              - 'cwBhA'
              - 'aWV4'
              - 'aQBlA'
              - 'R2V0'
              - 'dmFy'
              - 'dgBhA'
              - 'dXNpbm'
              - 'H4sIA'
              - 'Y21k'
              - 'cABhAH'
              - 'Qzpc'
              - 'Yzpc'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
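To make the detection logic concrete, the following is an added example (not part of the Sigma rule or its repository): it re-implements the rule's selection matching in Python over constructed registry_set events, and shows why each base64-encoded keyword is listed as three strings, since a keyword inside a base64 blob encodes differently depending on its byte offset modulo 3 and only the alignment-independent substring of each variant is reliable. The event fields, SID and values are constructed, and the indicator lists are a subset of the rule's.

```python
import base64

# Constructed subset of the rule's selection_details lists (the full lists
# are in the Sigma rule above); Sigma string matching is case-insensitive by
# default, so everything is compared lower-cased.
DETAILS_EQUALS = {"powershell", "pwsh"}
DETAILS_CONTAINS = ["\\appdata\\local\\temp\\", "c:\\users\\public\\",
                    "tvqqaamaaaaeaaaa",                     # base64 MZ header
                    "sw52b2tll", "ludm9rzs", "jbnzva2ut",    # Invoke- (UTF-8)
                    "sqbuahyabwbragualq", "kabgb2ag8aawblac0a", "jag4adgbvagsazqata"]
DETAILS_STARTSWITH = ["suvy", "sqbfaf", "sqbuah", "awv4", "aqbla", "h4sia", "y21k", "qzpc", "yzpc"]

def base64_alignment_variants(data: bytes) -> list[str]:
    """Base64 of `data` as it appears at byte offset 0, 1 and 2 inside a
    larger blob, with the characters that also depend on neighbouring bytes
    removed. This reproduces why the rule lists three strings per keyword."""
    out = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + data).decode().rstrip("=")
        skip = (offset * 8 + 5) // 6                 # chars touched by the padding
        keep = ((offset + len(data)) * 8) // 6       # chars fully determined by input
        out.append(enc[skip:keep])
    return out

def matches_rule(event: dict) -> bool:
    """Evaluate 'condition: all of selection_*' for one registry_set event.
    Plain re-implementation for illustration, not a Sigma backend."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    if "\\environment\\" not in target:              # selection_main
        return False
    return (details in DETAILS_EQUALS                # selection_details
            or any(s in details for s in DETAILS_CONTAINS)
            or any(details.startswith(s) for s in DETAILS_STARTSWITH))

# Constructed events (the SID and the values are made up for the example).
USER_ENV = "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\"
SAMPLE_EVENTS = [
    {"TargetObject": USER_ENV + "UPDATER", "Details": "pwsh"},
    {"TargetObject": USER_ENV + "CFG",                # 'Invoke-' at offset 2
     "Details": base64.b64encode(b"XXInvoke-Expression").decode()},
    {"TargetObject": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager"
                     "\\Environment\\Path", "Details": "C:\\Windows\\system32"},
    {"TargetObject": "HKLM\\SOFTWARE\\Vendor\\Settings", "Details": "powershell"},
]

def run_samples() -> list[bool]:
    return [matches_rule(e) for e in SAMPLE_EVENTS]
```

Only the first two constructed events fire: the benign PATH update and the non-Environment key do not satisfy both selections.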
