Detectionhightest

Suspicious Get-Variable.exe Creation

Get-Variable is a valid PowerShell cmdlet WindowsApps is by default in the path where PowerShell is executed. So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Sat Apr 230c3fac91-5627-46e8-a6a8-a0d7b9b8ae1bwindows

Log Source

WindowsFile Event

ProductWindows← raw: windows

CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic

detection:
    selection:
        TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

blog.malwarebytes.com

Resolving title…

joesandbox.com

MITRE ATT&CK

Tactics

TA0004 · Privilege Escalation TA0003 · Persistence TA0005 · Defense Evasion

Techniques

T1546 · Event Triggered Execution T1027 · Obfuscated Files or Information

Rule Metadata

Rule ID

0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b

Status

test

Level

high

Type

Detection

Created

Sat Apr 23

Author

François Hubaut

Path

rules/windows/file/file_event/file_event_win_susp_get_variable.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.t1546attack.defense-evasionattack.t1027

View on GitHub