
Suspicious Environment Variable Has Been Registered

Format: Sigma · Level: HIGH · Source: SigmaHQ · Sentinel table: imRegistry
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-31T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects the creation of user-specific or system-wide environment variables via the registry whose values contain suspicious commands or strings (interpreter names, user-writable paths, or base64 fragments of PE headers and PowerShell keywords).

Detection Rule

Sigma (Original)

title: Suspicious Environment Variable Has Been Registered
id: 966315ef-c5e1-4767-ba25-fce9c8de3660
status: test
description: Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings
references:
    - https://infosec.exchange/@sbousseaden/109542254124022664
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-12-20
modified: 2023-08-17
tags:
    - attack.persistence
    - attack.stealth
logsource:
    product: windows
    category: registry_set
detection:
    selection_main:
        TargetObject|contains: '\Environment\'
    selection_details:
        - Details:
              - 'powershell'
              - 'pwsh'
        - Details|contains:
              # Add more suspicious strings in env variables below
              - '\AppData\Local\Temp\'
              - 'C:\Users\Public\'
              # Base64 MZ Header
              - 'TVqQAAMAAAAEAAAA' # MZ..........
              - 'TVpQAAIAAAAEAA8A'
              - 'TVqAAAEAAAAEABAA'
              - 'TVoAAAAAAAAAAAAA'
              - 'TVpTAQEAAAAEAAAA'
              # Base64 Invoke- (UTF-8)
              - 'SW52b2tlL'
              - 'ludm9rZS'
              - 'JbnZva2Ut'
              # Base64 Invoke- (UTF-16LE)
              - 'SQBuAHYAbwBrAGUALQ'
              - 'kAbgB2AG8AawBlAC0A'
              - 'JAG4AdgBvAGsAZQAtA'
        - Details|startswith:  # https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639
              - 'SUVY'
              - 'SQBFAF'
              - 'SQBuAH'
              - 'cwBhA'
              - 'aWV4'
              - 'aQBlA'
              - 'R2V0'
              - 'dmFy'
              - 'dgBhA'
              - 'dXNpbm'
              - 'H4sIA'
              - 'Y21k'
              - 'cABhAH'
              - 'Qzpc'
              - 'Yzpc'
    condition: all of selection_*
falsepositives:
    - Unknown
level: high
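The Details|contains and Details|startswith lists above are base64 of a keyword at each of the three possible byte alignments (the trick behind the gist the rule links). As an added example, not part of the SigmaHQ rule, the Python below regenerates the rule's own Invoke- fragments from the keyword and then applies the rule's selection logic to a few constructed registry_set events; field names follow Sysmon event 13 (TargetObject, Details) and the SID in the sample keys is made up.

```python
import base64

def b64_fragments(keyword: str, encoding: str = "utf-8") -> list[str]:
    """Alignment-independent base64 fragments of `keyword` for byte offsets 0, 1, 2.
    Base64 maps 3 bytes to 4 chars, so chars that share bits with the unknown
    neighbouring bytes are dropped; what remains is present at any alignment."""
    raw = keyword.encode(encoding)
    frags = []
    for offset in range(3):
        enc = base64.b64encode(b"\x00" * offset + raw).decode().rstrip("=")
        if (offset + len(raw)) % 3:        # last group shares bits with the next byte
            enc = enc[:-1]
        frags.append(enc[(0, 2, 3)[offset]:])  # drop chars that depend on the \x00 pad
    return frags

# Literals from the rule (lower-cased: Sigma string matching is case-insensitive),
# with the Invoke- fragments regenerated instead of copied.
EXACT = ("powershell", "pwsh")
CONTAINS = ["\\appdata\\local\\temp\\", "c:\\users\\public\\",
            "tvqqaamaaaaeaaaa", "tvpqaaiaaaaeaa8a", "tvqaaaeaaaaeabaa",
            "tvoaaaaaaaaaaaaa", "tvptaqeaaaaeaaaa"]
CONTAINS += [f.lower() for f in b64_fragments("Invoke-") + b64_fragments("Invoke-", "utf-16-le")]
STARTSWITH = ["suvy", "sqbfaf", "sqbuah", "cwbha", "awv4", "aqbla", "r2v0", "dmfy",
              "dgbha", "dxnpbm", "h4sia", "y21k", "cabhah", "qzpc", "yzpc"]

def matches_rule(event: dict) -> bool:
    """Apply selection_main and selection_details to one registry_set event."""
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    if "\\environment\\" not in target:                  # selection_main
        return False
    return (details in EXACT                            # Details: equals
            or any(s in details for s in CONTAINS)      # Details|contains
            or any(details.startswith(s) for s in STARTSWITH))  # Details|startswith

# Constructed sample events in Sysmon event 13 field names; the SID is made up.
SAMPLES = [
    {"TargetObject": "HKU\\S-1-5-21-1\\Environment\\COMSPEC", "Details": "pwsh"},
    {"TargetObject": "HKU\\S-1-5-21-1\\Environment\\TEMP",
     "Details": "%USERPROFILE%\\AppData\\Local\\Temp"},   # no trailing '\': no match
    {"TargetObject": "HKU\\S-1-5-21-1\\Environment\\Path", "Details": "C:\\Users\\Public\\bin\\"},
    {"TargetObject": "HKU\\S-1-5-21-1\\Environment\\X", "Details": "Y21kLmV4ZQ=="},
    {"TargetObject": "HKLM\\SOFTWARE\\Vendor\\Setting", "Details": "pwsh"},   # not an Environment key
]

if __name__ == "__main__":
    print(b64_fragments("Invoke-"), b64_fragments("Invoke-", "utf-16-le"))
    print([matches_rule(e) for e in SAMPLES])   # [True, False, True, True, False]
```

The second sample shows why the rule's path strings carry a trailing backslash: the default per-user TEMP value ends in \Temp without one and is left alone.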

KQL (Azure Sentinel)

imRegistry
| where EventType == "RegistryValueSet"                 // Sigma category registry_set
// KQL endswith takes no wildcard, so the original `endswith "\\Environment*"` never matched.
// In ASIM, RegistryKey is the key path without the value name, so both the per-user and the
// system-wide Environment keys end in "\Environment"; the contains clause keeps parity with
// sources that append the value name to the key path.
| where RegistryKey endswith "\\Environment" or RegistryKey contains "\\Environment\\"
| where RegistryValueData in~ ("powershell", "pwsh")
    or RegistryValueData contains "\\AppData\\Local\\Temp\\"
    or RegistryValueData contains "C:\\Users\\Public\\"
    // Base64 MZ header
    or RegistryValueData contains "TVqQAAMAAAAEAAAA"
    or RegistryValueData contains "TVpQAAIAAAAEAA8A"
    or RegistryValueData contains "TVqAAAEAAAAEABAA"
    or RegistryValueData contains "TVoAAAAAAAAAAAAA"
    or RegistryValueData contains "TVpTAQEAAAAEAAAA"
    // Base64 Invoke- (UTF-8)
    or RegistryValueData contains "SW52b2tlL"
    or RegistryValueData contains "ludm9rZS"
    or RegistryValueData contains "JbnZva2Ut"
    // Base64 Invoke- (UTF-16LE)
    or RegistryValueData contains "SQBuAHYAbwBrAGUALQ"
    or RegistryValueData contains "kAbgB2AG8AawBlAC0A"
    or RegistryValueData contains "JAG4AdgBvAGsAZQAtA"
    // Base64 prefixes of common PowerShell keywords (see the gist linked in the Sigma rule)
    or RegistryValueData startswith "SUVY"
    or RegistryValueData startswith "SQBFAF"
    or RegistryValueData startswith "SQBuAH"
    or RegistryValueData startswith "cwBhA"
    or RegistryValueData startswith "aWV4"
    or RegistryValueData startswith "aQBlA"
    or RegistryValueData startswith "R2V0"
    or RegistryValueData startswith "dmFy"
    or RegistryValueData startswith "dgBhA"
    or RegistryValueData startswith "dXNpbm"
    or RegistryValueData startswith "H4sIA"
    or RegistryValueData startswith "Y21k"
    or RegistryValueData startswith "cABhAH"
    or RegistryValueData startswith "Qzpc"
    or RegistryValueData startswith "Yzpc"

KQL (Microsoft 365 Defender)

DeviceRegistryEvents
| where ActionType == "RegistryValueSet"                // Sigma category registry_set
// KQL endswith takes no wildcard, so the original `endswith "\\Environment*"` never matched.
// RegistryKey here is the key path without the value name (RegistryValueName is separate),
// so the Environment keys end in "\Environment"; the contains clause keeps parity with
// sources that append the value name to the key path.
| where RegistryKey endswith "\\Environment" or RegistryKey contains "\\Environment\\"
| where RegistryValueData in~ ("powershell", "pwsh")
    or RegistryValueData contains "\\AppData\\Local\\Temp\\"
    or RegistryValueData contains "C:\\Users\\Public\\"
    // Base64 MZ header
    or RegistryValueData contains "TVqQAAMAAAAEAAAA"
    or RegistryValueData contains "TVpQAAIAAAAEAA8A"
    or RegistryValueData contains "TVqAAAEAAAAEABAA"
    or RegistryValueData contains "TVoAAAAAAAAAAAAA"
    or RegistryValueData contains "TVpTAQEAAAAEAAAA"
    // Base64 Invoke- (UTF-8)
    or RegistryValueData contains "SW52b2tlL"
    or RegistryValueData contains "ludm9rZS"
    or RegistryValueData contains "JbnZva2Ut"
    // Base64 Invoke- (UTF-16LE)
    or RegistryValueData contains "SQBuAHYAbwBrAGUALQ"
    or RegistryValueData contains "kAbgB2AG8AawBlAC0A"
    or RegistryValueData contains "JAG4AdgBvAGsAZQAtA"
    // Base64 prefixes of common PowerShell keywords (see the gist linked in the Sigma rule)
    or RegistryValueData startswith "SUVY"
    or RegistryValueData startswith "SQBFAF"
    or RegistryValueData startswith "SQBuAH"
    or RegistryValueData startswith "cwBhA"
    or RegistryValueData startswith "aWV4"
    or RegistryValueData startswith "aQBlA"
    or RegistryValueData startswith "R2V0"
    or RegistryValueData startswith "dmFy"
    or RegistryValueData startswith "dgBhA"
    or RegistryValueData startswith "dXNpbm"
    or RegistryValueData startswith "H4sIA"
    or RegistryValueData startswith "Y21k"
    or RegistryValueData startswith "cABhAH"
    or RegistryValueData startswith "Qzpc"
    or RegistryValueData startswith "Yzpc"

Required Data Sources

Sentinel Table    Notes
imRegistry        Ensure this data connector is enabled

False Positive Guidance

The rule's falsepositives field lists only "Unknown"; no upstream tuning guidance exists. Since selection_main matches any value written under an Environment key, precision rests entirely on the string lists in selection_details, so review hits on values such as Path or TEMP against those lists before adding exclusions.

MITRE ATT&CK Context

Rule tags: attack.persistence (Persistence) and attack.stealth, which does not correspond to a current ATT&CK tactic name.
References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml