Adversaries may drop a malicious Get-Variable.exe that masquerades as the legitimate PowerShell cmdlet of the same name, using its legitimate appearance to evade detection while exfiltrating data or manipulating PowerShell variables. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential data exfiltration or persistence mechanisms that bypass traditional detection methods.
Detection Rule
title: Suspicious Get-Variable.exe Creation
id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b
status: test
description: |
    Get-Variable is a valid PowerShell cmdlet.
    WindowsApps is by default in the path where PowerShell is executed.
    So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet.
references:
    - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
    - https://www.joesandbox.com/analysis/465533/0/html
author: frack113
date: 2022-04-23
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546
    - attack.defense-evasion
    - attack.t1027
logsource:
    product: windows
    category: file_event
detection:
    selection:
        TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
imFileEvent
| where TargetFileName endswith "Local\\Microsoft\\WindowsApps\\Get-Variable.exe"
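As an added example (not the page's or the rule author's code), the same selection re-implemented in Python and run over constructed Sysmon Event ID 11 (FileCreate) records, so the match can be checked against sample paths, including the case and separator variants that the case-insensitive Sigma and KQL endswith also catch. The field names (UtcTime, User, Image, TargetFilename) follow Sysmon's FileCreate event; the events themselves are constructed.

```python
from typing import Dict, List

# The 'TargetFilename|endswith' value from the Sigma selection above. Sigma string
# matching and KQL's endswith are both case-insensitive, so the check folds case.
SUFFIX = r"Local\Microsoft\WindowsApps\Get-Variable.exe"


def normalize_path(path: str) -> str:
    """Lower-case the path and unify separators so variants of the same path match."""
    return path.replace("/", "\\").lower()


def is_suspicious_get_variable(event: Dict[str, str]) -> bool:
    """True when a file-creation event satisfies the rule's selection."""
    target = event.get("TargetFilename", "")
    return normalize_path(target).endswith(normalize_path(SUFFIX))


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return matching events, oldest first, keeping the creating process for triage."""
    hits = [e for e in events if is_suspicious_get_variable(e)]
    return sorted(hits, key=lambda e: e["UtcTime"])


# Constructed Sysmon Event ID 11 records for illustration only, not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"UtcTime": "2022-04-23 10:01:07", "User": "HOST\\alice",
     "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"},
    {"UtcTime": "2022-04-23 09:15:30", "User": "HOST\\alice",
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\wt.exe"},  # app alias, benign
    {"UtcTime": "2022-04-23 11:42:00", "User": "HOST\\bob",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\bob\Documents\Get-Variable.exe"},  # same name, outside WindowsApps
    {"UtcTime": "2022-04-23 12:03:55", "User": "HOST\\bob",
     "Image": r"C:\Users\bob\AppData\Roaming\update.exe",
     "TargetFilename": "c:/users/bob/appdata/local/microsoft/windowsapps/get-variable.exe"},  # case/separator variant
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit['UtcTime']}  {hit['User']}  created by {hit['Image']}")
```

Because the rule fires on file creation rather than on execution, the creating Image and User are the first fields to triage, which is why each hit keeps them.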
Scenario: A system administrator is using Get-Variable to inspect the environment variables during a routine PowerShell session.
Filter/Exclusion: Exclude processes initiated by the local administrator account or those running from the C:\Windows\System32\WindowsPowerShell\v1.0\ directory.
Scenario: A scheduled job is configured to run a PowerShell script that uses Get-Variable to check for specific variables during system maintenance.
Filter/Exclusion: Exclude events where the process is associated with a scheduled task, such as those under Task Scheduler or with a TaskName matching known maintenance tasks.
Scenario: A legitimate security tool, such as Microsoft Defender for Endpoint, uses PowerShell to query system variables as part of its monitoring or diagnostic routines.
Filter/Exclusion: Exclude processes with the parent process being msedge.exe or MsMpEng.exe, or those running under the Microsoft Defender for Endpoint service account.
Scenario: A DevOps pipeline runs a PowerShell script that uses Get-Variable to pass configuration variables between stages.
Filter/Exclusion: Exclude processes initiated from a known DevOps tool like Azure DevOps or GitHub Actions, or those running under a service account used for CI/CD pipelines.
Scenario: A user is troubleshooting a script and runs Get-Variable to inspect the current session’s variables, which is a common debugging practice.
Filter/Exclusion: Exclude events where the process is initiated by a user with the PowerShell executable and the command line includes Get-Variable as part of a script or interactive session.