get COMSPEC environment variable

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: get COMSPEC environment variable
    namespace: host-interaction/environment-variable
    authors:
      - matthew.williams@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Discovery::System Information Discovery [T1082]
    mbc:
      - Operating System::Environment Variable [C0034]
    examples:
      - Practical Malware Analysis Lab 14-02.exe_:0x401880
  features:
    - and:
      - match: query environment variable
      - or:
        - string: "COMSPEC"
        - string: "%COMSPEC%"

last edited: 2023-11-24 10:35:00