persist via Get-Variable hijack

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: persist via Get-Variable hijack
    namespace: persistence/file-system
    authors:
      - j.j.vannielen@utwente.nl
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Persistence::Hijack Execution Flow [T1574]
    references:
      - https://www.threatdown.com/blog/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
  features:
    - and:
      - or:
        - match: copy file
        - match: move file
        - match: write file on Windows
      - string: /Microsoft\\WindowsApps\\Get-Variable.exe/i

last edited: 2024-12-03 16:26:03