query environment variable

edit on GitHub
search on VirusTotal
rule:
  meta:
    name: query environment variable
    namespace: host-interaction/environment-variable
    authors:
      - michael.hunhoff@mandiant.com
      - "@_re_fox"
    scopes:
      static: function
      dynamic: call
    att&ck:
      - Discovery::System Information Discovery [T1082]
    mbc:
      - Discovery::System Information Discovery [E1082]
    examples:
      - Practical Malware Analysis Lab 14-02.exe_:0x401880
      - 0761142efbda6c4b1e801223de723578:0x65483490
  features:
    - or:
      - api: kernel32.GetEnvironmentVariable
      - api: kernel32.GetEnvironmentStrings
      - api: kernel32.ExpandEnvironmentStrings
      - api: msvcr90.getenv
      - api: msvcrt.getenv
      - api: System.Environment::GetEnvironmentVariable
      - api: System.Environment::GetEnvironmentVariables
      - api: System.Environment::ExpandEnvironmentVariables
last edited: 2023-11-24 10:34:28