{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/windowsapps/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["persistence","powershell","windowsapps","colibri"],"_cs_type":"advisory","_cs_vendors":["Splunk"],"content_html":"\u003cp\u003eThis threat involves the hijacking of the PowerShell \u003ccode\u003eGet-Variable\u003c/code\u003e cmdlet to achieve persistence. Attackers place a malicious executable named \u003ccode\u003eGet-Variable.exe\u003c/code\u003e within the \u003ccode\u003eC:\\Users\\\u0026lt;user\u0026gt;\\AppData\\Local\\Microsoft\\WindowsApps\u003c/code\u003e folder, which is included in the system\u0026rsquo;s PowerShell path. When a PowerShell window is opened, including through scheduled tasks or other automated means, the malicious \u003ccode\u003eGet-Variable.exe\u003c/code\u003e is executed instead of the legitimate PowerShell cmdlet. This technique allows the attacker to run arbitrary code whenever a PowerShell session is initialized. This activity has been associated with the Colibri malware family. This technique is a stealthy way to maintain access to a compromised system, as the execution is triggered by a standard system process. Defenders need to monitor for unexpected executables running from within the WindowsApps directory to identify and prevent this form of persistence.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial compromise of the system through an unrelated vulnerability or credential theft.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the file system with sufficient privileges to write to the \u003ccode\u003eC:\\Users\\\u0026lt;user\u0026gt;\\AppData\\Local\\Microsoft\\WindowsApps\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eThe attacker drops a malicious executable named \u003ccode\u003eGet-Variable.exe\u003c/code\u003e into the \u003ccode\u003eWindowsApps\u003c/code\u003e folder, effectively hijacking the legitimate PowerShell cmdlet.\u003c/li\u003e\n\u003cli\u003eThe attacker creates or modifies a scheduled task that launches PowerShell.exe.\u003c/li\u003e\n\u003cli\u003eWhen the scheduled task triggers the PowerShell.exe execution, the system resolves \u003ccode\u003eGet-Variable\u003c/code\u003e to the malicious executable in the \u003ccode\u003eWindowsApps\u003c/code\u003e directory due to path precedence.\u003c/li\u003e\n\u003cli\u003eThe malicious \u003ccode\u003eGet-Variable.exe\u003c/code\u003e executes the attacker\u0026rsquo;s payload.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s payload performs malicious activities, such as establishing a reverse shell, downloading additional malware, or exfiltrating data.\u003c/li\u003e\n\u003cli\u003eThe attacker maintains persistent access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation leads to persistent access on the targeted system. The attacker can execute arbitrary code whenever a PowerShell window is opened, allowing them to perform various malicious activities, including data theft, ransomware deployment, or further propagation within the network. The Colibri malware, which has been associated with this technique, demonstrates the potential for significant compromise. The number of victims and specific sectors targeted vary depending on the attacker\u0026rsquo;s objectives.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for \u003ccode\u003eGet-Variable.exe\u003c/code\u003e executing from within the \u003ccode\u003eC:\\Users\\\u0026lt;user\u0026gt;\\AppData\\Local\\Microsoft\\WindowsApps\u003c/code\u003e directory using the Sigma rule \u003ccode\u003eDetect Get-Variable.exe Execution from WindowsApps\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eInvestigate any processes executing from the \u003ccode\u003eWindowsApps\u003c/code\u003e folder, as this is not a typical location for legitimate executables.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unsigned or untrusted executables from the \u003ccode\u003eWindowsApps\u003c/code\u003e directory.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging to capture the necessary events for the Sigma rules in this brief.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-get-variable-hijack/","summary":"Attackers can establish persistence by placing a malicious Get-Variable.exe in the WindowsApps folder, hijacking the legitimate PowerShell cmdlet and executing upon PowerShell window initialization, as seen with the Colibri malware.","title":"Get-Variable.exe Hijacking for Persistence","url":"https://feed.craftedsignal.io/briefs/2024-01-03-get-variable-hijack/"}],"language":"en","title":"CraftedSignal Threat Feed — Windowsapps","version":"https://jsonfeed.org/version/1.1"}