
Summary
This detection rule targets the obfuscated use of environment variables in PowerShell scripts, specifically command lines that stage a payload or script in an environment variable and then execute it. By monitoring PowerShell command patterns, in particular those that set an environment variable with a command such as 'set <var_name> <value>', the rule identifies attempts to hide what is actually executed from security mechanisms. The key detection criterion is a regex that matches command patterns which typically indicate an attempt to bypass security controls through obfuscation. The rule classifies these incidents under the assumption that the obfuscation serves a defense evasion purpose.
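The detection idea described above, as an added example rather than the rule's own logic: a constructed regex flags command lines where a variable is defined with `set` and then expanded on the same line that invokes PowerShell, run over a few constructed process-creation events (the regex, function names and sample events are assumptions, not the rule's).

```python
import re

# Constructed, illustrative pattern (not the rule's own regex): cmd-style `set NAME=VALUE`.
SET_PATTERN = re.compile(
    r"\bset\s+(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>[^&|]+)", re.IGNORECASE
)
# The line must actually launch PowerShell for the staged value to matter here.
POWERSHELL_PATTERN = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)


def env_var_obfuscation_hits(cmdline: str) -> list:
    """Return names of variables that are set and later expanded on a PowerShell command line."""
    if not POWERSHELL_PATTERN.search(cmdline):
        return []
    hits = []
    for m in SET_PATTERN.finditer(cmdline):
        name = re.escape(m.group("name"))
        # cmd expansion (%NAME%) or PowerShell expansion ($env:NAME / ${env:NAME}).
        expansion = re.compile(
            r"%" + name + r"%|\$env:" + name + r"\b|\$\{env:" + name + r"\}", re.IGNORECASE
        )
        # Only flag when the variable is consumed after it was defined on the same line;
        # a plain PATH adjustment followed by an unrelated command is left alone.
        if expansion.search(cmdline, m.end()):
            hits.append(m.group("name"))
    return hits


def scan(events: list) -> list:
    """Return (pid, flagged variable names) for every event the check fires on."""
    return [(e["pid"], hits) for e in events if (hits := env_var_obfuscation_hits(e["cmdline"]))]


# Constructed sample process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1001, "cmdline": 'cmd.exe /c "set x=Write-Host hello && powershell -nop -c %x%"'},
    {"pid": 1002, "cmdline": "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1"},
    {"pid": 1003, "cmdline": 'cmd.exe /c "set PATH=C:\\tools;%PATH% && build.exe"'},
    {"pid": 1004, "cmdline": 'cmd.exe /c "set q=Get-Date && set r=%q% && powershell -c %r%"'},
]

if __name__ == "__main__":
    for pid, names in scan(SAMPLE_EVENTS):
        print(f"pid {pid}: staged-and-expanded variables {names}")
```

Event 1003 is the benign case the second check exists for: it sets a variable but never expands it into a PowerShell invocation.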
Categories
- Endpoint
- Windows
Data Sources
- Process
- Script
Created: 2020-10-15