
Summary
This anomaly detects potential persistence through hijacking of the PowerShell Get-Variable cmdlet. The attacker drops a file named Get-Variable.exe into the user's WindowsApps folder, a directory that is on the PATH searched when PowerShell resolves commands. When a PowerShell session starts, including one launched by a scheduled task, the planted Get-Variable.exe may run in place of the cmdlet, giving the attacker persistence or arbitrary command execution. The technique maps to MITRE ATT&CK T1574.008 (Hijack Execution Flow: Path Interception by Search Order Hijacking) and has been observed in Colibri malware.

The rule relies on endpoint telemetry to identify process creations whose process_path matches the Get-Variable.exe entry under the WindowsApps folder, and correlates them with parent processes indicative of PowerShell or scheduled task activity. Implementations typically ingest Sysmon Event ID 1, Windows Security Event ID 4688, and third-party EDR process telemetry, normalize the data to the Processes node of the Endpoint data model, and query for execution from the WindowsApps folder. Because no legitimate tooling is expected to place an executable of this name in that folder, any match should be treated as suspicious until the file's origin is explained.

The rule supports triage by examining process GUIDs, command lines, parent process names, user context, and timing to differentiate legitimate tooling from abuse. Drilldowns enable viewing results by user and destination and correlating risk events with historical context.
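The following is an added example, not the rule's own search logic: a small Python detector that normalizes Sysmon Event ID 1 and Security 4688 records into a Processes-style record, flags process creations from the WindowsApps Get-Variable.exe path, and emits the triage fields described above. The event samples are constructed, the field mapping to the Endpoint Processes model is an assumption, and the set of parent names treated as "PowerShell" (powershell.exe, pwsh.exe) is an assumption as well.

```python
"""Toy detector for Get-Variable.exe hijacking via the WindowsApps folder.

Added example; not the detection rule's own SPL. Sample events are
constructed to resemble Sysmon Event ID 1 and Security 4688 fields.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Matches <anything>\WindowsApps\Get-Variable.exe, case-insensitively,
# which is the process_path the rule keys on.
HIJACK_PATH = re.compile(r"\\WindowsApps\\Get-Variable\.exe$", re.IGNORECASE)

# Assumption: how a PowerShell parent shows up after normalization.
POWERSHELL_PARENTS = {"powershell.exe", "pwsh.exe"}


@dataclass
class Process:
    """Processes-style record (field names are an assumption)."""
    process_path: str
    parent_process_name: str
    user: str
    process_guid: str
    process: str       # full command line
    timestamp: str


def normalize_sysmon(ev: dict) -> Process:
    """Map Sysmon Event ID 1 EventData fields to the record above."""
    return Process(
        process_path=ev["Image"],
        parent_process_name=ev["ParentImage"].rsplit("\\", 1)[-1].lower(),
        user=ev["User"],
        process_guid=ev["ProcessGuid"],
        process=ev["CommandLine"],
        timestamp=ev["UtcTime"],
    )


def normalize_4688(ev: dict) -> Process:
    """Map Security 4688 fields; 4688 has no GUID, so the PID stands in."""
    return Process(
        process_path=ev["NewProcessName"],
        parent_process_name=ev["ParentProcessName"].rsplit("\\", 1)[-1].lower(),
        user=ev["SubjectUserName"],
        process_guid=ev["NewProcessId"],
        process=ev.get("CommandLine", ""),
        timestamp=ev["TimeCreated"],
    )


def detect(processes: Iterable[Process]) -> list[dict]:
    """Return one triage record per process created from the hijack path."""
    hits = []
    for p in processes:
        if not HIJACK_PATH.search(p.process_path):
            continue
        hits.append({
            "process_guid": p.process_guid,
            "user": p.user,
            "parent": p.parent_process_name,
            "parent_is_powershell": p.parent_process_name in POWERSHELL_PARENTS,
            "command_line": p.process,
            "timestamp": p.timestamp,
        })
    return hits


# Constructed sample telemetry: two hijack executions, one benign Store app
# alias under WindowsApps, and one Get-Variable.exe outside WindowsApps
# (out of scope for this rule, which keys on the WindowsApps path).
SAMPLE_SYSMON = [
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "User": r"CORP\alice", "ProcessGuid": "{00000000-0000-0000-0000-000000000001}",
     "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\Get-Variable.exe"',
     "UtcTime": "2024-01-10 08:01:02.000"},
    {"Image": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\python.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "User": r"CORP\alice", "ProcessGuid": "{00000000-0000-0000-0000-000000000002}",
     "CommandLine": "python.exe", "UtcTime": "2024-01-10 08:05:00.000"},
    {"Image": r"C:\Temp\Get-Variable.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "User": r"CORP\carol", "ProcessGuid": "{00000000-0000-0000-0000-000000000003}",
     "CommandLine": "Get-Variable.exe", "UtcTime": "2024-01-10 08:06:00.000"},
]
SAMPLE_4688 = [
    {"NewProcessName": r"C:\Users\bob\AppData\Local\Microsoft\WindowsApps\get-variable.exe",
     "ParentProcessName": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "SubjectUserName": "bob", "NewProcessId": "0x1a2c",
     "CommandLine": "get-variable.exe", "TimeCreated": "2024-01-10T09:00:00Z"},
]


def run_sample() -> list[dict]:
    """Normalize both sources and run the detector over them."""
    records = [normalize_sysmon(e) for e in SAMPLE_SYSMON]
    records += [normalize_4688(e) for e in SAMPLE_4688]
    return detect(records)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Each hit carries the process GUID (or PID for 4688), user, parent, command line and timestamp so an analyst can pivot on the same fields the rule's drilldowns expose; the parent_is_powershell flag separates the expected hijack chain from an execution that needs a different explanation.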
Categories
- Windows
- Endpoint
Data Sources
- Process
ATT&CK Techniques
- T1574.008
Created: 2026-04-13