Suspicious Environment Variable Has Been Registered
Detects the creation of user-specific or system-wide environment variables via the registry whose values contain suspicious commands and strings.
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 13 | RegistryEvent (Value Set) |
Stages and Predicates
Stage 1: all of selection_main
- TargetObject|contains: '\Environment\'
Stage 2: all of selection_details (any one of the following alternatives, joined by or)
- Details (exact match): powershell, pwsh
- Details|contains: 'C:\Users\Public\', '\AppData\Local\Temp\', JAG4AdgBvAGsAZQAtA, JbnZva2Ut, SQBuAHYAbwBrAGUALQ, SW52b2tlL, TVoAAAAAAAAAAAAA, TVpQAAIAAAAEAA8A, TVpTAQEAAAAEAAAA, TVqAAAEAAAAEABAA, TVqQAAMAAAAEAAAA, kAbgB2AG8AawBlAC0A, ludm9rZS
- Details|startswith: H4sIA, Qzpc, R2V0, SQBFAF, SQBuAH, SUVY, Y21k, Yzpc, aQBlA, aWV4, cABhAH, cwBhA, dXNpbm, dgBhA, dmFy
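As an added example (not part of the rule or the catalog's own code), the two stages above evaluated in Python against constructed Sysmon Event ID 13 records; the registry paths, SID and Details values are made up for the test, and both sides are lower-cased to mirror Sigma's default case-insensitive string matching.

```python
import base64
# Predicates transcribed from the rule above. This harness is an added example,
# not the catalog's own code; Sigma string matching is case-insensitive by
# default, so both sides are lower-cased before comparison.
DETAILS_EQ = {"powershell", "pwsh"}
DETAILS_CONTAINS = [
    "C:\\Users\\Public\\", "\\AppData\\Local\\Temp\\", "JAG4AdgBvAGsAZQAtA",
    "JbnZva2Ut", "SQBuAHYAbwBrAGUALQ", "SW52b2tlL", "TVoAAAAAAAAAAAAA",
    "TVpQAAIAAAAEAA8A", "TVpTAQEAAAAEAAAA", "TVqAAAEAAAAEABAA",
    "TVqQAAMAAAAEAAAA", "kAbgB2AG8AawBlAC0A", "ludm9rZS",
]
DETAILS_STARTSWITH = [
    "H4sIA", "Qzpc", "R2V0", "SQBFAF", "SQBuAH", "SUVY", "Y21k", "Yzpc",
    "aQBlA", "aWV4", "cABhAH", "cwBhA", "dXNpbm", "dgBhA", "dmFy",
]

def matches(event: dict) -> bool:
    """True when a Sysmon EID 13 record satisfies selection_main AND selection_details."""
    if event.get("EventID") != 13:
        return False
    target = event.get("TargetObject", "").lower()
    details = event.get("Details", "").lower()
    if "\\environment\\" not in target:  # Stage 1: selection_main
        return False
    return (  # Stage 2: any one alternative of selection_details
        details in DETAILS_EQ
        or any(s.lower() in details for s in DETAILS_CONTAINS)
        or any(details.startswith(s.lower()) for s in DETAILS_STARTSWITH)
    )

def constructed_events() -> list:
    """Constructed sample records (not real telemetry): three hits, then two misses."""
    user_env = "HKU\\S-1-5-21-1111-2222-3333-1001\\Environment\\"  # made-up SID
    sys_env = "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\Environment\\"
    # Base64 of a DOS 'MZ' header starts with TVqQAAMAAAAEAAAA (a |contains value).
    mz_b64 = base64.b64encode(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00" + b"\x00" * 4).decode()
    # Base64 of the gzip magic 1f 8b 08 00 starts with H4sIA (a |startswith value).
    gz_b64 = base64.b64encode(b"\x1f\x8b\x08\x00" + b"\x00" * 8).decode()
    return [
        {"EventID": 13, "TargetObject": user_env + "Path", "Details": "powershell"},
        {"EventID": 13, "TargetObject": user_env + "TMPVAR", "Details": mz_b64},
        {"EventID": 13, "TargetObject": sys_env + "BLOB", "Details": gz_b64},
        {"EventID": 13, "TargetObject": user_env + "Path", "Details": "C:\\Program Files\\Git\\cmd"},
        {"EventID": 13, "TargetObject": user_env.replace("Environment", "Software"), "Details": "pwsh"},
    ]

def evaluate(events: list) -> list:
    """Apply the rule to every record; one bool per record."""
    return [matches(e) for e in events]
```

The last record shows why Stage 1 matters: a value of `pwsh` written outside an `\Environment\` key is not alerted on, which keeps the rule scoped to environment-variable persistence rather than every registry write containing these strings.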
Indicators
Each row is a field, operator and value set that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| Details | eq | powershell, pwsh |
| Details | match | 'C:\Users\Public\', '\AppData\Local\Temp\', JAG4AdgBvAGsAZQAtA, JbnZva2Ut, SQBuAHYAbwBrAGUALQ, SW52b2tlL, TVoAAAAAAAAAAAAA, TVpQAAIAAAAEAA8A, TVpTAQEAAAAEAAAA, TVqAAAEAAAAEABAA, TVqQAAMAAAAEAAAA, kAbgB2AG8AawBlAC0A, ludm9rZS |
| Details | starts_with | H4sIA, Qzpc, R2V0, SQBFAF, SQBuAH, SUVY, Y21k, Yzpc, aQBlA, aWV4, cABhAH, cwBhA, dXNpbm, dgBhA, dmFy |
| TargetObject | match | '\Environment\' |