
Suspicious Get-Variable.exe Creation (0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b)

Get-Variable is a valid PowerShell cmdlet. The WindowsApps directory is by default in the PATH where PowerShell is executed, so when the Get-Variable command is issued during PowerShell execution, the system first looks for a Get-Variable executable in the PATH and executes the malicious binary instead of the PowerShell cmdlet.

Cluster A | Galaxy A | Cluster B | Galaxy B | Level
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) | Attack Pattern | Suspicious Get-Variable.exe Creation (0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b) | Sigma-Rules | 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Suspicious Get-Variable.exe Creation (0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b) | Sigma-Rules | 1