Potential Service Environment Variable Tampering

Rule Info

Name
Potential Service Environment Variable Tampering
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects modifications to service environment variables in the Windows registry that could indicate an attempt to tamper with system environment variables. This technique is often used for privilege escalation or persistence by modifying the `SystemRoot` or `windir` variables to point to malicious locations.
Date
2025-06-17 00:00:00
Modified
None
Id
3be30fe2-e1ba-46b5-a3b5-8575df05bab0
Tags
attack.defense-evasion, attack.privilege-escalation, attack.persistence, attack.t1574.007
Type
Nextron Sigma feed only (private)

Rule History