Potential Suspicious Tampering With Built-In Environment Variables Via Setx.EXE

Rule Info

Name
Potential Suspicious Tampering With Built-In Environment Variables Via Setx.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects execution of the "setx.exe" utility to modify the value of a built-in environment variable to an uncommon value. Attackers have been observed changing environment variables to different values in order to trick programs that rely on them into loading or executing something else. This utility allows for the creation or modification of environment variables in the user or system environment, without requiring programming or scripting. The setx command can also retrieve the values of registry keys and write them to text files.
Date
2024-05-02 00:00:00
Modified
None
Id
6a92153f-2c0b-4ce7-b2db-bb69ac588b69
Tags
attack.defense_evasion
Type
Nextron Sigma feed only (private)

Rule History