Setting Environment Variables From Registry Data Via Setx.EXE

Rule Info

Name
Setting Environment Variables From Registry Data Via Setx.EXE
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects execution of the "setx.exe" utility in order to set an environment variable with a value read from the registry (its /k switch). While this might be common in certain environments, attackers might leverage it to read registry content in a sneaky way, since the read is performed by a signed Windows binary rather than by a script or a reg.exe query. The utility allows the creation or modification of environment variables in the user or system environment without requiring programming or scripting. The setx command can also retrieve the values of registry keys and, with /f, read values out of text files.
Date
2024-05-02 00:00:00
Modified
None
Id
acb4a630-ef6f-41b8-a0e2-2c1220195a90
Tags
attack.defense_evasion
Type
Nextron Sigma feed only (private)
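The Sigma rule itself is private, so the following is an added example written for this page, not Nextron's rule logic: a small Python check that applies the idea described above (setx.exe invoked with the /k switch, i.e. the variable value is taken from a registry key) to constructed process-creation events. The event field names (Image, CommandLine) follow the Sysmon EventID 1 convention, the sample command lines are made up, and the parsing of setx switches is an assumption based on the documented setx syntax, not on the rule's detection block.

```python
import shlex
from typing import Optional

# Constructed sample process-creation events (Sysmon EventID 1 style, reduced
# to the two fields the check needs). Illustrative only, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\setx.exe",
     "CommandLine": r'setx SYSDIR /k "HKLM\System\CurrentControlSet\Control\Windows\SystemDirectory"'},
    {"Image": r"C:\Windows\System32\setx.exe",
     "CommandLine": r"setx TZONE /K HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TimeZoneInformation\StandardName /M"},
    {"Image": r"C:\Windows\System32\setx.exe",
     "CommandLine": r"setx JAVA_HOME C:\Program Files\Java\jdk-17"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "echo /k HKLM\Software"'},
]

# setx switches that consume the following token as their argument
# (assumed from the documented syntax: /s computer, /u user, /p password,
# /k regpath, /f file, /a x,y, /r x,y,string, /d delimiters).
SWITCHES_WITH_ARG = {"/s", "/u", "/p", "/k", "/f", "/a", "/r", "/d"}


def _basename(path: str) -> str:
    """Lower-cased last path component, tolerating either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _tokens(cmdline: str) -> list:
    """Split a Windows command line; keep backslashes, drop surrounding quotes."""
    try:
        raw = shlex.split(cmdline, posix=False)   # non-POSIX: '\' is not an escape
    except ValueError:                            # unbalanced quote: fall back
        raw = cmdline.split()
    return [t[1:-1] if len(t) >= 2 and t[0] == '"' and t[-1] == '"' else t
            for t in raw]


def detect_setx_registry_read(event: dict) -> Optional[dict]:
    """Return a hit dict if the event is setx.exe reading a value via /k, else None."""
    toks = _tokens(event.get("CommandLine", ""))
    if not toks:
        return None
    image_is_setx = _basename(event.get("Image", "")) == "setx.exe"
    cmd_is_setx = _basename(toks[0]) in ("setx", "setx.exe")
    if not (image_is_setx or cmd_is_setx):
        return None                 # '/k' in some other program's arguments is not a hit

    variable = None
    reg_key = None
    i = 1
    while i < len(toks):
        low = toks[i].lower()
        if low in SWITCHES_WITH_ARG:
            if low == "/k" and i + 1 < len(toks):
                reg_key = toks[i + 1]
            i += 2                  # skip the switch and its argument
            continue
        if low.startswith("/"):     # argument-less switches such as /m or /x
            i += 1
            continue
        if variable is None:        # first positional token is the variable name
            variable = toks[i]
        i += 1

    if reg_key is None:
        return None
    return {"variable": variable, "registry_key": reg_key,
            "command_line": event.get("CommandLine", "")}


def scan_events(events: list) -> list:
    """Run the check over a batch of events and collect the hits."""
    return [hit for hit in (detect_setx_registry_read(e) for e in events) if hit]


if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print(f"setx registry read: {hit['variable']} <- {hit['registry_key']}")
```

Of the four constructed events only the first two are flagged: the plain assignment of JAVA_HOME has no /k, and the cmd.exe line merely contains the string "/k" in an unrelated context. In a real environment, baseline the legitimate uses first (installer and logon scripts that populate variables from HKLM keys are the usual source of noise) and treat hits that read keys holding credentials, service configuration or security settings as the interesting ones.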

Rule History