some legitimate scripts and system maintenance tools may use substring extraction from environment variables for dynamic command construction. review and whitelist authorized scripts to reduce false positives.

Techniques

T1027.010

Sample rules

Windows Command Obfuscation with Environment Variable Substrings

source: splunk
technicques:
- T1027.010

Description

Detects command obfuscation by using a technique to build a target command using character indexes from environment variables. This hides the true intent of the command by building it on the fly. In Windows command prompt, you can use the :~ format to extract substrings from environment variable values. This behavior has been observed in various malware families, including Cobalt Strike and Meterpreter.

Detection logic


| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime

from datamodel=Endpoint.Processes where

Processes.process="*%%*:~*,*"

by Processes.process Processes.vendor_product Processes.user_id Processes.process_hash
   Processes.parent_process_name Processes.parent_process_exec Processes.action
   Processes.dest Processes.process_current_directory Processes.process_path
   Processes.process_integrity_level Processes.original_file_name
   Processes.parent_process Processes.parent_process_path
   Processes.parent_process_guid Processes.parent_process_id
   Processes.process_guid Processes.process_id
   Processes.user Processes.process_name


| `drop_dm_object_name(Processes)`

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `windows_command_obfuscation_with_environment_variable_substrings_filter`