From 85c98af00901e5dcded5227f0f2bbecf1ff18a6d Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 23 Apr 2022 18:29:58 +0200 Subject: [PATCH] Add file_event_win_susp_get_variable --- .../file_event_win_susp_get_variable.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/file_event/file_event_win_susp_get_variable.yml diff --git a/rules/windows/file_event/file_event_win_susp_get_variable.yml b/rules/windows/file_event/file_event_win_susp_get_variable.yml new file mode 100644 index 000000000..e61a1c3cb --- /dev/null +++ b/rules/windows/file_event/file_event_win_susp_get_variable.yml @@ -0,0 +1,28 @@ +title: Suspicious Get-Variable.exe creation +id: 0c3fac91-5627-46e8-a6a8-a0d7b9b8ae1b +status: experimental +description: | + Get-Variable is a valid PowerShell cmdlet + WindowsApps is by default in the path where PowerShell is executed. + So when the Get-Variable command is issued on PowerShell execution, the system first looks for the Get-Variable executable in the path and executes the malicious binary instead of looking for the PowerShell cmdlet. +author: frack113 +references: + - https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/ + - https://www.joesandbox.com/analysis/465533/0/html +date: 2022/04/23 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: 'Local\Microsoft\WindowsApps\Get-Variable.exe' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.persistence + - attack.t1546 + - attack.defense_evasion + - attack.t1027 +
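Review bot: the `description` block in this hunk needs copy-editing before merge: the first line "Get-Variable is a valid PowerShell cmdlet" has no terminating period, and the three lines read as disconnected fragments. Suggest something like "Get-Variable is a valid PowerShell cmdlet. WindowsApps is by default in the PATH where PowerShell is executed, so when Get-Variable is invoked the system first resolves it against the PATH and runs the planted Get-Variable.exe instead of the cmdlet." Also, `falsepositives: - Unknown` gives an analyst nothing to work with; since a `Get-Variable.exe` should not legitimately be created under `Local\Microsoft\WindowsApps`, stating that false positives are unlikely (or naming any known benign case) would better match the `level: high` assigned below it.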