fix get-variable hijack
jorik-utwente committed Dec 2, 2024
1 parent d132d84 commit 1a77ae1
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion nursery/persist-via-get-variable-hijack.yml
Expand Up @@ -13,5 +13,8 @@ rule:
- https://www.threatdown.com/blog/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/
features:
- and:
- match: persist via host software binary compromise
- or:
- match: copy file
- match: move file
- match: write file on Windows
- string: /Microsoft\\WindowsApps\\Get-Variable.exe/i
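Review bot: the regex on the last line of the hunk leaves the `.` in `Get-Variable.exe` unescaped, so it matches any single character in that position rather than a literal dot; tighten it to `- string: /Microsoft\\WindowsApps\\Get-Variable\.exe/i`. The rendered view drops indentation, so also double-check in the file that the new `- or:` block sits as a sibling of `- match: persist via host software binary compromise` under `- and:` (and that the `- string:` feature is inside the `and:` as well), since a mis-nested `or:` would let any copy/move/write file operation satisfy the rule without the Get-Variable path.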
