How Malware Exploits Windows Environment Variables for Stealth Attacks
Environment variables in Windows play a crucial role in storing information used by the operating system and various programs. These variables help configure system settings, define paths, and enable specific functionalities. Attackers can exploit these environment variables to execute malicious code or gain persistence in compromised systems.
Description
Scopes
On Windows, environment variables can be defined in three scopes:
- Machine (or System) scope: applies to all users | permanent
- User scope: applies to the current user only | permanent
- Process scope: applies to the currently running process (such as the current PowerShell session) and to the processes it starts, which inherit a copy of its environment block at creation | temporary
Management
PowerShell provides several different methods for using and managing environment variables.
- The variable syntax
- The Environment provider and Item cmdlets
- The .NET System.Environment class
When you change environment variables in PowerShell with the variable syntax or the Environment provider, the change affects only the current session and its child processes, like the set command in cmd.exe. To change values in the Machine or User scopes, you must use the methods of the System.Environment class with an explicit target (or the setx command); those changes are written to the registry and are picked up by processes started after a fresh logon, not by the session that made them.
Common Windows Environment Variables
- ComSpec: Points to the command interpreter (normally %SystemRoot%\system32\cmd.exe) that programs use when they spawn a shell
- APPDATA: Points to the current user’s Roaming profile directory
- LOCALAPPDATA: Points to the current user’s Local profile directory
- TEMP: Points to the temporary files directory
- ProgramData: Points to the application data folder that is shared among all users
The variable syntax
$Env:<variable-name>= "<new-value>" # to create/change
$Env:<variable-name> # to get the value
ls Env: # to list all
Use the Environment provider and Item cmdlets
New-Item -Path Env:\<variable-name> -Value '<new-value>' # to create
Set-Item -Path Env:\<variable-name> -Value '<new-value>' # to change the value
Get-Item -Path Env:\<variable-name> # to get the value
Get-ChildItem Env: # to list all
Use the System.Environment methods
[Environment]::SetEnvironmentVariable('<name>','<value>') # to create/change in the Process scope only
[Environment]::SetEnvironmentVariable('<name>','<value>','User') # to create/change persistently (use 'Machine' from an elevated shell for the System scope)
[Environment]::GetEnvironmentVariable('<name>') # to get the value seen by this process
[Environment]::GetEnvironmentVariable('<name>','Machine') # to get the persisted value of a given scope ('User' or 'Machine')
[System.Environment]::GetEnvironmentVariables() # to list all
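The following PowerShell session, added here as an example and not taken from the original article, writes one variable to each scope and shows which reader sees which copy. The variable name DemoVar is an illustrative choice; the Machine-scope part only runs when the shell is elevated.

```powershell
# Added example: the same variable written to each scope, and what each
# reader then sees. "DemoVar" is an illustrative name chosen for this demo.
$name = 'DemoVar'

# Process scope: both the variable syntax and the two-argument overload
# write only to this process's environment block.
$Env:DemoVar = 'process-only'
[Environment]::GetEnvironmentVariable($name, 'Process')   # process-only
[Environment]::GetEnvironmentVariable($name, 'User')      # $null: nothing was persisted

# User scope: the three-argument overload writes HKCU\Environment (and
# broadcasts WM_SETTINGCHANGE so Explorer re-reads it), but it does not
# touch the current session.
[Environment]::SetEnvironmentVariable($name, 'user-persistent', 'User')
(Get-Item -Path HKCU:\Environment).GetValue($name)         # user-persistent
$Env:DemoVar                                               # still process-only

# Machine scope writes HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
# and therefore needs an elevated shell.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    [Environment]::SetEnvironmentVariable($name, 'machine-persistent', 'Machine')
    [Environment]::GetEnvironmentVariable($name, 'Machine')  # machine-persistent
}

# A child process inherits a copy of its parent's block, so it sees the
# process-scope value, not the persisted one. Processes started from a fresh
# logon (or from Explorer after the broadcast) are the ones that pick up the
# registry values.
powershell.exe -NoProfile -Command "`$Env:$name"             # process-only

# Clean-up: passing $null as the value deletes a persisted variable.
[Environment]::SetEnvironmentVariable($name, $null, 'User')
if ($isAdmin) { [Environment]::SetEnvironmentVariable($name, $null, 'Machine') }
Remove-Item -Path "Env:\$name"
```

The practical consequence for an investigator is that the live session and the registry can disagree: a persisted value planted by an attacker is invisible in a shell that was already open, and a value injected into one process never appears in the registry at all. Check both.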
Importance in Security and Forensics
Environment variables are not just system utilities but are also used by attackers to maintain persistence, evade detection, and execute malicious code. Security experts and forensic investigators rely on these variables to trace user activities, discover malware, and analyze system changes. For instance:
User Activity Tracing: By examining the directories that variables like %APPDATA% and %LOCALAPPDATA% resolve to, investigators can uncover user-specific configurations, caches and logs that provide insights into how the system was used.
Malware Persistence: Attackers often drop payloads under %TEMP% or %APPDATA%, because those directories are writable without administrator rights and rarely scrutinised.
Also by altering %ComSpec%, attackers can have their executable run whenever a program or script spawns the command interpreter through that variable (for example the C runtime's system() call, or a scheduled task that runs %ComSpec% /c ...), rather than only when a user opens a command prompt by hand. A user-scope definition of ComSpec in HKCU\Environment overrides the machine-scope value for that user's logon session, so planting it needs no administrator rights.
Command Obfuscation: Environment variables are also used by attackers to obfuscate command execution. For example, a variable like %IAmClean% could be set to a malicious path or command fragment and expanded later, so that the command line recorded for the launching shell shows only the innocuous variable name and static signatures on the command line do not match the payload.
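One way to hunt for the obfuscation idiom above is to pull the environment variable references out of recorded command lines and flag anything outside a known set. The script below is an added example and not part of the original article; the command lines are constructed samples in the style of a Sysmon Event ID 1 or Security 4688 CommandLine field, and the baseline list is an assumption for the example rather than an official list.

```powershell
# Added example (not from the original article): flag process command lines
# that reference environment variables outside a known baseline, define and
# expand a variable in the same command, or run executable content from a
# user-writable directory. The log lines are constructed samples, not real
# telemetry.

$SampleCommandLines = @(
    'C:\Windows\system32\cmd.exe /c "%ProgramFiles%\App\updater.exe" /silent',
    'cmd.exe /c set IAmClean=%APPDATA%\svc\run.exe && %IAmClean% -p 4444',
    'powershell.exe -nop -w hidden -c "& $env:IAmClean"',
    'C:\Windows\system32\cmd.exe /c dir %USERPROFILE%\Documents',
    '"C:\Windows\System32\rundll32.exe" %TEMP%\x.dll,Run'
)

# Variables a normal command line may legitimately expand (assumed baseline).
$Baseline = @('ALLUSERSPROFILE','APPDATA','COMSPEC','HOMEDRIVE','HOMEPATH',
              'LOCALAPPDATA','PATH','PATHEXT','PROGRAMDATA','PROGRAMFILES',
              'PROGRAMFILES(X86)','SYSTEMDRIVE','SYSTEMROOT','TEMP','TMP',
              'USERNAME','USERPROFILE','WINDIR')

# Legitimate variables that are nevertheless favoured payload drop locations.
$WritableByUser = @('APPDATA','LOCALAPPDATA','TEMP','TMP','USERPROFILE')

function Get-EnvReferences {
    param([string]$CommandLine)
    # Matches both %NAME% (cmd.exe) and $env:NAME (PowerShell) expansions;
    # .NET allows the same group name in both alternatives.
    $pattern = '%(?<n>[^%\s]+)%|\$env:(?<n>[A-Za-z_][A-Za-z0-9_()]*)'
    [regex]::Matches($CommandLine, $pattern, 'IgnoreCase') |
        ForEach-Object { $_.Groups['n'].Value.ToUpperInvariant() } |
        Select-Object -Unique
}

function Test-CommandLine {
    param([string]$CommandLine)
    $reasons = @()
    $refs = @(Get-EnvReferences $CommandLine)

    $unknown = $refs | Where-Object { $_ -notin $Baseline }
    if ($unknown) { $reasons += "non-standard variable(s): $($unknown -join ', ')" }

    # Defining a variable and expanding it in the same line is the obfuscation
    # idiom described above.
    if ($CommandLine -match '(?i)\bset\s+(?<n>[^=\s]+)=.*%\k<n>%') {
        $reasons += "variable $($Matches['n']) defined and expanded in the same command"
    }

    # Executable content loaded from a user-writable location.
    $fromUserDir = @($refs | Where-Object { $_ -in $WritableByUser })
    if ($fromUserDir -and $CommandLine -match '(?i)\.(exe|dll|ps1|bat|cmd|vbs|js)\b') {
        $reasons += "executable content under $($fromUserDir -join '/')"
    }

    [pscustomobject]@{
        Suspicious  = [bool]$reasons
        Reasons     = $reasons -join '; '
        CommandLine = $CommandLine
    }
}

# Only lines 2, 3 and 5 of the samples are reported; the updater under
# %ProgramFiles% and the dir of %USERPROFILE% pass.
$SampleCommandLines | ForEach-Object { Test-CommandLine $_ } |
    Where-Object Suspicious | Format-List
```

Feed it the CommandLine field from your process-creation events rather than the samples; the parent record of cmd.exe or powershell.exe is the one that still carries the unexpanded %IAmClean%, so the rule should run on the parent's command line as well as the child's.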
Defense Strategies
Use Group Policy: Machine-scope variables live under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment and are writable only by administrators by default, so keep standard users out of the local Administrators group, and deploy the expected values of variables like %ComSpec% through Group Policy Preferences (Computer Configuration > Preferences > Windows Settings > Environment) so that a tampered value is reset at the next policy refresh. Remember that a user can still redefine a variable in HKCU\Environment for their own logon session, which only monitoring will catch.
Monitor Environment Variables: Regularly check the integrity of critical environment variables to ensure they point to their legitimate locations. Use the list commands mentioned above for the live session, but also read the persisted values from the registry (both the machine key and each user's HKCU\Environment), since a value planted there does not show up in a session that was already open.
Auditing and Logging: Windows has no dedicated audit for environment variables, so audit the registry keys that hold them: put a SACL on HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment and HKCU\Environment and enable the Audit Registry subcategory (Security event 4657, "A registry value was modified"), or use Sysmon Event ID 13 (RegistryEvent, Value Set) on the same keys. Pair this with process-creation logging that includes the command line (Security 4688 or Sysmon Event ID 1) to catch the obfuscation case, and forward all of it to your SIEM/EDR to enhance visibility.
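The integrity check described under "Monitor Environment Variables", as an added example that is not part of the original article: it reads the persisted variables of both scopes from the registry, compares ComSpec against the expected interpreter, and flags values that would give a user-writable directory a foothold. The expected values and the heuristics are assumptions for the example; adjust them to your estate.

```powershell
# Added example (not from the original article): audit the persisted
# environment variables in both scopes. The expected values and the
# "suspicious" heuristics below are assumptions chosen for this example.

$Scopes = @{
    Machine = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    User    = 'HKCU:\Environment'
}

# Variables whose value should never change, with their expected content.
$Expected = @{
    ComSpec = Join-Path $Env:SystemRoot 'system32\cmd.exe'
}

# Directories an unprivileged user can write to.
$UserWritable = @($Env:TEMP, $Env:APPDATA, $Env:LOCALAPPDATA, $Env:USERPROFILE)

function Test-UnderUserWritable {
    param([string]$Path)
    foreach ($dir in $UserWritable) {
        if ($dir -and $Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-PersistedEnv {
    foreach ($scope in $Scopes.Keys) {
        $key = Get-Item -Path $Scopes[$scope] -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Scope = $scope
                Name  = $name
                # Raw value with REG_EXPAND_SZ references left unexpanded...
                Raw   = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                # ...and the expanded value a new process would actually receive.
                Value = [string]$key.GetValue($name)
            }
        }
    }
}

function Test-PersistedEnv {
    foreach ($v in Get-PersistedEnv) {
        $issues = @()

        if ($Expected.ContainsKey($v.Name) -and $v.Value -ne $Expected[$v.Name]) {
            $issues += "expected '$($Expected[$v.Name])'"
        }
        # A user-scope copy of a machine-only variable overrides the system one
        # for that user's logon session.
        if ($v.Scope -eq 'User' -and $Expected.ContainsKey($v.Name)) {
            $issues += 'machine-scope variable redefined in user scope'
        }
        if ($v.Name -ieq 'Path') {
            # User-writable PATH entries allow search-order hijacking.
            $bad = @($v.Value -split ';' | Where-Object { $_ -and (Test-UnderUserWritable $_) })
            if ($bad) { $issues += "user-writable PATH entries: $($bad -join ', ')" }
        }
        elseif ($v.Value -match '\.(exe|dll|bat|cmd|ps1)\b' -and (Test-UnderUserWritable $v.Value)) {
            $issues += 'points to executable content in a user-writable directory'
        }

        if ($issues) {
            $v | Add-Member -NotePropertyName Issues -NotePropertyValue ($issues -join '; ') -PassThru
        }
    }
}

Test-PersistedEnv | Format-Table Scope, Name, Value, Issues -AutoSize
```

Run it from the context of the user being investigated, or load the other profiles' hives and point the User entry of $Scopes at HKU\<SID>\Environment, because HKCU only covers the current user. A clean host prints nothing; anything it prints is a value to compare against the registry audit events from the previous bullet.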
Conclusion
Environment variables, while integral to system functionality, are a double-edged sword. They provide essential configuration options but can also be manipulated by attackers to execute malicious code, evade detection, and persist on a compromised system. Understanding how to manage and secure environment variables is crucial in preventing and detecting such attacks.