What are environment variables
I explained what an environment variable is in detail in this article:
https://blog.csdn.net/qq_45894840/article/details/128622314?spm=1001.2014.3001.5502
Here I expand on it a little.
env
env is short for the English word environment. It is used to display and define environment variables. In PowerShell, Env: is a drive exposed by the Environment provider, so listing it shows every environment variable set for the current process. We can see all of this machine's environment variable configuration by listing env:
ls env:\
You can see many environment variables here. In cmd, run the following command instead to list them all
set
Bypass Windows Defender and hide obfuscated behavior
We can also read a single environment variable through $env:
echo $env:SYSTEMROOT
Next, replace the trailing T of SYSTEMROOT with ? (so the name becomes SYSTEMROO?).
The variable is still displayed normally, because the Environment provider resolves the name as a wildcard pattern against the environment variable table, with ? matching exactly one character. This is similar to find -name "baimao*.exe", which searches the current directory tree for .exe files whose names start with baimao.
We can go further and replace more characters with ?. The pattern still has to match exactly one variable: if it matches several, PowerShell reports an error because it cannot decide which variable to read.
echo $env:S?????????
Append a folder name after the variable and the expression resolves to that path, so the output changes accordingly.
We can also use dir, ls or Get-ChildItem to list this folder (dir and ls are aliases of Get-ChildItem in PowerShell)
Get-ChildItem $env:S?????????\System32
ls $env:S?????????\System32
dir $env:S?????????\System32
The folder appended after the variable can also be written with ?, because Get-ChildItem accepts wildcards in the path
Get-ChildItem $env:S?????????\Sys?????
To keep the pattern short while still matching a single folder, we can use * instead of a run of ?; * matches any number of characters, as described in the article linked above
Get-ChildItem $env:S?????????\S*2
Now, if we want to pop up the calculator, we can use the following command
start $env:S?????????\S*2\c*lc.*
If we want to call schtasks.exe, we can use the following command
start $env:???t??r???\*2\??h???k?*
These methods are what I learned from reading an APT malware analysis report
https://www.securonix.com/blog/detecting-steepmaverick-new-covert-attack-campaign-targeting-military-contractors/
Attackers use this technique to hide obfuscated command lines from Windows Defender: neither the environment variable name nor the executable path appears as a literal string, so detections that look for strings such as schtasks.exe or System32 in the command line do not match.
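The following PowerShell is an added example, not code from the original article or from the Securonix report. It does two things with the wildcard trick shown above: it resolves an obfuscated "$env:<pattern>\<wildcard folders>\<wildcard file>" expression to the concrete file it would launch on this machine (checking the "exactly one variable" rule the text mentions), and it flags such expressions in logged command lines so a defender can hunt for them. The function names, the regular expressions and the sample command lines are my own choices; the samples are constructed, not real telemetry, and the resolution functions only return results on a Windows host.

```powershell
# Added example (not from the original article or the Securonix report).
# Function names and patterns are the editor's own; samples are constructed.

function Resolve-WildcardEnvName {
    # Return the environment variable name(s) that a pattern such as S????????? matches.
    # -like uses PowerShell wildcards (? = one character, * = any run) and is case-insensitive,
    # which is the same matching the Environment provider applies to $env:<pattern>.
    param([Parameter(Mandatory)][string]$Pattern)
    Get-ChildItem Env: |
        Where-Object { $_.Name -like $Pattern } |
        Select-Object -ExpandProperty Name
}

function Resolve-ObfuscatedPath {
    # Expand "$env:<pattern>\<wildcard folders>\<wildcard file>" to the concrete path(s)
    # it reaches on this machine. Returns $null when the variable pattern is ambiguous
    # (PowerShell itself errors in that case) or when nothing matches.
    param([Parameter(Mandatory)][string]$Expression)

    if ($Expression -match '^\$env:([^\\/]+)(.*)$') {
        $varPattern = $Matches[1]   # e.g. S????????? or ???t??r???
        $rest       = $Matches[2]   # e.g. \S*2\c*lc.*
    } else {
        throw 'Expression must start with $env:<name>'
    }

    $names = @(Resolve-WildcardEnvName -Pattern $varPattern)
    if ($names.Count -ne 1) {
        Write-Warning "Pattern '$varPattern' matched $($names.Count) variables; exactly one is required."
        return $null
    }
    $base = [Environment]::GetEnvironmentVariable($names[0])
    # Resolve-Path expands ? and * in every path segment, which is how S*2\c*lc.* reaches calc.exe.
    Resolve-Path -Path ($base + $rest) -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Path
}

function Find-WildcardEnvUsage {
    # Detection side: flag command lines (for example from Sysmon event 1 or PowerShell
    # script block logging) that read an environment variable with ? or * in its name,
    # or that follow $env: with a wildcarded path segment. Ordinary scripts almost never do this.
    param([Parameter(Mandatory)][string[]]$CommandLine)
    $wildName = '\$env:[^\s\\/]*[?*]'       # wildcard inside the variable name
    $wildPath = '\$env:[^\s]*\\[^\s]*[?*]'  # wildcard in a later path segment
    foreach ($line in $CommandLine) {
        if ($line -match $wildName -or $line -match $wildPath) {
            [pscustomobject]@{ CommandLine = $line; Reason = 'wildcard in $env: path' }
        }
    }
}

# Constructed sample command lines, not real telemetry. The first two are the article's
# obfuscated calc.exe and schtasks.exe launches; the last two are benign and must not fire.
$samples = @(
    'start $env:S?????????\S*2\c*lc.*',
    'start $env:???t??r???\*2\??h???k?*',
    'Get-ChildItem $env:SYSTEMROOT\System32',
    'powershell -nop -c "Get-Process"'
)
Find-WildcardEnvUsage -CommandLine $samples | Format-Table -AutoSize

# On a Windows host these resolve to the real binaries under System32.
Resolve-ObfuscatedPath -Expression '$env:S?????????\S*2\c*lc.*'
Resolve-ObfuscatedPath -Expression '$env:???t??r???\*2\??h???k?*'
```

Resolve-ObfuscatedPath is useful during triage: paste the obfuscated expression from a log and it tells you which binary the attacker actually launched. Find-WildcardEnvUsage is deliberately simple; if you deploy it as a hunting query, expect to tune the two patterns against your own script baseline rather than trust them blindly.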