Evidence: Environment Variables
Description: Enumerate Environment Variables
Category: System
Platform: windows
Short Name: envvars
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Environment variables influence process behavior and can be abused for persistence or evasion. This data is essential for auditing both process-scoped and registry-scoped variables.
Data Collected
This collector gathers structured data about environment variables.
Collection Method
This collector queries the current process environment and reads system and user environment values from the registry across registry views and SIDs.
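One way to perform this kind of enumeration by hand in PowerShell, added here as an example and not the collector's own code: it reads the current process environment, then the system and per-user Environment keys in both the 64-bit and 32-bit registry views. The registry paths are the standard Windows locations and are an assumption about what the collector reads; Get-RegistryEnvironment is a hypothetical helper name.

```powershell
# Added example, not the collector's code. Get-RegistryEnvironment is a hypothetical helper.
function Get-RegistryEnvironment {
    param(
        [Microsoft.Win32.RegistryHive]$Hive,
        [Microsoft.Win32.RegistryView]$View,
        [string]$SubKey,
        [string]$Scope
    )
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $View)
    try {
        $key = $base.OpenSubKey($SubKey)          # read-only open
        if ($null -eq $key) { return }            # key absent for this scope
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Scope = $Scope
                View  = $View
                Name  = $name
                Kind  = $key.GetValueKind($name)  # String vs ExpandString
                # Record the stored value as-is; do not expand %VAR% references.
                Value = $key.GetValue($name, $null,
                    [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
            }
        }
        $key.Dispose()
    } catch [System.Security.SecurityException] {
        Write-Warning "Access denied: $SubKey ($View)"
    } finally {
        $base.Dispose()
    }
}

# Assumed location of system-wide variables (standard Windows path).
$machineKey = 'SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$views = [Microsoft.Win32.RegistryView]::Registry64, [Microsoft.Win32.RegistryView]::Registry32
$records = @(
    # 1. Environment block of the current process
    [Environment]::GetEnvironmentVariables().GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Scope = 'Process'; View = $null; Name = $_.Key; Kind = $null; Value = $_.Value }
    }
    foreach ($view in $views) {
        # 2. System-wide variables
        Get-RegistryEnvironment -Hive LocalMachine -View $view -SubKey $machineKey -Scope 'System'
        # 3. Per-user variables for every hive currently loaded under HKEY_USERS
        $users = [Microsoft.Win32.RegistryKey]::OpenBaseKey([Microsoft.Win32.RegistryHive]::Users, $view)
        foreach ($sid in $users.GetSubKeyNames() | Where-Object { $_ -notlike '*_Classes' }) {
            Get-RegistryEnvironment -Hive Users -View $view -SubKey "$sid\Environment" -Scope "User:$sid"
        }
        $users.Dispose()
    }
)
$records | Sort-Object Scope, View, Name | Format-Table -AutoSize
```

Only hives currently loaded under HKEY_USERS are visible this way, so profiles of logged-off users do not appear unless their hive files are loaded separately.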
Forensic Value
This evidence is crucial in forensic investigations for detecting suspicious variables, altered paths, and injected configuration.