Powershell Detect Virtualization Environment
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.
Sigma rule

title: Powershell Detect Virtualization Environment
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
status: test
description: |
  Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
  This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
  - https://techgenix.com/malicious-powershell-scripts-evade-detection/
author: frack113, Duc.Le-GTSC
date: 2021-08-03
modified: 2022-03-03
tags:
  - attack.discovery
  - attack.defense-evasion
  - attack.t1497.001
logsource:
  product: windows
  category: ps_script
  definition: 'Requirements: Script Block Logging must be enabled'
detection:
  selection_action:
    ScriptBlockText|contains:
      - Get-WmiObject
      - gwmi
  selection_module:
    ScriptBlockText|contains:
      - MSAcpi_ThermalZoneTemperature
      - Win32_ComputerSystem
  condition: all of selection*
falsepositives:
  - Unknown
level: medium
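To show how the rule's two selections combine under `all of selection*`, here is an added Python example (not part of the Sigma rule or the Sigma project) that applies the same substring logic to constructed ScriptBlockText values from PowerShell Event ID 4104 records. It follows Sigma's default case-insensitive string matching; the sample events and their ids are made up for the example.

```python
# Selections transcribed from the Sigma rule above.
SELECTION_ACTION = ["Get-WmiObject", "gwmi"]
SELECTION_MODULE = ["MSAcpi_ThermalZoneTemperature", "Win32_ComputerSystem"]


def _contains_any(text: str, needles: list[str]) -> bool:
    """Sigma's |contains modifier: case-insensitive substring match on any value."""
    lowered = text.lower()
    return any(needle.lower() in lowered for needle in needles)


def matches_rule(script_block_text: str) -> bool:
    """condition: all of selection* -> both selection_action and selection_module must hit."""
    return _contains_any(script_block_text, SELECTION_ACTION) and _contains_any(
        script_block_text, SELECTION_MODULE
    )


# Constructed sample 4104 script blocks (not real log data).
SAMPLE_EVENTS = [
    {"id": 1, "ScriptBlockText": "gwmi -Class MSAcpi_ThermalZoneTemperature -Namespace root/wmi"},
    {"id": 2, "ScriptBlockText": "Get-WmiObject Win32_ComputerSystem | Select-Object Manufacturer, Model"},
    # Only selection_action hits: Win32_Process is not one of the listed classes.
    {"id": 3, "ScriptBlockText": "Get-WmiObject Win32_Process | Where-Object { $_.Name -eq 'notepad.exe' }"},
    # Only selection_module hits: the rule lists Get-WmiObject/gwmi, not Get-CimInstance,
    # so this equivalent CIM query is not matched (a coverage gap worth knowing about).
    {"id": 4, "ScriptBlockText": "Get-CimInstance -ClassName Win32_ComputerSystem"},
    # Odd casing still matches because Sigma string comparison is case-insensitive.
    {"id": 5, "ScriptBlockText": "GET-WMIOBJECT win32_computersystem"},
]


def scan(events: list[dict]) -> list[int]:
    """Return the ids of events that trigger the rule."""
    return [event["id"] for event in events if matches_rule(event["ScriptBlockText"])]


if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # [1, 2, 5]
```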
Related rules
- System Information Discovery Via Sysctl - MacOS
- System Information Discovery Using System_Profiler
- HackTool - SharpUp PrivEsc Tool Execution
- Hacktool Ruler
- Operation Wocao Activity