Powershell Detect Virtualization Environment

 1title: Powershell Detect Virtualization Environment
 2id: d93129cd-1ee0-479f-bc03-ca6f129882e3
 3status: test
 4description: |
 5    Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
 6    This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox    
 7references:
 8    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
 9    - https://techgenix.com/malicious-powershell-scripts-evade-detection/
10author: frack113, Duc.Le-GTSC
11date: 2021-08-03
12modified: 2022-03-03
13tags:
14    - attack.defense-evasion
15    - attack.t1497.001
16logsource:
17    product: windows
18    category: ps_script
19    definition: 'Requirements: Script Block Logging must be enabled'
20detection:
21    selection_action:
22        ScriptBlockText|contains:
23            - Get-WmiObject
24            - gwmi
25    selection_module:
26        ScriptBlockText|contains:
27            - MSAcpi_ThermalZoneTemperature
28            - Win32_ComputerSystem
29    condition: all of selection*
30falsepositives:
31    - Unknown
32level: medium

References

• atomic-red-team/atomics/T1497.001/T1497.001.md at f339e7da7d05f6057fdfcdd3742bfcf365fee2a9 · redcanaryco/atomic-red-team

  

  Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team

  
  Read More

• https://techgenix.com/malicious-powershell-scripts-evade-detection/

  
  Read More

Related rules

• System Information Discovery Via Sysctl - MacOS
• AD Object WriteDAC Access
• ADS Zone.Identifier Deleted By Uncommon Application
• AMSI Bypass Pattern Assembly GetType
• APT PRIVATELOG Image Load Pattern