Powershell Detect Virtualization Environment
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.
Sigma rule
title: Powershell Detect Virtualization Environment
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
status: test
description: |
    Adversaries may employ various system checks to detect and avoid virtualization and analysis environments.
    This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md
    - https://techgenix.com/malicious-powershell-scripts-evade-detection/
author: frack113, Duc.Le-GTSC
date: 2021/08/03
modified: 2022/03/03
tags:
    - attack.defense_evasion
    - attack.t1497.001
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection_action:
        ScriptBlockText|contains:
            - Get-WmiObject
            - gwmi
    selection_module:
        ScriptBlockText|contains:
            - MSAcpi_ThermalZoneTemperature
            - Win32_ComputerSystem
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
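To make the rule's condition concrete: `all of selection*` fires only when a single ScriptBlockText value contains one of the cmdlet keywords from selection_action (Get-WmiObject or gwmi) and one of the class names from selection_module (MSAcpi_ThermalZoneTemperature or Win32_ComputerSystem). The Python below is an added editorial example, not code from the Sigma project or from the rule's references. It reimplements the two selections over constructed Event ID 4104 script-block samples and assumes Sigma's default case-insensitive `contains` semantics; the sample ScriptBlockText values are invented for illustration.

```python
"""Run the rule's two selections and AND condition over constructed script-block events."""
from typing import Dict, List, Optional

# The rule's selections, copied from the YAML above: each list is OR-ed internally,
# and the `all of selection*` condition AND-s the two selections together.
SELECTIONS: Dict[str, List[str]] = {
    "selection_action": ["Get-WmiObject", "gwmi"],
    "selection_module": ["MSAcpi_ThermalZoneTemperature", "Win32_ComputerSystem"],
}

# Constructed samples shaped like Event ID 4104 (script block logging) records.
# These are NOT real captured logs; they exist only to exercise the logic.
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 4104,  # classic VM check: model string of the computer system
     "ScriptBlockText": "$m = (Get-WmiObject -Class Win32_ComputerSystem).Model; "
                        "if ($m -match 'Virtual') { exit }"},
    {"EventID": 4104,  # temperature sensor query via the gwmi alias
     "ScriptBlockText": "gwmi -Namespace root/wmi -Class MSAcpi_ThermalZoneTemperature"},
    {"EventID": 4104,  # WMI cmdlet but no VM-related class: should NOT match
     "ScriptBlockText": "Get-WmiObject Win32_Process | Select-Object Name"},
    {"EventID": 4104,  # same class through Get-CimInstance: outside selection_action
     "ScriptBlockText": "(Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer"},
    {"EventID": 4104,  # case variation: Sigma string matching is case-insensitive
     "ScriptBlockText": "GET-WMIOBJECT win32_computersystem | select model"},
]


def contains_any(text: str, needles: List[str]) -> List[str]:
    """Sigma `field|contains: [a, b]` is an OR of case-insensitive substring tests.

    Returns the needles that hit so an analyst can see why an event matched.
    """
    lowered = text.lower()
    return [n for n in needles if n.lower() in lowered]


def evaluate(event: Dict) -> Optional[Dict[str, List[str]]]:
    """Return {selection_name: matched_keywords} when all selections hit, else None."""
    text = event.get("ScriptBlockText", "")
    hits = {name: contains_any(text, needles) for name, needles in SELECTIONS.items()}
    # `all of selection*`: every selection must have at least one hit.
    return hits if all(hits.values()) else None


def matching_indexes(events: List[Dict]) -> List[int]:
    """Indexes of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if evaluate(ev) is not None]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        verdict = evaluate(ev)
        print(f"[{i}] {'ALERT' if verdict else 'no match'}: {ev['ScriptBlockText'][:60]}")
        if verdict:
            for name, keywords in verdict.items():
                print(f"      {name} <- {keywords}")
```

Two points the output makes visible. First, both keywords must appear in the same ScriptBlockText value; a script block that only runs `Get-WmiObject Win32_Process` (sample 2) does not alert. Second, the rule as written keys on `Get-WmiObject` and `gwmi` only, so the same `Win32_ComputerSystem` query issued through `Get-CimInstance` (sample 3) falls outside selection_action and is not covered by this rule.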
Related rules
- Disable System Firewall
- Suspicious IO.FileStream
- Suspicious Invoke-Item From Mount-DiskImage
- Suspicious Mount-DiskImage
- Suspicious Start-Process PassThru