Atomic Red Team doc generator
105 lines
5.5 KiB
YAML
105 lines
5.5 KiB
YAML
---
|
|
attack_technique: T1497.001
|
|
display_name: 'Virtualization/Sandbox Evasion: System Checks'
|
|
atomic_tests:
|
|
- name: Detect Virtualization Environment (Linux)
|
|
auto_generated_guid: dfbd1a21-540d-4574-9731-e852bd6fe840
|
|
description: |
|
|
systemd-detect-virt detects execution in a virtualized environment.
|
|
At boot, dmesg stores a log if a hypervisor is detected.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: sh
|
|
elevation_required: true
|
|
command: |
|
|
if (systemd-detect-virt) then echo "Virtualization Environment detected"; fi;
|
|
if (sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo "Virtualization Environment detected"; fi;
|
|
- name: Detect Virtualization Environment (FreeBSD)
|
|
auto_generated_guid: e129d73b-3e03-4ae9-bf1e-67fc8921e0fd
|
|
description: |
|
|
Detects execution in a virtualized environment.
|
|
At boot, dmesg stores a log if a hypervisor is detected.
|
|
supported_platforms:
|
|
- linux
|
|
executor:
|
|
name: sh
|
|
elevation_required: true
|
|
command: |
|
|
if [ "$(sysctl -n hw.hv_vendor)" != "" ]; then echo "Virtualization Environment detected"; fi
|
|
- name: Detect Virtualization Environment (Windows)
|
|
auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d
|
|
description: |
|
|
Windows Management Instrumentation(WMI) objects contains system information which helps to detect virtualization. This command will specifically attempt to get the CurrentTemperature value from this object and will check to see if the attempt results in an error that contains the word supported. This is meant to find the result of Not supported, which is the result if run in a virtual machine
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
$error.clear()
|
|
Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue
|
|
if($error) {echo "Virtualization Environment detected"}
|
|
cleanup_command: |
|
|
$error.clear()
|
|
- name: Detect Virtualization Environment via ioreg
|
|
auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09
|
|
description: |
|
|
ioreg contains registry entries for all the device drivers in the system. If it's a virtual machine, one of the device manufacturer will be a Virtualization Software.
|
|
supported_platforms:
|
|
- macos
|
|
executor:
|
|
name: sh
|
|
elevation_required: false
|
|
command: |
|
|
if (ioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo 'Virtualization Environment detected'; fi;
|
|
- name: Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)
|
|
auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78
|
|
description: |
|
|
Windows Management Instrumentation(WMI) objects contain system information which helps to detect virtualization. This test will get the model and manufacturer of the machine to determine if it is a virtual machine, such as through VMware or VirtualBox.
|
|
supported_platforms:
|
|
- windows
|
|
executor:
|
|
name: powershell
|
|
elevation_required: false
|
|
command: |
|
|
$Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Manufacturer"
|
|
$Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Model"
|
|
if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}
|
|
- name: Detect Virtualization Environment using sysctl (hw.model)
|
|
auto_generated_guid: 6beae646-eb4c-4730-95be-691a4094408c
|
|
description: |
|
|
sysctl hw.model will return the model name of the hardware(Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware
|
|
but will return the hypervisor name (VMware7,0).
|
|
Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
|
|
supported_platforms:
|
|
- macos
|
|
executor:
|
|
name: sh
|
|
command: |
|
|
if [ "$(sysctl -n hw.model | grep -v 'Mac')" != "" ]; then echo 'Virtualization Environment detected'; fi;
|
|
- name: Check if System Integrity Protection is enabled
|
|
auto_generated_guid: 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945
|
|
description: |
|
|
The latest versions of macOS have the System Integrity Protection feature (SIP). If a sandbox uses a non-signed
|
|
kernel extension for monitoring purposes the, SIP feature must be disabled to load this kind of kernel extension.
|
|
Malware may check if the SIP is enabled.
|
|
Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip
|
|
supported_platforms:
|
|
- macos
|
|
executor:
|
|
name: sh
|
|
command: |
|
|
if [ "$(csrutil status | grep -v 'enabled')" != "" ]; then echo 'Possible Virtualization Environment detected'; fi;
|
|
- name: Detect Virtualization Environment using system_profiler
|
|
auto_generated_guid: e04d2e89-de15-4d90-92f9-a335c7337f0f
|
|
description: |
|
|
system_profiler provides system hardware and software configuration and the Model Identifier should provide the value similar to (sysctl -n hw.model).
|
|
We should be able to find whether virtualization is enabled by checking whether the Model Identifier does not contain "Mac".
|
|
supported_platforms:
|
|
- macos
|
|
executor:
|
|
name: sh
|
|
command: |
|
|
if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier" | grep -v 'Mac')" != "" ]; then echo 'Virtualization Environment detected'; fi;
|