rules/windows/powershell/powershell_script/powershell_detect_vm_env.yml

title: Powershell Detect Virtualization Environment
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
status: experimental
author: frack113
date: 2021/08/03
modified: 2021/12/02
description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md
    - https://techgenix.com/malicious-powershell-scripts-evade-detection/
tags:
    - attack.defense_evasion
    - attack.t1497.001
logsource:
    product: windows
    category: ps_script
    definition: EnableScriptBlockLogging must be set to enable
detection:
    selection_action:
        ScriptBlockText|contains: Get-WmiObject
    selection_module:
        ScriptBlockText|contains: 
            - MSAcpi_ThermalZoneTemperature
            - Win32_ComputerSystem
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
$frack113$ add poweshell_detect_vm_env.yml 2021-08-03 08:30:26 +02:00			`title: Powershell Detect Virtualization Environment`
			`id: d93129cd-1ee0-479f-bc03-ca6f129882e3`
			`status: experimental`
			`author: frack113`
			`date: 2021/08/03`
feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*' 2021-12-02 14:30:09 +01:00			`modified: 2021/12/02`
Update poweshell_detect_vm_env.yml 2021-08-05 15:47:29 +02:00			`description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox`
$frack113$ add poweshell_detect_vm_env.yml 2021-08-03 08:30:26 +02:00			`references:`
			`- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md`
			`- https://techgenix.com/malicious-powershell-scripts-evade-detection/`
			`tags:`
			`- attack.defense_evasion`
			`- attack.t1497.001`
			`logsource:`
			`product: windows`
$frack113$ change to category: ps_script 2021-10-16 08:18:49 +02:00			`category: ps_script`
$frack113$ add poweshell_detect_vm_env.yml 2021-08-03 08:30:26 +02:00			`definition: EnableScriptBlockLogging must be set to enable`
			`detection:`
			`selection_action:`
			`ScriptBlockText\|contains: Get-WmiObject`
			`selection_module:`
			`ScriptBlockText\|contains:`
			`- MSAcpi_ThermalZoneTemperature`
			`- Win32_ComputerSystem`
feat: discourage the usage of 'all of them' and migrate existing rules to use the preferred method 'all of selection*' 2021-12-02 14:30:09 +01:00			`condition: all of selection*`
$frack113$ add poweshell_detect_vm_env.yml 2021-08-03 08:30:26 +02:00			`falsepositives:`
			`- Unknown`
Update poweshell_detect_vm_env.yml 2021-08-05 15:47:29 +02:00			`level: medium`