From f57bb708bb0ca7da3871ded56dd4e78ad0b95953 Mon Sep 17 00:00:00 2001 From: nNipsx <86789668+nNipsx-Sec@users.noreply.github.com> Date: Thu, 3 Mar 2022 11:04:26 +0700 Subject: [PATCH 1/3] Update another command line of Get-WmiObject (gwmi) --- .../powershell/powershell_script/posh_ps_detect_vm_env.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml index 331b1d12e..8ec1bdb03 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml @@ -17,7 +17,9 @@ logsource: definition: EnableScriptBlockLogging must be set to enable detection: selection_action: - ScriptBlockText|contains: Get-WmiObject + ScriptBlockText|contains: + - Get-WmiObject + - gwmi selection_module: ScriptBlockText|contains: - MSAcpi_ThermalZoneTemperature From 19ba2fe16c941b9c2b8d33bff1939fd558854043 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 3 Mar 2022 08:12:01 +0100 Subject: [PATCH 2/3] Update posh_ps_detect_vm_env.yml --- .../powershell/powershell_script/posh_ps_detect_vm_env.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml index 8ec1bdb03..11c36b0d5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml 
@@ -3,7 +3,7 @@ id: d93129cd-1ee0-479f-bc03-ca6f129882e3 status: experimental author: frack113 date: 2021/08/03 -modified: 2021/12/02 +modified: 2022/03/03 description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md From b43e37518e9854abb47751f6479f51bee98b4052 Mon Sep 17 00:00:00 2001 From: nNipsx <86789668+nNipsx-Sec@users.noreply.github.com> Date: Thu, 3 Mar 2022 14:34:13 +0700 Subject: [PATCH 3/3] update Author contribute --- .../powershell/powershell_script/posh_ps_detect_vm_env.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml index 11c36b0d5..0ce4802c0 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml @@ -1,7 +1,7 @@ title: Powershell Detect Virtualization Environment id: d93129cd-1ee0-479f-bc03-ca6f129882e3 status: experimental -author: frack113 +author: frack113, Duc.Le-GTSC date: 2021/08/03 modified: 2022/03/03 description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
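Review bot: In the `selection_action` hunk of patch 1/3, `ScriptBlockText|contains` is a case-insensitive substring match, so the new `gwmi` entry will fire on any script block that contains those four characters anywhere, not only on the `gwmi` alias as a standalone token; given that the rule also requires one of the `selection_module` class names (`MSAcpi_ThermalZoneTemperature` and the rest of that list), the extra false-positive surface is small, but it is worth confirming that the `condition` (outside this hunk) still ANDs `selection_action` with `selection_module` rather than ORing them, otherwise `gwmi` on its own becomes a very noisy trigger. Matching the `- Get-WmiObject` / `- gwmi` list indentation to the existing `selection_module` list keeps the YAML consistent.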
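Review bot: The `modified: 2022/03/03` bump in patch 2/3 is the metadata update that patch 1/3 should have carried, since that is the commit that changed detection logic; consider squashing the two so a rule change and its `modified` date land together, which keeps `git blame` on the rule file meaningful.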
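Review bot: In patch 3/3 the `author: frack113, Duc.Le-GTSC` line follows the comma-separated single-string convention used by Sigma rule metadata, so no format issue; as with the date bump, this is a one-line metadata change that belongs in the same commit as the `gwmi` detection change rather than in a separate commit, and the commit subject would be clearer as something like "Add gwmi alias to Get-WmiObject VM detection rule" so the history describes the rule change rather than the contributor update.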