Merge pull request #765 from anders-v/master

adding rules for vm detection through wmi calls to drive and motherbo…
mandiant · Jul 12, 2023 · c3da5ee · c3da5ee
2 parents 3a483a9 + 758bc4d
commit c3da5ee
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-VM-via-disk-hardware-WMI-queries.yml
@@ -0,0 +1,17 @@
+# generated using capa explorer for IDA Pro
+rule:
+  meta:
+    name: detect VM via disk hardware WMI queries 
+    namespace: anti-analysis/anti-vm/vm-detection
+    authors:
+      - [email protected]
+    scope: function
+    att&ck:
+      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
+    examples:
+      - 32B3678F8C29437E9EA10EAB10194F66:0x4035e0
+  features:
+    - and:
+      - string: "Win32_DiskDrive"
+      - string: "Model"
+      - string: "Virtual"
diff --git a/anti-analysis/anti-vm/vm-detection/detect-VM-via-motherboard-hardware-WMI-queries.yml b/anti-analysis/anti-vm/vm-detection/detect-VM-via-motherboard-hardware-WMI-queries.yml
@@ -0,0 +1,17 @@
+# generated using capa explorer for IDA Pro
+rule:
+  meta:
+    name: detect VM via motherboard hardware WMI queries
+    namespace: anti-analysis/anti-vm/vm-detection
+    authors:
+      - [email protected]
+    scope: function
+    att&ck:
+      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
+    examples:
+      - 32B3678F8C29437E9EA10EAB10194F66:0x4035e0
+  features:
+    - and:
+      - string: "Win32_BaseBoard"
+      - string: "Virtual"
+      - string: "Product"