anti-analysis/anti-vm/vm-detection

check for Windows sandbox via genuine state

rule:
  meta:
    name: check for Windows sandbox via genuine state
    namespace: anti-analysis/anti-vm/vm-detection
    authors:
      - "@_re_fox"
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/LloydLabs/wsb-detect
    examples:
      - 773290480d5445f11d3dc1b800728966:0x140001140
  features:
    - or:
      - and:
        # static
        - basic block:
          - and:
            - api: SLIsGenuineLocal
        - basic block:
          - and:
            - api: UuidFromString
            - string: "55c92734-d682-4d71-983e-d6ec3f16059f"
      - and:
        # dynamic
        - call:
          - and:
            - api: SLIsGenuineLocal
        - call:
          - and:
            - api: UuidFromString
            - string: "55c92734-d682-4d71-983e-d6ec3f16059f"

last edited: 2023-12-08 21:40:40