anti-analysis/anti-vm/vm-detection
rule:
meta:
name: check for sandbox via MAC address OUIs in .NET
namespace: anti-analysis/anti-vm/vm-detection
authors:
- jonathanlepore@google.com
description: detects sandbox detection via mac address organizationally unique identifiers (OUIs). Based off publicly available CSharpShooter/CheckPlease.cs
scopes:
static: function
dynamic: unsupported
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
references:
- https://github.com/mdsecactivebreach/SharpShooter/blob/9aea0b7a723b61c01c21f1e4b55409edf39a5a3b/CSharpShooter/CheckPlease.cs
features:
- and:
- format: dotnet
- basic block:
- and:
- 3 or more:
- string: /00[:-]?0c[:-]?29/i
- string: /00[:-]?1c[:-]?14/i
- string: /00[:-]?50[:-]?56/i
description: VMware OUIs
- string: /08[:-]?00[:-]?27/i
description: PCS Systemtechnik GmbH OUI, potentially related to VirtualBox
- api: System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress
- api: System.Net.NetworkInformation.NetworkInterface::GetAllNetworkInterfaces
last edited: 2023-11-24 10:35:03