detect VM via disk hardware WMI queries

edit on GitHub
search on VirusTotal

# generated using capa explorer for IDA Pro
rule:
  meta:
    name: detect VM via disk hardware WMI queries
    namespace: anti-analysis/anti-vm/vm-detection
    authors:
      - anders.vejlby@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023]
    examples:
      - 32B3678F8C29437E9EA10EAB10194F66:0x4035e0
  features:
    - and:
      - string: "Win32_DiskDrive"
      - string: "Model"
      - string: "Virtual"

last edited: 2023-11-24 10:34:28