# generated using capa explorer for IDA Pro
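rule:
  meta:
    name: detect VM via disk hardware WMI queries
    namespace: anti-analysis/anti-vm/vm-detection
    authors:
      - anders.vejlby@mandiant.com
    # All three string features below must be present within the SAME unit:
    # one function under static analysis, one thread under dynamic analysis.
    scopes:
      static: function
      dynamic: thread
    # The '&' inside this key is not an anchor sigil (only a leading '&' is),
    # so the key can stay unquoted.
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check [B0009.023]
    # <sample hash>:<function address>; the value contains ':' but no ': ',
    # so it is a single plain scalar.
    examples:
      - 32B3678F8C29437E9EA10EAB10194F66:0x4035e0
  # Matching is on string co-occurrence only. Presumably the sample queries the
  # WMI class Win32_DiskDrive and inspects its Model property for the substring
  # "Virtual". Consequences for triage: stacked/obfuscated strings will not
  # match (false negative), and benign inventory tooling that references the
  # same WMI class and property may match (false positive) -- confirm with
  # the surrounding code before treating a hit as evasion.
  features:
    - and:
      - string: "Win32_DiskDrive"
      - string: "Model"
      - string: "Virtual"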
last edited: 2023-11-24 10:34:28