anti-analysis/anti-vm/vm-detection
rule:
meta:
name: detect mouse movement via activity checks on Windows
namespace: anti-analysis/anti-vm/vm-detection
authors:
- tevajdr@gmail.com
description: Identifies code that analyzes mouse movement patterns to detect non-human/sandbox behavior
scopes:
static: function
dynamic: unsupported
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::User Activity Based Checks [T1497.002]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection::Human User Check [B0009.012]
references:
- https://evasions.checkpoint.com/src/Evasions/techniques/human-like-behavior.html#check-mouse-movement
- https://www.joesecurity.org/blog/5852460122427342172
examples:
- 5589857ba6ad8cd0893f4fbba774382222a573d20a2dd71b26b3b4d64f671301:0x401594 #VirusTotal
features:
- or:
- and:
- description: advanced mouse pattern analysis with vector/angle calculations
- api: user32.GetCursorPos
- or:
- api: winmm.timeGetTime
- api: kernel32.Sleep
- api: kernel32.GetTickCount
- api: kernel32.GetTickCount64
- api: kernel32.QueryPerformanceCounter
- or:
- api: msvcrt.acos
- api: msvcrt.sqrt
- api: msvcrt.atan2
- api: msvcrt.pow
- api: msvcrt.sin
- api: msvcrt.cos
- and:
- description: call to cursor position in a loop
- api: user32.GetCursorPos
- or:
- api: winmm.timeGetTime
- api: kernel32.Sleep
- api: kernel32.GetTickCount
- api: kernel32.GetTickCount64
- api: kernel32.QueryPerformanceCounter
- characteristic: loop
- and:
- description: mouse movement with button/event correlation check
- api: user32.GetCursorPos
- characteristic: loop
- or:
- api: user32.GetAsyncKeyState
- api: user32.GetKeyState
- api: user32.mouse_event
- api: user32.SetCursorPos
- api: user32.GetMousePointsEx
- or:
- api: kernel32.Sleep
- api: kernel32.GetTickCount
- api: winmm.timeGetTime
last edited: 2025-06-20 16:16:06