reference anti-VM strings

rule:
  meta:
    name: reference anti-VM strings
    namespace: anti-analysis/anti-vm/vm-detection
    authors:
      - moritz.raabe@mandiant.com
    scopes:
      static: file
      dynamic: file
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/ctxis/CAPE/blob/master/modules/signatures/antivm_*
      - https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp
    examples:
      - Practical Malware Analysis Lab 17-02.dll_
  features:
    - or:
      - string: /HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\BOCHS/i
      - string: /HARDWARE\\DESCRIPTION\\System\\(SystemBiosVersion|VideoBiosVersion)/i
      - string: /HARDWARE\\DESCRIPTION\\System\\CentralProcessor/i
      - string: /HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0/i
      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Enum\\IDE/i
      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Services\\Disk\\Enum\\/i
      - string: /SYSTEM\\(ControlSet\d{3}|CurrentControlSet)\\Control\\SystemInformation\\SystemManufacturer/i
      - string: /A M I/i
      - string: /Hyper-V/i
      - string: /Kernel-VMDetection-Private/i
      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L699
      - string: /KVMKVMKVM/i
        description: KVM
      - string: /Microsoft Hv/i
        description: Microsoft Hyper-V or Windows Virtual PC
      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L8
      - string: /avghookx\.dll/i
        description: AVG
      - string: /avghooka\.dll/i
        description: AVG
      - string: /snxhk\.dll/i
        description: Avast
      - string: /pstorec\.dll/i
        description: SunBelt Sandbox
      - string: /vmcheck\.dll/i
        description: Virtual PC
      - string: /wpespy\.dll/i
        description: WPE Pro
      - string: /cmdvrt64\.dll/i
        description: Comodo Container
      - string: /cmdvrt32\.dll/i
        description: Comodo Container
      # https://github.com/LordNoteworthy/al-khaser/blob/master/al-khaser/AntiVM/Generic.cpp#L46
      - string: /sample\.exe/i
      - string: /bot\.exe/i
      - string: /sandbox\.exe/i
      - string: /malware\.exe/i
      - string: /test\.exe/i
      - string: /klavme\.exe/i
      - string: /myapp\.exe/i
      - string: /testapp\.exe/i