GET /api/techniques/12/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 12,
    "key": "detecting-virtual-environment-artefacts",
    "unprotect_id": "U1332",
    "name": "Detecting Virtual Environment Artefacts",
    "description": "QEMU leaves some artifacts in the registry. Malware can detect a QEMU installation by checking the registry key `HARDWARE\\\\DEVICEMAP\\\\Scsi\\\\Scsi Port 0\\\\Scsi Bus 0\\\\Target Id 0\\\\Logical Unit Id 0` for the value `Identifier` with data `QEMU`, or the key `HARDWARE\\\\Description\\\\System` for the value `SystemBiosVersion` with data `QEMU`.\r\n\r\nThe VirtualBox Guest Additions leave many artifacts in the registry. A search for `VBOX` in the registry might find some keys.\r\n\r\nThe VMware installation directory `C:\\\\Program Files\\\\VMware\\\\VMware Tools` may also contain artifacts, as can the registry. A search for VMware in the registry might find some keys that include information about the virtual hard drive, adapters, and virtual mouse.\r\n\r\nVMware leaves many artifacts in memory. Some are critical processor structures which, because they are either moved or changed on a virtual machine, leave recognisable footprints. Malware can search through physical memory for the string VMware, a check commonly used to detect memory artifacts.",
    "resources": "https://www.slideshare.net/ThomasRoccia/sandbox-evasion-cheat-sheet",
    "creation_date": "2019-03-11T07:58:47Z",
    "tags": "",
    "modification_date": "2023-10-04T10:43:32.985000Z",
    "category": [
        1
    ],
    "rules": [
        17,
        19,
        32,
        53
    ],
    "attachments": [],
    "featured_api": [],
    "contributors": []
}