rule:
  meta:
    name: check for windows sandbox via process name
    namespace: anti-analysis/anti-vm/vm-detection
    authors:
      - "@_re_fox"
    scope: function
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/LloydLabs/wsb-detect
    examples:
      - 773290480d5445f11d3dc1b800728966:0x140001140
  features:
    - and:
      - match: enumerate processes
      - string: "CExecSvc.exe"