rule:
  meta:
    name: check for windows sandbox via device namespace
    namespace: anti-analysis/anti-vm/vm-detection
    author: "@_re_fox"
    scope: basic block
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/LloydLabs/wsb-detect
    examples:
      - 773290480d5445f11d3dc1b800728966:0x140001140
  features:
    - and:
      - api: CreateFile
      - string: \\.\GLOBALROOT\device\vmsmb