(CAPA) CAPA_vm_instruction


rule:
  meta:
    name: execute anti-VM instructions
    namespace: anti-analysis/anti-vm/vm-detection
    author: moritz.raabe@fireeye.com
    scope: basic block
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection::Instruction Testing [B0009.029]
    examples:
      - Practical Malware Analysis Lab 17-03.exe_:0x401A80
  features:
    - or:
      - mnemonic: sidt
      - mnemonic: sgdt
      - mnemonic: sldt
      - mnemonic: smsw
      - mnemonic: str
      - mnemonic: in
      - mnemonic: cpuid
      - mnemonic: vpcext
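
The page shows what the rule looks for but not how capa evaluates it. The following is an added example, written for this page and not capa's own code (capa's real engine lives in the capa package); it re-implements the subset of the rule grammar this rule uses (or / and / not / mnemonic) and scores each basic block on its own features, which is what `scope: basic block` means. The addresses, the disassembly listing and the `TYPO_RULE` are constructed for the demonstration and are not taken from Practical Malware Analysis Lab 17-03. The typo check illustrates why the `sidt` spelling matters: no x86 instruction is named `sdit`, so a rule branch asking for it can never fire.

```python
"""Toy evaluator for capa's `mnemonic` feature at basic-block scope.
Example code written for this page; not capa's own implementation."""
from dataclasses import dataclass
from typing import Any, Dict, List, Set, Tuple

# Mirrors the rule's `or` block above (with the `sidt` spelling).
ANTI_VM_MNEMONICS = ("sidt", "sgdt", "sldt", "smsw", "str", "in", "cpuid", "vpcext")
ANTI_VM_RULE: Dict[str, Any] = {
    "name": "execute anti-VM instructions",
    "scope": "basic block",
    "features": {"or": [{"mnemonic": m} for m in ANTI_VM_MNEMONICS]},
}
# Assumed variant carrying the `sdit` typo: x86 has no such instruction,
# so this branch never matches any real disassembly.
TYPO_RULE: Dict[str, Any] = {**ANTI_VM_RULE, "features": {"or": [{"mnemonic": "sdit"}]}}


@dataclass
class BasicBlock:
    """A disassembled basic block: start address plus (address, mnemonic, operands)."""
    start: int
    insns: List[Tuple[int, str, str]]

    def mnemonics(self) -> Set[str]:
        # The feature set capa would extract for this block: just the mnemonics.
        return {mn.lower() for _, mn, _ in self.insns}


def evaluate(node: Dict[str, Any], mnemonics: Set[str]) -> bool:
    """Evaluate one logic node (and/or/not/mnemonic) against a block's features."""
    (key, value), = node.items()
    if key == "or":
        return any(evaluate(child, mnemonics) for child in value)
    if key == "and":
        return all(evaluate(child, mnemonics) for child in value)
    if key == "not":
        return not evaluate(value, mnemonics)
    if key == "mnemonic":
        return value.lower() in mnemonics
    raise ValueError(f"unsupported feature node: {key}")


def mnemonic_leaves(node: Dict[str, Any]) -> List[str]:
    """Collect every `mnemonic` leaf in a rule tree, in rule order."""
    (key, value), = node.items()
    if key in ("or", "and"):
        return [m for child in value for m in mnemonic_leaves(child)]
    if key == "not":
        return mnemonic_leaves(value)
    return [value.lower()] if key == "mnemonic" else []


def match_rule(rule: Dict[str, Any], blocks: List[BasicBlock]) -> List[Tuple[int, List[str]]]:
    """Return (block start, matching mnemonics) for each block the rule fires on.
    Each block is scored on its own features; an anti-VM instruction in a
    different block of the same function does not make this block match."""
    assert rule["scope"] == "basic block"
    hits = []
    for bb in blocks:
        feats = bb.mnemonics()
        if evaluate(rule["features"], feats):
            hits.append((bb.start, [m for m in mnemonic_leaves(rule["features"]) if m in feats]))
    return hits


# Constructed disassembly (made-up addresses, not Lab 17-03).
SAMPLE_BLOCKS = [
    # "Red Pill": store the 6-byte IDTR to the stack, take the high byte of the
    # 4-byte base at [ebp-4]; under several older hypervisors it sits above 0xD0.
    BasicBlock(0x401000, [
        (0x401000, "push", "ebp"),
        (0x401001, "mov", "ebp, esp"),
        (0x401003, "sub", "esp, 8"),
        (0x401006, "sidt", "[ebp-6]"),
        (0x40100A, "mov", "eax, [ebp-4]"),
        (0x40100D, "shr", "eax, 0x18"),
        (0x401010, "cmp", "eax, 0xD0"),
        (0x401013, "ja", "0x401020"),
    ]),
    # CPUID leaf 1: ECX bit 31 is the hypervisor-present bit.
    BasicBlock(0x401020, [
        (0x401020, "mov", "eax, 1"),
        (0x401025, "cpuid", ""),
        (0x401027, "bt", "ecx, 0x1F"),
        (0x40102B, "jc", "0x401040"),
    ]),
    # Ordinary epilogue: no descriptor-table or port I/O instructions, so no match.
    BasicBlock(0x401040, [
        (0x401040, "xor", "eax, eax"),
        (0x401042, "leave", ""),
        (0x401043, "ret", ""),
    ]),
]

if __name__ == "__main__":
    for start, mns in match_rule(ANTI_VM_RULE, SAMPLE_BLOCKS):
        print(f"{start:#x}: {', '.join(mns)}")
    print("blocks matched by the sdit typo rule:", match_rule(TYPO_RULE, SAMPLE_BLOCKS))
```

Run as a script it reports the two constructed blocks that contain `sidt` and `cpuid` and an empty list for the typo rule. Against real samples capa extracts the mnemonics itself (via its disassembler backend), so the only part of this that carries over is the evaluation logic and the lesson that a misspelled mnemonic silently never matches.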

Created

June 20, 2022

Last Revised

June 20, 2022