rule:
  meta:
    name: execute anti-VM instructions
    namespace: anti-analysis/anti-vm/vm-detection
    author: moritz.raabe@fireeye.com
    scope: basic block
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection::Instruction Testing [B0009.029]
    examples:
      - Practical Malware Analysis Lab 17-03.exe_:0x401A80
  features:
    # Any single one of these mnemonics within a basic block is enough to match.
    - or:
      # Descriptor-table and task-register reads (Red Pill / No Pill style checks):
      # the stored base addresses differ between bare metal and some hypervisors.
      - mnemonic: sidt
      - mnemonic: sgdt
      - mnemonic: sldt
      - mnemonic: str
      # Store Machine Status Word: another unprivileged read of control state.
      - mnemonic: smsw
      # Raw I/O port access, e.g. the VMware backdoor port handshake.
      - mnemonic: in
      # Hypervisor-present bit and vendor string in the CPUID leaves.
      - mnemonic: cpuid
      # Virtual PC guest-extension instruction; faults outside Virtual PC.
      - mnemonic: vpcext