(CAPA) CAPA_vm_registry
```yaml
rule:
  meta:
    name: check for windows sandbox via registry
    namespace: anti-analysis/anti-vm/vm-detection
    author: "@_re_fox"
    scope: function
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/LloydLabs/wsb-detect
    examples:
      - 773290480d5445f11d3dc1b800728966:0x140001140
  features:
    - and:
      - api: RegOpenKeyEx
      - api: RegEnumValue
      - string: /\\Microsoft\\Windows\\CurrentVersion\\RunOnce/
      - string: /wmic useraccount where \"name='WDAGUtilityAccount'\"/i
```
Associated Techniques

| Technique Name | Technique ID | Snippet(s) | OS |
|---|---|---|---|
| Detecting Virtual Environment Artefacts | U1332 | | |
Created: June 20, 2022
Last Revised: June 20, 2022