rule:
  meta:
    name: check for windows sandbox via registry
    namespace: anti-analysis/anti-vm/vm-detection
    author: "@_re_fox"
    scope: function
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/LloydLabs/wsb-detect
    examples:
      - 773290480d5445f11d3dc1b800728966:0x140001140
  features:
    - and:
      - api: RegOpenKeyEx
      - api: RegEnumValue
      - string: /\\Microsoft\\Windows\\CurrentVersion\\RunOnce/
      - string: /wmic useraccount where \"name='WDAGUtilityAccount'\"/i
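The behaviour this rule matches is the Windows Sandbox check from wsb-detect: open HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, enumerate its values, and look for the wmic command that targets the sandbox's built-in WDAGUtilityAccount user. The following is an added example, written for this page and not code from the capa rule, from capa, or from wsb-detect. It reproduces that check in Python using the same two regular expressions the rule carries as string features, reads the real key through winreg when run on Windows, and otherwise runs over constructed sample values (the value name "WDAGUtilityAccountSetup" and the cleanup entry are made up for illustration, as is the helper that applies the rule's string features to a list of extracted strings):

```python
"""Windows Sandbox detection via the RunOnce registry key.

Added example (not from the capa rule or wsb-detect). On Windows the values
come from winreg; elsewhere the constructed SAMPLE_* lists stand in for what
RegEnumValue would return, so the logic can be exercised offline.
"""
import re
import sys
from typing import Iterable, List, Optional, Tuple

RUNONCE_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

# The two regexes from the rule's `string:` features, as Python patterns.
RUNONCE_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\RunOnce")
WDAG_RE = re.compile(
    r"wmic useraccount where \"name='WDAGUtilityAccount'\"", re.IGNORECASE
)


def find_sandbox_marker(values: Iterable[Tuple[str, object]]) -> Optional[str]:
    """Return the name of the first RunOnce value whose data contains the
    Windows Sandbox wmic command, or None. `values` yields (name, data) pairs
    in the order RegEnumValue / winreg.EnumValue returns them."""
    for name, data in values:
        if isinstance(data, bytes):
            # Raw REG_SZ / REG_EXPAND_SZ data is UTF-16LE; tolerate REG_BINARY noise.
            data = data.decode("utf-16-le", errors="ignore")
        if isinstance(data, str) and WDAG_RE.search(data):
            return name
    return None


def enumerate_runonce_values() -> Iterable[Tuple[str, object]]:
    """Enumerate HKLM RunOnce the way the rule's RegOpenKeyEx/RegEnumValue pair
    does. Windows only: winreg is not available elsewhere."""
    import winreg  # noqa: imported lazily so the module loads on other platforms

    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUNONCE_PATH) as key:
        index = 0
        while True:
            try:
                name, data, _reg_type = winreg.EnumValue(key, index)
            except OSError:
                break  # ERROR_NO_MORE_ITEMS ends the enumeration
            yield name, data
            index += 1


def is_windows_sandbox(values: Iterable[Tuple[str, object]]) -> bool:
    """True when the RunOnce enumeration carries the WDAGUtilityAccount marker."""
    return find_sandbox_marker(values) is not None


def rule_string_features_match(extracted_strings: List[str]) -> bool:
    """Apply the rule's two string features to strings extracted from a
    function, mirroring how capa evaluates the `string:` regexes (the api
    features are not modelled here). Hypothetical helper for illustration."""
    has_path = any(RUNONCE_RE.search(s) for s in extracted_strings)
    has_wmic = any(WDAG_RE.search(s) for s in extracted_strings)
    return has_path and has_wmic


# Constructed sample data: a RunOnce enumeration as it might look inside
# Windows Sandbox (second entry) next to an unrelated cleanup entry.
SAMPLE_SANDBOX_VALUES = [
    ("SetupCleanup", r"C:\Windows\System32\cmd.exe /c del C:\tmp\setup.log"),
    ("WDAGUtilityAccountSetup",
     "wmic useraccount where \"name='WDAGUtilityAccount'\" set PasswordExpires=false"),
]
# Constructed sample data: the same key on an ordinary host.
SAMPLE_HOST_VALUES = [
    ("SetupCleanup", r"C:\Windows\System32\cmd.exe /c del C:\tmp\setup.log"),
]
# Constructed sample data: strings a binary implementing this check would carry.
SAMPLE_FUNCTION_STRINGS = [
    "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
    "WMIC USERACCOUNT WHERE \"name='WDAGUtilityAccount'\"",
]

if __name__ == "__main__":
    source = enumerate_runonce_values() if sys.platform == "win32" else SAMPLE_SANDBOX_VALUES
    marker = find_sandbox_marker(source)
    print(f"Windows Sandbox marker in RunOnce value: {marker}" if marker
          else "no Windows Sandbox marker in RunOnce")
```

Two points worth keeping in mind when using the check or the rule: the wmic regex is case-insensitive because the string in the binary may be upper-cased or built at runtime, and the RunOnce path regex on its own is a weak signal (installers write there routinely), which is why the rule requires both strings and both registry APIs inside a single function.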