(YARA) YARA_Detect_AntiVMWithTemperature
rule Detect_AntiVMWithTemperature {
    meta:
        description = "Rule to detect AntiVMwithTemperature technique"
        author = "Thibault Seret"
        date = "2020-09-26"
    strings:
        // WMI namespace used for the ACPI thermal-zone query (the query typically returns no data under a hypervisor, which is what the anti-VM check relies on)
        $s1 = {72 6f 6f 74 5c 57 4d 49}  // root\WMI
        $s2 = {53 45 4c 45 43 54 20 2a 20 46 52 4f 4d 20 4d 53 41 63 70 69 5f 54 68 65 72 6d 61 6c 5a 6f 6e 65 54 65 6d 70 65 72 61 74 75 72 65}  // SELECT * FROM MSAcpi_ThermalZoneTemperature
        $s3 = {43 75 72 72 65 6e 74 54 65 6d 70 65 72 61 74 75 72 65}  // CurrentTemperature
    condition:
        all of them
}
Associated Techniques
No associated technique found so far.
Created
June 20, 2022
Last Revised
November 5, 2024