rule Detect_AntiVMWithTemperature { meta: description = "Rue to detect AntiVMwithTemperature technique" author = "Thibault Seret" date = "2020-09-26" strings: $s1 = {72 6f 6f 74 5c 57 4d 49} // root\WMI $s2 = {53 45 4c 45 43 54 20 2a 20 46 52 4f 4d 20 4d 53 41 63 70 69 5f 54 68 65 72 6d 61 6c 5a 6f 6e 65 54 65 6d 70 65 72 61 74 75 72 65} // SELECT * FROM MSAcpi_ThermalZoneTemperature $s3 = {43 75 72 72 65 6e 74 54 65 6d 70 65 72 61 74 75 72 65} // CurrentTemperature condition: all of them }