
Detecting Virtual Environment Process
Process related to Virtualbox can be detected by malware by query the process list.
The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. A malware can list the process and searches for the VMware string. Process: VMwareService.exe, VMwareTray.exe, TPAutoConnSvc.exe, VMtoolsd.exe, VMwareuser.exe.
Detection Rules
rule:
meta:
name: check for windows sandbox via process name
namespace: anti-analysis/anti-vm/vm-detection
author: "@_re_fox"
scope: function
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
references:
- https://github.com/LloydLabs/wsb-detect
examples:
- 773290480d5445f11d3dc1b800728966:0x140001140
features:
- and:
- match: enumerate processes
- string: CExecSvc.exe