Fingerprinting Emulator

Created the Monday 18 March 2019. Updated 4 years, 2 months ago.

Fingerprinting the AV emulator can allow the malware to detect the AV. For example, specific mutex can be used by the AV emulator, trying to detect it allow the sample to detect the AV.

Technique Identifier

U0513

Detection Rules

                                    title: Get antivirus details via WMIC query
status: experimental
description: Get antivirus details via WMIC query
author: Joe Security
date: 2020-03-27
id: 200069
threatname:
behaviorgroup: 5
classification: 8
mitreattack:

logsource:
      category: process_creation
      product: windows
detection:
      selection:
          CommandLine:
              -'*wmic * path antivirusproduct get displayname*'
      condition: selection
level: critical

Contributors

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

https://www.blackhat.com/docs/us-16/materials/us-16-Bulazel-AVLeak-Fingerprinting-Antivirus-Emulators-For-Advanced-Malware-Evasion.pdf