Virtualization/Sandbox Evasion: User Activity Based Checks

Created the Monday 20 March 2023. Updated 1 year, 6 months ago.

Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks, browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro or waiting for a user to double click on an embedded image to activate

Technique Identifier

T1497.002

Technique Tags

Defense Evasion Discovery virtual machine environment (VME) sandbox monitor mouse clicks

Code Snippets

Description

The provided code is designed to differentiate between a sandbox environment and a genuine user workspace by monitoring user clicks and idle time. It achieves this by incrementing a click count variable upon detecting a left or right click, and comparing the elapsed idle time to a predefined maximum threshold. If the total number of clicks is below a specified minimum or the idle time surpasses the maximum limit, the code identifies the environment as a sandbox. Otherwise, it recognizes the presence of a legitimate user.

package main

import (
	"fmt"
	"syscall"
	"time"
)

var (
	user32           = syscall.NewLazyDLL("user32.dll")
	getAsyncKeyState = user32.NewProc("GetAsyncKeyState")
)

func evadeClicksCount() {
	// Increment variable when a click is detected
	var clickCount int
	// Set the minimal number of clicks to be detected
	var minimalClickCount = 10
	// Set the maximum idle time in seconds
	var maxIdleTime = 120
	var t time.Time = time.Now()

	for clickCount <= minimalClickCount {
		leftClick, _, _ := getAsyncKeyState.Call(uintptr(0x1))
		rightClick, _, _ := getAsyncKeyState.Call(uintptr(0x2))
		// Check if a click is detected
		if leftClick%2 == 1 || rightClick%2 == 1 {
			clickCount += 1
			t = time.Now()
		}

		if int(time.Since(t).Seconds()) > maxIdleTime {
			fmt.Println("Sandbox Detected !")
		}
	}
	fmt.Println("Legitimate user detected !")
}

func main() {
	evadeClicksCount()
}

About Author Open Snippet

Author: Edode / Target Platform: Windows

Description

This code snippet examines artifacts of typical human activity, focusing on Linux systems with Firefox installed. It checks for browser add-ons presence and browsing history to distinguish real users from sandbox or VM environments.

import json, sys, getpass, os, sqlite3

def parseExtensionsFile(path):
    with open(path) as f:
        data = json.load(f)

    uniqueExts = []
    for (i, x) in enumerate(data["addons"]):
        if x["name"] not in uniqueExts:
            uniqueExts.append(x["name"])

    if len(uniqueExts) > 0:
        print("[+] Extensions found! Possibly not a sandbox, continuing with checks...")
        print(f"[+] Discovered extensions: {uniqueExts}")
    else:
        print(f"[!] No extensions found! Possible sandbox: {uniqueExts}")

def findExtensionsFile():
    baseDir = "/home/" + getpass.getuser() + "/.mozilla/firefox/"
    print(f"[+] Searching {baseDir}")
    files = os.listdir(baseDir)
    for file in files:
        # "default-release" is typically the directory with all the juicy json & sqlite files
        if "default-release" in file: 
            print(f"[+] Searching {baseDir}{file} for addons json file...")
            fullDir = baseDir + file + "/addons.json"
            return fullDir

def checkSearchbarHistory(path):
    print(f"[+] Grabbing searchbar history from {path}...")
    conn = sqlite3.connect(path)
    cursor = conn.execute('''
    SELECT * FROM moz_formhistory
    ''')
    rows = cursor.fetchall()
    typedHist = []
    for row in rows:
        if "searchbar-history" in row:
            typedHist.append(row[2])

    if len(typedHist) > 0:
        print(f"[+] Typed searchbar history found! Potential user activity, possibly not a sandbox: {typedHist}")
    else:
        print(f"[!] No searchbar history found! Possible sandbox: {typedHist}")



if __name__ == '__main__':
    path = findExtensionsFile()
    parseExtensionsFile(path)

    # Building path to formhistory.sqlite file
    formPath = path.strip("addons.json") + "formhistory.sqlite"
    checkSearchbarHistory(formPath)

About Author Open Snippet

Author: Issac Briones (1d8) / Target Platform: Linux

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Virtualization/Sandbox Evasion: User Activity Based Checks, Sub-technique T1497.002 - Enterprise | MITRE ATT&CK®