

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, the file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.

Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check network adapter addresses, CPU core count, and available memory/drive size.

Other common checks may enumerate running services that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions. In applications like VMware, adversaries can also use a special I/O port to send commands and receive output.

Hardware checks, such as the presence of fan, temperature, and audio devices, could also be used to gather evidence indicative of a virtual environment. Adversaries may also query for specific readings from these devices.

As a procedure example, Astaroth can check for Windows product IDs used by sandboxes, and for usernames and disk serial numbers associated with analyst environments.
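The following script, added here as an illustration and not taken from the page or from any malware family it mentions, shows how the checks above combine into a single scoring routine: SMBIOS manufacturer/product strings, the CPUID hypervisor vendor string, network adapter OUIs, guest-tools services, Registry keys and driver files, the logged-in username, and CPU/RAM/disk sizing. The indicator lists, weights, and resource thresholds are assumptions chosen for illustration (commonly known vendor artifacts, not an exhaustive or authoritative set), and the standard-library collector only gathers what Python can reach without WMI or CPUID.

```python
"""Score a host for virtual-machine / sandbox artifacts (added example, not from the page)."""
import os
import platform
import uuid
from dataclasses import dataclass, field

# MAC OUI prefixes assigned to virtualization vendors (assumption: illustrative subset).
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5D": "Hyper-V", "52:54:00": "QEMU/KVM", "00:16:3E": "Xen",
}
# Substrings searched for in SMBIOS manufacturer/product fields (assumption: illustrative).
VM_STRINGS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen", "virtual machine",
              "bochs", "parallels")
# Vendor IDs returned by CPUID leaf 0x40000000 (EBX:ECX:EDX as ASCII, NUL padded).
HYPERVISOR_VENDORS = {
    "VMwareVMware": "VMware", "VBoxVBoxVBox": "VirtualBox", "KVMKVMKVM": "KVM",
    "Microsoft Hv": "Hyper-V", "XenVMMXenVMM": "Xen", "TCGTCGTCGTCG": "QEMU (TCG)",
}
# Guest-tools services, Registry keys and driver files, lower-cased for matching (assumption).
VM_SERVICES = {"vmtools", "vmtoolsd", "vboxservice", "vboxtray", "vmicheartbeat", "vmicvss", "qemu-ga"}
VM_REGISTRY_KEYS = {
    r"hklm\software\vmware, inc.\vmware tools",
    r"hklm\software\oracle\virtualbox guest additions",
    r"hklm\hardware\acpi\dsdt\vbox__",
}
VM_FILES = {
    r"c:\windows\system32\drivers\vmmouse.sys", r"c:\windows\system32\drivers\vmhgfs.sys",
    r"c:\windows\system32\drivers\vboxmouse.sys", r"c:\windows\system32\drivers\vboxguest.sys",
}
# Usernames commonly found in analysis environments (assumption: illustrative).
SUSPECT_USERS = {"sandbox", "malware", "virus", "sample", "analyst", "test"}
# Resource floors below which a host looks like a throwaway sandbox (assumption: arbitrary).
MIN_CORES, MIN_RAM_GB, MIN_DISK_GB = 2, 2.0, 60.0


@dataclass
class HostProfile:
    """Artifacts gathered from WMI/CPUID/Registry/filesystem, normalized for scoring."""
    manufacturer: str = ""
    model: str = ""
    hypervisor_vendor: str = ""          # CPUID 0x40000000 vendor string, "" if not collected
    mac_addresses: list = field(default_factory=list)
    cpu_cores: int = 0
    ram_gb: float = 0.0
    disk_gb: float = 0.0
    username: str = ""
    services: set = field(default_factory=set)
    registry_keys: set = field(default_factory=set)
    files: set = field(default_factory=set)


def evaluate(p: HostProfile) -> list:
    """Return (indicator, weight) pairs; strong artifacts weigh 3, heuristics weigh 1."""
    hits = []
    vendor = HYPERVISOR_VENDORS.get(p.hypervisor_vendor.rstrip("\x00"))
    if vendor:
        hits.append((f"cpuid hypervisor vendor {vendor}", 3))
    smbios = f"{p.manufacturer} {p.model}".lower()
    for s in VM_STRINGS:
        if s in smbios:
            hits.append((f"smbios string '{s}'", 3))
            break
    for mac in p.mac_addresses:
        oui = mac.upper().replace("-", ":")[:8]          # first three octets
        if oui in VM_MAC_OUIS:
            hits.append((f"mac oui {oui} ({VM_MAC_OUIS[oui]})", 2))
    for svc in sorted({s.lower() for s in p.services} & VM_SERVICES):
        hits.append((f"service {svc}", 2))
    for key in sorted({k.lower() for k in p.registry_keys} & VM_REGISTRY_KEYS):
        hits.append((f"registry {key}", 2))
    for path in sorted({f.lower() for f in p.files} & VM_FILES):
        hits.append((f"file {path}", 2))
    if p.username.lower() in SUSPECT_USERS:
        hits.append((f"username {p.username}", 1))
    if 0 < p.cpu_cores < MIN_CORES:
        hits.append((f"only {p.cpu_cores} cpu core(s)", 1))
    if 0 < p.ram_gb < MIN_RAM_GB:
        hits.append((f"only {p.ram_gb} GB RAM", 1))
    if 0 < p.disk_gb < MIN_DISK_GB:
        hits.append((f"only {p.disk_gb} GB disk", 1))
    return hits


def is_vme(p: HostProfile, threshold: int = 3) -> bool:
    """True when weighted evidence reaches the threshold; one strong artifact is enough."""
    return sum(w for _, w in evaluate(p)) >= threshold


def _read(path: str) -> str:
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def collect_local_profile() -> HostProfile:
    """Standard-library collector: DMI strings on Linux, MAC, core count and username only.
    On Windows the SMBIOS fields would come from WMI (Win32_ComputerSystem) instead."""
    node = uuid.getnode()
    mac = ":".join(f"{(node >> s) & 0xFF:02X}" for s in range(40, -1, -8))
    return HostProfile(
        manufacturer=_read("/sys/class/dmi/id/sys_vendor") or platform.system(),
        model=_read("/sys/class/dmi/id/product_name") or platform.machine(),
        mac_addresses=[mac], cpu_cores=os.cpu_count() or 0,
        username=os.environ.get("USERNAME") or os.environ.get("USER", ""),
    )


if __name__ == "__main__":
    local = collect_local_profile()
    for indicator, weight in evaluate(local):
        print(f"[{weight}] {indicator}")
    print("verdict:", "VME/sandbox suspected" if is_vme(local) else "no strong VME evidence")
```

The weighting is the practical point: a single hypervisor vendor string or SMBIOS match is conclusive on its own, whereas low core count or small disks are only circumstantial and should not trip the verdict by themselves, which is also why hardened sandboxes focus on scrubbing the strong artifacts (vendor strings, OUIs, guest-tools services and drivers) rather than on inflating resources.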
