Open andreisss opened 3 years ago
williballenthin
commented
3 years ago nice idea!
i think we should tweak the rule a bit to detect the known constants related to hardware vendors. otherwise, the rule boils down to just UuidCreateSequential which is a little loose.
then, we'll have to find a good example of this in the wild. maybe hunting in VT can yield one.
andreisss
commented
3 years ago Thanks. Agree.
Maybe also something similar this. Just an idea.
rule:
meta:
name: Identifying virtual environments via mac address
namespace: anti-analysis/anti-vm/vm-detection
author: andrea
scope: basic block
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check
references:
- https://nakedsecurity.sophos.com/2016/12/13/nymaim-using-mac-addresses-to-uncover-virtual-environments-and-bypass-antivirus
features:
- and:
- mnemonic: cmp
- or:
- string: mac$ # Dell Inc.
- string: mac$ # VMware
- string: mac$ # VMware
- string: mac$ # VMware, Inc.
- string: mac$ # VMware, Inc.
- string: mac$ # Hyper V
- string: mac$ # PCS Systemtechnik GmbH (VirtualBox)
- string: mac$ # Microsoft Corporation
- string: mac$ # Parallels, Inc
- string: mac$ # Xen, Inc
- optional:
- api: UuidCreateSequential
Ana06
commented
3 years ago Great ideas @andreisss!
Tip: You can use descriptions in rules like this: - string: mac$ = VMware, Inc.. This way they are rendered in the output :bowtie:
andreisss
commented
3 years ago Thanks for your feedback. 👍
williballenthin
commented
3 years ago @andreisss if i can find an example binary or two, would you be willing to draft the PR for this rule?
andreisss
commented
3 years ago @andreisss if i can find an example binary or two, would you be willing to draft the PR for this rule?
yes, it will be really nice for me if I can get this new rule working. thx
andreisss
commented
3 years ago This was my test. Sample is available here: https://app.any.run/tasks/d1b0216f-47d3-433f-85bc-7ddaf4e8477e/#
I was following also this link https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/ (real example with gootkit banking trojan)
My local test with the rule.
rule:
meta:
name: The funcion may contains a list of MAC address used to detect sandboxes or VMs.
namespace: anti-analysis/anti-vm/vm-detection
author: andreabocchetti88@gmail.com
scope: function
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check
references:
- https://nakedsecurity.sophos.com/2016/12/13/nymaim-using-mac-addresses-to-uncover-virtual-environments-and-bypass-antivirus
- https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/
examples:
- c342af62302936720e52679bc431d5a8
features:
- and:
- mnemonic: cmp
- or:
- number: 0xF01FAF00
description: Dell Inc.
- number: 0x00505600
description: VMware, Inc.
- number: 0x000C2900
description: VMware, Inc.
- number: 0x0003FF00
description: Microsoft
- number: 0x001C4200
description: Parallels
- number: 0x00163E00
description: XenSource
- number: 0x8002700
description: PCS System Technology GmbH
- optional:
- api: UuidCreateSequential
mr-tz
commented
3 years ago Very cool, some minor tweaks in the rule below:
I haven't tested this on the example, with the correct offset (see -vv output) this could go straight into the rule corpus! 🎉
Thank you!
rule:
meta:
name: detect VM using MAC address identifiers
namespace: anti-analysis/anti-vm/vm-detection
author: andreabocchetti88@gmail.com
scope: function
att&ck:
- Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
mbc:
- Anti-Behavioral Analysis::Virtual Machine Detection::Unique Hardware/Firmware Check
references:
- https://nakedsecurity.sophos.com/2016/12/13/nymaim-using-mac-addresses-to-uncover-virtual-environments-and-bypass-antivirus
- https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/
examples:
- c342af62302936720e52679bc431d5a8
features:
- and:
- mnemonic: cmp
- or:
- number: 0xF01FAF00
description: Dell Inc.
- number: 0x00505600
description: VMware, Inc.
- number: 0x000C2900
description: VMware, Inc.
- number: 0x00056900
description: VMware, Inc.
- number: 0x0003FF00
description: Microsoft
- number: 0x001C4200
description: Parallels
- number: 0x00163E00
description: XenSource
- number: 0x8002700
description: PCS System Technology GmbH
- optional:
- api: UuidCreateSequential
Hello,
Could be interesting maybe include vm detection using mac address api call like "UuidCreateSequential"
Suggestion link:
https://nakedsecurity.sophos.com/2016/12/13/nymaim-using-mac-addresses-to-uncover-virtual-environments-and-bypass-antivirus