ATT&CK-CN V1.01 Last Update: 2019-11

Translators: 林妙倩, 戴亦仑. Original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

原文: https://attack.mitre.org/techniques/T1497

Glossary: /attack/glossary

Virtualization/Sandbox Evasion

Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of their tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

Adversaries may use several methods, including Security Software Discovery, to accomplish Virtualization/Sandbox Evasion, for example searching for security monitoring tools (e.g., Sysinternals, Wireshark) to help determine whether the host is an analysis environment. Additional methods include the use of sleep timers or loops within malware code to avoid operating within a temporary sandbox, since automated sandboxes typically execute a sample for only a short, fixed period before reporting.

Virtual Machine Environment Artifact Discovery

Adversaries may use utilities such as Windows Management Instrumentation, PowerShell, Systeminfo, and Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, the file system, and/or the Registry. Adversaries may use Scripting (T1064) to combine these checks into one script and then have the program exit if it determines the system to be a virtual environment. Also, in applications like VMware, adversaries can use a special I/O port to send commands to the hypervisor and receive output. Adversaries may also check the drive size, since sandbox images are often provisioned with small disks; for example, this can be done using the Win32 DeviceIoControl function.

Example VME Artifacts in the Registry

  • HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
  • HKLM\HARDWARE\Description\System, value SystemBiosVersion containing "VMWARE"
  • HKLM\HARDWARE\ACPI\DSDT\BOX_

Example VME files and DLLs on the system

  • WINDOWS\system32\drivers\vmmouse.sys
  • WINDOWS\system32\vboxhook.dll
  • Windows\system32\vboxdisp.dll

Common checks may enumerate running services that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.

User Activity Discovery

Adversaries may search for user activity on the host (e.g., browser history, cache, bookmarks, number of files in the home directories, etc.) for reassurance of an authentic environment. They might detect this type of information via user interaction and digital signatures. They may have malware check the speed and frequency of mouse clicks to determine if it is a sandboxed environment. Other methods may rely on specific user interaction with the system before the malicious code is activated. Examples include waiting for a document to close before activating a macro and waiting for a user to double-click on an embedded image to activate the payload.

Virtual Hardware Fingerprint Discovery

Adversaries may check the fans and temperature sensors of the system to gather evidence that can be indicative of a virtual environment. An adversary may check for fans using a WMI query such as `$q = "Select * from Win32_Fan"; Get-WmiObject -Query $q`. If the WMI query returns more than zero instances, this might tell them that the machine is a physical one. The signal is weak on its own: many physical machines also expose no Win32_Fan instances because OEM firmware does not populate the class, so adversaries typically combine it with the other checks above.
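The following is an added example and not code from the ATT&CK page: a single PowerShell script that performs the VME artifact, user-activity and hardware-fingerprint checks described in the three sections above and returns every indicator it finds, in the way a defender might use to assess how detectable their own sandbox is. The registry keys, file names and the Win32_Fan query are the ones the page lists; the extra BIOS strings (VBOX, QEMU, BOCHS), the manufacturer/model patterns, the service names VBoxService and VMTools, and every numeric threshold are assumptions added here.

```powershell
# Added example (not from the ATT&CK page): run the VME checks described above and
# return the indicators found. Extra strings, service names and thresholds are assumptions.

function Get-VmeIndicators {
    $hits = [System.Collections.Generic.List[string]]::new()

    # 1. Registry artifacts listed on the page. ACPI\DSDT is searched for any subkey whose
    #    name contains BOX_ (the page gives only that fragment; VirtualBox publishes VBOX__).
    if (Test-Path 'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions') {
        $hits.Add('registry: VirtualBox Guest Additions key present')
    }
    $bios = (Get-ItemProperty 'HKLM:\HARDWARE\Description\System' -ErrorAction SilentlyContinue).SystemBiosVersion -join ' '
    if ($bios -match 'VMWARE|VBOX|QEMU|BOCHS') {          # VBOX/QEMU/BOCHS are added strings (assumption)
        $hits.Add("registry: SystemBiosVersion = $bios")
    }
    Get-ChildItem 'HKLM:\HARDWARE\ACPI\DSDT' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like '*BOX_*' } |
        ForEach-Object { $hits.Add("registry: ACPI DSDT table $($_.PSChildName)") }

    # 2. Driver and DLL artifacts listed on the page
    foreach ($f in 'drivers\vmmouse.sys', 'vboxhook.dll', 'vboxdisp.dll') {
        $p = Join-Path $env:SystemRoot "System32\$f"
        if (Test-Path $p) { $hits.Add("file: $p") }
    }

    # 3. Manufacturer/model strings and hypervisor guest services (patterns and names are assumptions)
    $cs = Get-CimInstance Win32_ComputerSystem
    if ("$($cs.Manufacturer) $($cs.Model)" -match 'VMware|VirtualBox|innotek|QEMU|Xen|Virtual Machine') {
        $hits.Add("wmi: Manufacturer/Model = $($cs.Manufacturer) / $($cs.Model)")
    }
    foreach ($svc in 'VBoxService', 'VMTools') {
        if (Get-Service -Name $svc -ErrorAction SilentlyContinue) { $hits.Add("service: $svc") }
    }

    # 4. Hardware fingerprint: the page's Win32_Fan query, plus total disk size
    $fans = @(Get-CimInstance -Query 'SELECT * FROM Win32_Fan')
    if ($fans.Count -eq 0) { $hits.Add('hardware: WMI reports no Win32_Fan instances') }
    $diskGB = (Get-CimInstance Win32_DiskDrive | Measure-Object -Property Size -Sum).Sum / 1GB
    if ($diskGB -lt 60) { $hits.Add("hardware: total disk size is $([math]::Round($diskGB)) GB") }   # 60 GB is an assumption

    # 5. User activity: profile file counts, recent items, and whether the cursor moves.
    #    The 2 s wait doubles as a sleep-acceleration check (sandboxes that skip sleeps return early).
    $userFiles = 0
    foreach ($d in 'Desktop', 'Documents', 'Downloads') {
        $p = Join-Path $env:USERPROFILE $d
        if (Test-Path $p) { $userFiles += @(Get-ChildItem $p -File -ErrorAction SilentlyContinue).Count }
    }
    $recent = @(Get-ChildItem ([Environment]::GetFolderPath('Recent')) -ErrorAction SilentlyContinue).Count
    if ($userFiles -lt 10 -and $recent -lt 5) {                                                  # thresholds are assumptions
        $hits.Add("activity: only $userFiles user files and $recent recent items")
    }
    Add-Type -AssemblyName System.Windows.Forms
    $p1 = [System.Windows.Forms.Cursor]::Position
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    Start-Sleep -Seconds 2
    $sw.Stop()
    $p2 = [System.Windows.Forms.Cursor]::Position
    if ($sw.ElapsedMilliseconds -lt 1500) { $hits.Add("timing: 2000 ms sleep returned after $($sw.ElapsedMilliseconds) ms") }
    if ($p1.X -eq $p2.X -and $p1.Y -eq $p2.Y) { $hits.Add('activity: cursor did not move during the wait') }

    return $hits
}

$found = @(Get-VmeIndicators)
if ($found.Count -gt 0) { 'VME indicators found:'; $found | ForEach-Object { "  $_" } } else { 'No VME indicators found' }
```

Run it as an ordinary user in the sandbox image under test; each line it prints is an artifact the image leaks. Every individual check also fires on some real hosts (an idle workstation has a static cursor, many laptops expose no Win32_Fan, a fresh corporate build has few user files), which is why malware combines several of them and why defenders should expect to remove more than one artifact.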

Tags

ID: T1497

Tactics: Defense Evasion, Discovery

Platforms: Windows, macOS

Data Sources: Process monitoring, Process command-line parameters

Defense Bypassed: Anti-virus, Host forensic analysis, Signature-based detection, Static File Analysis

Mitigation

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Virtualization, sandbox, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and the monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery (TA0007), especially in a short period of time, may aid in detection.
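As an added example of the detection approach described above (not part of the ATT&CK page), the PowerShell below flags a parent process that spawns several discovery or VME-check commands within a short window. The sample events are constructed inline in the shape of Sysmon Event ID 1 fields and are not real telemetry; for live data, pass Get-WinEvent output carrying the same properties. The command-line patterns, the threshold of three commands and the 60-second window are assumptions chosen for illustration.

```powershell
# Added example (not from the ATT&CK page): alert when one parent process spawns several
# discovery/VME-check commands within a short window. Patterns, threshold and window are assumptions.

$discoveryPatterns = @(
    'Win32_Fan', 'Win32_ComputerSystem', 'Win32_BIOS', 'Win32_DiskDrive',   # WMI hardware queries
    '\bsysteminfo\b', 'reg(\.exe)?\s+query', 'HKLM\\HARDWARE', 'HKLM\\SOFTWARE\\Oracle',
    '\btasklist\b', 'Get-WmiObject', 'Get-CimInstance', 'vmmouse|vbox|vmware'
)

function Find-DiscoveryBursts {
    param(
        [object[]]$Events,          # objects with UtcTime, ParentProcessId, ParentImage, Image, CommandLine
        [int]$Threshold = 3,        # discovery commands from one parent needed to raise an alert
        [int]$WindowSeconds = 60
    )
    $alerts = @()
    # keep only events whose command line matches at least one discovery pattern
    $suspicious = $Events | Where-Object {
        $cl = $_.CommandLine
        $null -ne ($discoveryPatterns | Where-Object { $cl -match $_ } | Select-Object -First 1)
    }
    foreach ($group in ($suspicious | Group-Object -Property ParentProcessId)) {
        $sorted = @($group.Group | Sort-Object -Property UtcTime)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $start = $sorted[$i].UtcTime
            $inWindow = @($sorted | Where-Object {
                $_.UtcTime -ge $start -and $_.UtcTime -le $start.AddSeconds($WindowSeconds)
            })
            if ($inWindow.Count -ge $Threshold) {
                $alerts += [pscustomobject]@{
                    ParentImage = $sorted[$i].ParentImage
                    ParentPid   = $group.Name
                    Count       = $inWindow.Count
                    FirstSeen   = $start
                    Commands    = @($inWindow | ForEach-Object { $_.CommandLine })
                }
                break      # one alert per parent process is enough
            }
        }
    }
    return $alerts
}

# Constructed sample events: a dropper runs four checks within 20 s; an admin runs one systeminfo
$t0      = [datetime]'2019-11-01T10:00:00Z'
$dropper = 'C:\Users\u\AppData\Local\Temp\invoice.exe'
$sample  = @(
    [pscustomobject]@{ UtcTime = $t0;                ParentProcessId = 4120; ParentImage = $dropper; Image = 'C:\Windows\System32\cmd.exe';        CommandLine = 'cmd.exe /c systeminfo' }
    [pscustomobject]@{ UtcTime = $t0.AddSeconds(3);  ParentProcessId = 4120; ParentImage = $dropper; Image = 'C:\Windows\System32\reg.exe';        CommandLine = 'reg query "HKLM\HARDWARE\Description\System" /v SystemBiosVersion' }
    [pscustomobject]@{ UtcTime = $t0.AddSeconds(9);  ParentProcessId = 4120; ParentImage = $dropper; Image = 'C:\Windows\System32\wbem\WMIC.exe';  CommandLine = 'wmic path Win32_Fan get *' }
    [pscustomobject]@{ UtcTime = $t0.AddSeconds(20); ParentProcessId = 4120; ParentImage = $dropper; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell -c "Get-WmiObject Win32_ComputerSystem | select Manufacturer,Model"' }
    [pscustomobject]@{ UtcTime = $t0.AddMinutes(15); ParentProcessId = 880;  ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c systeminfo' }
)

Find-DiscoveryBursts -Events $sample | Format-List
```

On the constructed input this yields one alert for the invoice.exe parent (four discovery commands within 20 seconds) and nothing for explorer.exe, whose single systeminfo never reaches the threshold. In production the pattern list should be tuned against inventory and monitoring agents that legitimately issue these queries, and the parent image path (a user-writable temp directory here) is worth scoring alongside the burst itself.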