Detecting Virtual Environment Process

Process related to Virtualbox can be detected by malware by query the process list.

The VMware Tools use processes like VMwareServices.exe or VMwareTray.exe, to perform actions on the virtual environment. A malware can list the process and searches for the VMware string. Process: VMwareService.exe, VMwareTray.exe, TPAutoConnSvc.exe, VMtoolsd.exe, VMwareuser.exe.

U1334

Detection Rules

rule:
  meta:
    name: check for windows sandbox via process name
    namespace: anti-analysis/anti-vm/vm-detection
    author: "@_re_fox"
    scope: function
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/LloydLabs/wsb-detect
    examples:
      - 773290480d5445f11d3dc1b800728966:0x140001140
  features:
    - and:
      - match: enumerate processes
      - string: CExecSvc.exe

Additional Resources

Subscribe to our Newsletter and don't miss important updates