title: Powershell Detect Virtualization Environment
author: frack113
date: 2021/08/03
description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox
detection:
  SELECTION_1:
    ScriptBlockText: '*Get-WmiObject*'
  SELECTION_2:
    ScriptBlockText: '*MSAcpi_ThermalZoneTemperature*'
  SELECTION_3:
    ScriptBlockText: '*Win32_ComputerSystem*'
  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
  - Unknown
id: d93129cd-1ee0-479f-bc03-ca6f129882e3
level: medium
logsource:
  category: ps_script
  definition: EnableScriptBlockLogging must be set to enable
  product: windows
modified: 2021/10/16
references:
  - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md
  - https://techgenix.com/malicious-powershell-scripts-evade-detection/
status: experimental
tags:
  - attack.defense_evasion
  - attack.t1497.001
yml_filename: powershell_detect_vm_env.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/powershell/powershell_script