System Checks

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts in memory, processes, the file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.

Checks could include generic system properties such as uptime and samples of network traffic. Adversaries may also check the network adapter addresses, CPU core count, and available memory/drive size.

Other common checks may enumerate running services that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions. In applications like VMware, adversaries can also use a special I/O port to send commands and receive output.

Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative of a virtual environment. Adversaries may also query for specific readings from these devices.

Example

In the following sample I will demonstrate a simple bat file that an adversary may create to perform a simple system check: if it finds the specific string VirtualBox it terminates its execution, and if not it continues and executes the malicious code.

Above you can see the simple scripting code. It first runs the systeminfo command to grab all the information about the PC and saves that information to a file. It then uses the findstr command to search for certain strings, in this case VirtualBox. An if/else then ensures that if the string is found the script will NOT execute, but if it is not found the script continues its execution.

In the demo here you can see that it searches for the VirtualBox string. This technique can be extended to finding programs like debuggers, or hardware, to stop the execution of the script. This is a simple demo of how these techniques can be pushed to perform even more checks and make sure that we aren't running in a virtual environment.
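The script described above leaves a recognizable trail in process-creation logs: systeminfo followed shortly by a findstr search for a virtualization vendor string, both launched from the same parent. The detection sketch below is an added example, not part of the original page; the event field names, the constructed sample events, the 60-second window, and the strings other than VirtualBox and VMware are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (fields modelled on Sysmon Event ID 1).
# Output redirection is handled by cmd.exe, so systeminfo's own command line is bare.
EVENTS = [
    {"time": "2024-01-10T09:00:01", "ppid": 4120, "image": "systeminfo.exe",
     "cmd": "systeminfo"},
    {"time": "2024-01-10T09:00:04", "ppid": 4120, "image": "findstr.exe",
     "cmd": 'findstr /i "VirtualBox" info.txt'},
    {"time": "2024-01-10T09:05:00", "ppid": 5300, "image": "systeminfo.exe",
     "cmd": "systeminfo"},
    {"time": "2024-01-10T09:05:02", "ppid": 5300, "image": "findstr.exe",
     "cmd": 'findstr /c:"OS Version" report.txt'},   # benign inventory lookup
    {"time": "2024-01-10T10:00:00", "ppid": 6100, "image": "findstr.exe",
     "cmd": 'findstr /i "vmware" hosts.txt'},        # no preceding systeminfo
]

# Vendor strings a VM check would search for (assumed list, extend as needed).
VM_STRINGS = re.compile(r"virtualbox|vbox|vmware|qemu", re.I)
WINDOW = timedelta(seconds=60)  # assumed correlation window

def find_vm_checks(events):
    """Return (ppid, matched string, command line) for each findstr VM-string
    search that follows systeminfo from the same parent within WINDOW."""
    last_sysinfo = {}  # parent PID -> time systeminfo.exe was last started
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        image = ev["image"].lower()
        if image == "systeminfo.exe":
            last_sysinfo[ev["ppid"]] = ts
        elif image == "findstr.exe":
            hit = VM_STRINGS.search(ev["cmd"])
            seen = last_sysinfo.get(ev["ppid"])
            if hit and seen is not None and ts - seen <= WINDOW:
                alerts.append((ev["ppid"], hit.group(0), ev["cmd"]))
    return alerts

if __name__ == "__main__":
    for ppid, term, cmd in find_vm_checks(EVENTS):
        print(f"parent {ppid}: systeminfo then findstr for {term!r}: {cmd}")
```

Correlating on the parent PID keeps ordinary inventory scripts and unrelated findstr searches from alerting; on a busy host, pair the PID with the parent's start time to account for PID reuse.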

Demo-SystemCheck:
