For those of you attending Black Hat Asia 2020, two members from FortiGuard Labs will be presenting on Friday, October 2nd.
Black Hat Asia 2020 (link to session abstract)
Invoke-AntiVM: A Powershell Module for VM Evasion
Location: Station 2
Date: Friday, October 2 | 12:00pm-1:00pm
Recently, attackers have been using living-off-the-land tools such as PowerShell, and the community has developed a large arsenal based on it, such as (to mention just a few) PowerSploit, Invoke-Mimikatz, PowerUp, Nishang, PowerShell Empire, Invoke-Obfuscation and, more recently, Covenant.
With so many options available to attackers, Windows has introduced advanced PowerShell logging capabilities and the AMSI interface. This is not enough, however, because attackers have started to use VM detection within their payloads to thwart analysis; one needs to remember that PowerShell script logging only de-obfuscates the functions that have actually been executed.
Therefore we wrote a PowerShell module with a set of functions that an attacker or a pentester can import into their PowerShell implant to decide whether the target is a sandbox VM or possibly a real target. In addition to the techniques used in Nishang (Check-VM), which are mostly based on signatures of specific registry keys and process names, we have used a more general, behavioral approach which includes all the information from the OS, including for example how many programs are installed, what screenshot is used, what network cards are installed, what the usage history of certain applications such as Explorer or Word is, etc.
------------------------------
Joe
------------------------------
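As an added illustration of the behavioral host-profiling approach the abstract describes (this is example code written for this post, not the Invoke-AntiVM module itself, which is not included here), the PowerShell script below gathers the kind of signals mentioned: number of installed programs, physical network adapters, screen geometry, Explorer launch history (UserAssist), recent documents and uptime, then combines them into a simple score. Every threshold and the "three or more indicators" cut-off are assumptions chosen for illustration, not values from the talk.

```powershell
# Added example: behavioral host profiling in the spirit of the Invoke-AntiVM abstract.
# Illustrative code written for this post, not the FortiGuard Labs module itself.
# All thresholds below are assumptions; tune them against data from real endpoints.

function Get-InstalledProgramCount {
    # Count Uninstall entries that carry a DisplayName (64-bit, 32-bit and per-user hives).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $count = 0
    foreach ($p in $paths) {
        if (Test-Path $p) {
            $count += @(Get-ChildItem -Path $p -ErrorAction SilentlyContinue |
                Where-Object { (Get-ItemProperty $_.PSPath).DisplayName }).Count
        }
    }
    return $count
}

function Get-PhysicalAdapterCount {
    # Win32_NetworkAdapter.PhysicalAdapter is $true for hardware NICs; many sandboxes show none.
    return @(Get-CimInstance -ClassName Win32_NetworkAdapter |
        Where-Object { $_.PhysicalAdapter -eq $true }).Count
}

function Get-ScreenProfile {
    # Monitor count and primary resolution; analysis VMs often run a single small display.
    Add-Type -AssemblyName System.Windows.Forms
    $screens = [System.Windows.Forms.Screen]::AllScreens
    $primary = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds
    [pscustomobject]@{ Count = $screens.Count; Width = $primary.Width; Height = $primary.Height }
}

function Get-UserAssistEntryCount {
    # UserAssist records programs launched through Explorer; a fresh image has very few entries.
    $base = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    if (-not (Test-Path $base)) { return 0 }
    $n = 0
    foreach ($guid in Get-ChildItem $base -ErrorAction SilentlyContinue) {
        $countKey = "$($guid.PSPath)\Count"
        if (Test-Path $countKey) {
            $n += @((Get-Item $countKey).GetValueNames()).Count
        }
    }
    return $n
}

function Get-RecentDocumentCount {
    # Shortcuts in the user's Recent folder reflect real document usage (Word, Explorer, ...).
    $recent = [Environment]::GetFolderPath('Recent')
    if (-not (Test-Path $recent)) { return 0 }
    return @(Get-ChildItem $recent -File -ErrorAction SilentlyContinue).Count
}

function Get-UptimeHours {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    return ((Get-Date) - $os.LastBootUpTime).TotalHours
}

function Invoke-HostProfile {
    $hostInfo = [ordered]@{
        InstalledPrograms = Get-InstalledProgramCount
        PhysicalAdapters  = Get-PhysicalAdapterCount
        Screen            = Get-ScreenProfile
        UserAssistEntries = Get-UserAssistEntryCount
        RecentDocuments   = Get-RecentDocumentCount
        UptimeHours       = [math]::Round((Get-UptimeHours), 1)
    }
    # Each low-usage indicator adds one point (thresholds are illustrative assumptions).
    $score = 0
    if ($hostInfo.InstalledPrograms -lt 15)  { $score++ }
    if ($hostInfo.PhysicalAdapters  -lt 1)   { $score++ }
    if ($hostInfo.Screen.Width -lt 1024 -or $hostInfo.Screen.Height -lt 768) { $score++ }
    if ($hostInfo.UserAssistEntries -lt 20)  { $score++ }
    if ($hostInfo.RecentDocuments   -lt 5)   { $score++ }
    if ($hostInfo.UptimeHours       -lt 0.5) { $score++ }
    $hostInfo.Score         = $score
    $hostInfo.LikelySandbox = ($score -ge 3)   # assumed cut-off for this example
    return [pscustomobject]$hostInfo
}

Invoke-HostProfile | Format-List
```

Run it in a 64-bit Windows PowerShell session on a well-used workstation and then inside a freshly provisioned analysis VM to see how the counters separate the two. Note for defenders: because these are ordinary registry, CIM and file-system reads, they do not trip signature-based VM checks, and, as the abstract points out, script block logging will only show the branch that actually executed, so the payload that follows a negative verdict may never appear in the logs.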