System Related Checks
Specify a date in the format mm/dd/yyyy on which the payload should execute. The payload checks the current date on the system, and if the date does not match the provided date, it sleeps for 24 hours and checks again.
Example: Execute the payload on August 24th, 2017.
.\date_trigger.ps1 08/24/2017
Specify a minimum disk size requirement in gibibytes for the payload to run. The default value is 50 GB.
Example: Check that the disk is at least 100 GB in size.
.\disk_size.ps1 100
Checks all loaded DLLs in every accessible running process on the system against a set of known sandbox, malware-analysis, and debug-related DLLs. If any of the loaded DLLs match one of these known DLLs, the payload will not execute. This check accepts no arguments.
Example:
.\check_all_DLL_names.ps1
Ensures that the domain name of the system matches a user-specified string.
Example: Check that the computer belongs to the corp.mycompany.com domain.
.\domain.ps1 corp.mycompany.com
Checks certain filepaths for known files associated with sandboxes. If any of these files are found on the system, the payload will not execute. This check accepts no arguments.
Example:
.\filepath_existence.ps1
Ensures the hostname of the system matches a user-specified string.
Example: Check that the hostname of the system is Chris-PC070239.
.\hostname.ps1 Chris-PC070239
Certain MAC addresses are indicative of a sandbox or virtual-machine environment. This check ensures that the MAC address on the target system does not match any of those known addresses. This check accepts no arguments.
Example:
.\mac_address.ps1
Virtual machines, sandboxes, and seldom-used systems often have fewer running processes than active hosts. This check ensures that at least a user-specified number of processes are running on the system. The default value is 50 processes.
Example: Check that more than 65 processes are running on the target system.
.\minimum_num_running_processes.ps1 65
Legitimate systems will likely have mounted several USB devices over their history. Windows 7 maintains a log of all USB devices ever mounted on the system in the HKEY_LOCAL_MACHINE hive, at HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR. Each USB device ever mounted becomes its own subkey under USBSTOR.
By counting the number of subkeys under USBSTOR, we can see how many USB devices have ever been mounted on the system. Note that this check does not work on Windows 10. The default value is 2.
Example: Check that at least 4 USB devices have ever been mounted on the system.
.\usb.ps1 4
This check makes sure at least two web browsers are installed on the system. It currently checks for Chrome, Internet Explorer, and Firefox at their respective HKEY_LOCAL_MACHINE Registry paths. A less commonly used system or sandbox environment may only have Internet Explorer. This check accepts no arguments.
Example:
.\minimum_num_browsers.ps1
A seldom-used system or sandbox may not have added any custom entries to the default Microsoft Word dictionary (e.g. right-clicking on an underlined word and clicking "Add to Dictionary"). This check requires a minimum number of words to have been added to the custom dictionary. The default value is 1.
Example: Make sure more than 2 words have been added to the Microsoft Word custom dictionary.
.\msword_custom_dict_size.ps1 2
Checks all running processes on the system against a set of known sandbox, malware-analysis, and debugging-related process names. If any of the running processes match one of these known processes, the payload will not execute. This check accepts no arguments.
Example:
.\check_all_process_names.ps1
Requires a minimum number of processors to exist on the system.
Example: Require at least 3 processors to exist on the system.
.\processors.ps1 3
Requires the total amount of physical memory (RAM) on the system to exceed one gibibyte. This check accepts no arguments.
Example:
.\ram.ps1
Certain keys in the Registry only exist in virtual machines, and certain values in the Registry will have sandbox-indicative strings within them when in a virtual machine. This module enumerates those keys and values and searches for any indication of running in a virtual environment. This check accepts no arguments.
Example:
.\registry.ps1
As a system's usage grows over time, the size of its Registry tends to increase due to factors like downloading new software and creating new preferences. A small Registry may suggest the system is not often in use or only exists in a virtual environment dedicated to running malware. The default value is 55 MB.
Example: Ensure the Registry is at least 100 MB in size.
.\registry_size.ps1 100
In malware sandboxes, calls to sleep are hooked and accelerated so that the sandbox can perform dynamic analysis on the malware without having to wait for long periods of time. This module queries pool.ntp.org, a cluster of NTP servers that serves as an external source of the current time.
This module queries the NTP cluster for the current time, then sleeps for a user-specified number of seconds. After sleeping, it queries the NTP cluster again. If no sleep acceleration exists on the system, the elapsed time between the two queries will be at least as long as the sleep duration. Otherwise, sleep acceleration is present, in which case the payload is almost certainly running in a sandbox.
Example: Check if a sleep call for 30 seconds is accelerated.
.\sleep_acceleration.ps1 30
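The exchange described above, written out as an added PowerShell example (not the project's sleep_acceleration.ps1) from the sandbox operator's side: run it inside an analysis VM to learn whether the VM's sleep patching is observable through an external clock. The function names Get-NtpTime and Test-SleepAcceleration, the -ToleranceSeconds parameter and the 5-second socket timeout are this example's own choices; the SNTP packet layout (48 bytes, mode 3 request, transmit timestamp at bytes 40..47) is the standard one.

```powershell
function Get-NtpTime {
    # Minimal SNTP (RFC 4330) client: 48-byte request whose first byte 0x1B
    # encodes LI=0, version 3, mode 3 (client); the reply's transmit timestamp
    # is taken as the server's idea of "now".
    param([string]$Server = 'pool.ntp.org', [int]$TimeoutMs = 5000)

    $request = New-Object byte[] 48
    $request[0] = 0x1B

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.Client.ReceiveTimeout = $TimeoutMs   # throws if the pool does not answer
        $udp.Connect($Server, 123)
        [void]$udp.Send($request, $request.Length)
        $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
        $reply = $udp.Receive([ref]$remote)
    } finally {
        $udp.Close()
    }

    # Transmit Timestamp: 32-bit seconds since 1900-01-01 UTC, then a 32-bit
    # binary fraction of a second, both big-endian.
    [byte[]]$secBytes  = $reply[40..43]; [array]::Reverse($secBytes)
    [byte[]]$fracBytes = $reply[44..47]; [array]::Reverse($fracBytes)
    $seconds  = [BitConverter]::ToUInt32($secBytes, 0)
    $fraction = [BitConverter]::ToUInt32($fracBytes, 0)

    $ntpEpoch = New-Object DateTime -ArgumentList 1900, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    return $ntpEpoch.AddSeconds($seconds).AddMilliseconds($fraction * 1000.0 / 4294967296.0)
}

function Test-SleepAcceleration {
    # Sleep locally, then compare the externally observed elapsed time with the
    # requested duration. -ToleranceSeconds absorbs network jitter and the fact
    # that pool.ntp.org may hand the two queries to different servers.
    param(
        [int]$Seconds = 30,
        [string]$Server = 'pool.ntp.org',
        [double]$ToleranceSeconds = 1.0
    )

    $before     = Get-NtpTime -Server $Server
    $localStart = Get-Date
    Start-Sleep -Seconds $Seconds
    $localElapsed = ((Get-Date) - $localStart).TotalSeconds
    $after      = Get-NtpTime -Server $Server

    $externalElapsed = ($after - $before).TotalSeconds
    [pscustomobject]@{
        RequestedSeconds = $Seconds
        LocalElapsed     = [math]::Round($localElapsed, 2)
        ExternalElapsed  = [math]::Round($externalElapsed, 2)
        Accelerated      = ($externalElapsed -lt ($Seconds - $ToleranceSeconds))
    }
}

Test-SleepAcceleration -Seconds 30 | Format-List
```

If Accelerated comes back $true, the sandbox's sleep hooking is visible to anything that can reach UDP/123, and the fix belongs in the sandbox network rather than the hook: answer NTP from the simulated network with a clock that advances consistently with the patched sleep, or keep the sample from reaching a real pool at all. On the detection side, two NTP requests to pool.ntp.org from a fresh sample with a gap of exactly the sleep length between them is a usable sandbox-side indicator that this check is in play.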
Some sandboxes run in the UTC time zone by default. This module checks to make sure the target environment does not. This check accepts no arguments.
Example:
.\utc.ps1
Seldom-used systems will likely not have as many Windows updates installed as systems with greater usage. This check requires a minimum number of installed updates; the default is 50.
Example: Check that at least 120 Windows updates have been installed.
.\windows_updates.ps1 120
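For an analyst hardening a sandbox image, the environmental heuristics documented on this page (running processes, USB history, installed browsers, Word custom dictionary, processors, RAM, updates, disk size, time zone) are easier to act on as one report than as a dozen separate scripts. The PowerShell below is an added example, not the project's scripts: it evaluates those heuristics with the defaults this page states and shows which ones the image would fail. The registry path for browsers (HKLM:\SOFTWARE\Clients\StartMenuInternet), the CUSTOM.DIC location under %APPDATA%\Microsoft\UProof, the use of Get-HotFix for the update count and the processor default of 2 are this example's assumptions; the page does not show how the project's own scripts look these up.

```powershell
function Get-SandboxRealismReport {
    param(
        [int]$MinProcesses = 50,       # page default
        [int]$MinUsbDevices = 2,       # page default
        [int]$MinBrowsers = 2,         # page default
        [int]$MinCustomDictWords = 1,  # page default
        [int]$MinProcessors = 2,       # assumption: the page states no default
        [double]$MinRamGiB = 1,        # page: must exceed one gibibyte
        [int]$MinUpdates = 50,         # page default
        [double]$MinDiskGiB = 50       # page default
    )

    $cs       = Get-CimInstance Win32_ComputerSystem
    $sysDrive = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    # USBSTOR: one subkey per USB storage device ever mounted (Windows 7 layout described above)
    $usbKey   = 'HKLM:\SYSTEM\ControlSet001\Enum\USBSTOR'
    $usbCount = if (Test-Path $usbKey) { @(Get-ChildItem $usbKey).Count } else { 0 }

    # Assumed location: browsers that register as default-browser candidates appear here
    $browserKey   = 'HKLM:\SOFTWARE\Clients\StartMenuInternet'
    $browserCount = if (Test-Path $browserKey) { @(Get-ChildItem $browserKey).Count } else { 0 }

    # Assumed path: Word's custom dictionary is a one-word-per-line text file
    $dic       = Join-Path $env:APPDATA 'Microsoft\UProof\CUSTOM.DIC'
    $dictWords = if (Test-Path $dic) { @(Get-Content $dic | Where-Object { $_.Trim() }).Count } else { 0 }

    $checks = @(
        @{ Check = 'Running processes';          Observed = @(Get-Process).Count;                              Required = $MinProcesses }
        @{ Check = 'USB devices ever mounted';   Observed = $usbCount;                                         Required = $MinUsbDevices }
        @{ Check = 'Installed browsers';         Observed = $browserCount;                                     Required = $MinBrowsers }
        @{ Check = 'Word custom dictionary words'; Observed = $dictWords;                                      Required = $MinCustomDictWords }
        @{ Check = 'Logical processors';         Observed = [int]$cs.NumberOfLogicalProcessors;                Required = $MinProcessors }
        @{ Check = 'Physical RAM (GiB)';         Observed = [math]::Round($cs.TotalPhysicalMemory / 1GB, 2);   Required = $MinRamGiB }
        @{ Check = 'Installed updates';          Observed = @(Get-HotFix).Count;                               Required = $MinUpdates }
        @{ Check = 'System disk size (GiB)';     Observed = [math]::Round($sysDrive.Size / 1GB, 2);            Required = $MinDiskGiB }
    )

    $report = foreach ($c in $checks) {
        [pscustomobject]@{
            Check    = $c.Check
            Observed = $c.Observed
            Required = $c.Required
            Passes   = ($c.Observed -ge $c.Required)
        }
    }

    # utc.ps1 above rejects systems whose local time zone is UTC
    $tz = [TimeZoneInfo]::Local
    $report += [pscustomobject]@{
        Check    = 'Time zone is not UTC'
        Observed = $tz.Id
        Required = 'not UTC'
        Passes   = ($tz.Id -ne 'UTC')
    }
    return $report
}

Get-SandboxRealismReport | Format-Table -AutoSize
```

Rows with Passes = False are the properties a sample using these checks would key on, and each is cheap to correct in the golden image: extra background processes, a populated USBSTOR history from real device use during image build, a second browser, a handful of dictionary entries, and a local time zone. Get-HotFix only lists Win32_QuickFixEngineering entries, so its count can be lower than what Windows Update history shows; treat that row as a floor rather than an exact match for whatever windows_updates.ps1 measures.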