Operation Blackout 2025: Phantom Check

Released: 2025-06-06
Retired: 2025-06-06
Author: iamr007

Scenario

Talion suspects that the threat actor carried out anti-virtualization checks to avoid detection in sandboxed environments. Your task is to analyze the event logs and identify the specific techniques used for virtualization detection. Byte Doctor requires evidence of the registry checks or processes the attacker executed to perform these checks.


Task 01

Question: Which WMI class did the attacker use to retrieve model and manufacturer information for virtualization detection?

Two .evtx files are available for analysis in this case, providing logging information related to PowerShell usage.

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
------          4/9/2025  11:24 AM        1118208 Microsoft-Windows-Powershell.evtx
------          4/9/2025  11:24 AM       15798272 Windows-Powershell-Operational.evtx

To gain a better overview, Hayabusa can be used to pre-filter and highlight the important and relevant events. After running hayabusa.exe json-timeline -U -d . -o hayabusa.json against the directory containing the two files, the resulting JSON timeline can be used to answer the questions and to get an overview of the activity.

According to the task, the attacker used a WMI (Windows Management Instrumentation) query to gather system information in order to determine whether the current environment is a virtual machine. To simplify the search, Hayabusa's default rule set can be used to filter the available events. Specifically, the Powershell Detect Virtualization Environment rule highlights exactly these suspicious calls in the PowerShell logs.

{
    "Timestamp": "2025-04-09 09:19:09.226 +00:00",
    "RuleTitle": "Powershell Detect Virtualization Environment",
    "Level": "med",
    "Computer": "DESKTOP-M3AKJSD",
    "Channel": "PwSh",
    "EventID": 4104,
    "RecordID": 2893,
    "Details": {
        "ScriptBlock": "$Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty \"Manufacturer\""
    },
    "ExtraFieldInfo": {
        "MessageNumber": 1,
        "MessageTotal": 1,
        "Path": "",
        "ScriptBlockId": "293a0637-1894-4f0e-835c-08c726623ace"
    },
    "RuleID": "654b7573-5b04-0352-d832-f32c333f4a56"
}

Starting at 2025-04-09 09:19:09, there are three consecutive uses of the Get-WmiObject cmdlet to query the system for this information: two retrieve the Manufacturer and Model properties of the Win32_ComputerSystem class, and the third is the subject of the next task.

Answer: Win32_ComputerSystem


Task 02

Question: Which WMI query did the attacker execute to retrieve the current temperature value of the machine?

As previously mentioned, Hayabusa can be used to identify the third suspicious call of the Get-WmiObject cmdlet, which is used to gather information about the system. In this case, the attacker queried the temperature of the machine - another well-known (somewhat unreliable) method to determine whether the current system is a virtual environment.

{
    "Timestamp": "2025-04-09 09:20:11.862 +00:00",
    "RuleTitle": "Powershell Detect Virtualization Environment",
    "Level": "med",
    "Computer": "DESKTOP-M3AKJSD",
    "Channel": "PwSh",
    "EventID": 4104,
    "RecordID": 2971,
    "Details": {
        "ScriptBlock": "Get-WmiObject -Query \"SELECT * FROM MSAcpi_ThermalZoneTemperature\" -ErrorAction SilentlyContinue"
    },
    "ExtraFieldInfo": {
        "MessageNumber": 1,
        "MessageTotal": 1,
        "Path": "",
        "ScriptBlockId": "5bede686-4917-4326-ab5e-ccd7fba2662c"
    },
    "RuleID": "654b7573-5b04-0352-d832-f32c333f4a56"
}

Answer: SELECT * FROM MSAcpi_ThermalZoneTemperature


Task 03

Question: The attacker loaded a PowerShell script to detect virtualization. What is the function name of the script?

To identify additional malicious PowerShell scripts and any functions defined within them, the Malicious PowerShell Keywords rule can be used to narrow down suspicious script blocks. One of the script blocks found through this rule (at 2025-04-09 09:20:53) indeed contains a function that implements the VM detection capability described in the task.

function Check-VM {

    <# 
.SYNOPSIS 
Nishang script which detects whether it is in a known virtual machine.
 
.DESCRIPTION 
This script uses known parameters or 'fingerprints' of Hyper-V, VMWare, Virtual PC, Virtual Box,
Xen and QEMU for detecting the environment.

.EXAMPLE 
PS > Check-VM
 
.LINK 
http://www.labofapenetrationtester.com/2013/01/quick-post-check-if-your-payload-is.html
https://github.com/samratashok/nishang

.NOTES 
The script draws heavily from checkvm.rb post module from msf.
https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/checkvm.rb
#> 
[...]

Besides being entirely unobfuscated, the function still carries its full comment-based help header (SYNOPSIS, DESCRIPTION, EXAMPLE, LINK and NOTES). This allows the script to be attributed to Nishang, the open-source PowerShell framework for offensive security, penetration testing and red teaming.

Answer: Check-VM


Task 04

Question: Which registry key did the above script query to retrieve service details for virtualization detection?

The previously identified script contains five queries of the well-known Services registry key, which holds the configuration of every service installed on the system.

[...]
$hyperv = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
[...]
$vmware = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
[...]
$vpc = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
[...]
$vb = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
[...]
$xen = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services

After each of these queries, a comparison is made against various fixed strings to identify known VM tools and thereby conclude whether the current system is a virtual machine.

Answer: HKLM:\SYSTEM\ControlSet001\Services


Task 05

Question: The VM detection script can also identify VirtualBox. Which processes is it comparing to determine if the system is running VirtualBox?

In addition to the string comparisons against the registry entries from the last task, the script performs several further checks for each VM technology it tries to identify. One of these looks for running processes associated with VirtualBox, and the corresponding section of the script shows which process names it compares against.

[...]
#Virtual Box

$vb = Get-Process
if (($vb -eq "vboxservice.exe") -or ($vb -match "vboxtray.exe"))
{
    $vbvm = $true
}
[...]

Answer: vboxservice.exe, vboxtray.exe


Task 06

Question: The VM detection script prints any detection with the prefix ‘This is a’. Which two virtualization platforms did the script detect?

Module logging writes Event ID 4103 to the Microsoft-Windows-PowerShell/Operational event log; each such event records the cmdlet name together with its parameter bindings, which is where the cmdlet's output is captured.

{
    "Timestamp": "2025-04-09 09:20:57.277 +00:00",
    "RuleTitle": "PwSh Pipeline Exec",
    "Level": "info",
    "Computer": "DESKTOP-M3AKJSD",
    "Channel": "PwSh",
    "EventID": 4103,
    "RecordID": 3105,
    "Details": {
        "Payload": "CommandInvocation(Out-Default): \"Out-Default\"\\r\\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"This is a Hyper-V machine.\"\\r\\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"This is a VMWare machine.\"\\r\\n"
    },
[...]

For the present artifacts and the executed script, the Out-Default parameter bindings in the 4103 event carry the script's output: "This is a Hyper-V machine." and "This is a VMWare machine."

Answer: Hyper-V, VMWare
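As an added illustration of the triage performed across Tasks 01 to 06 (example code written for this write-up, not part of the challenge, the original artifacts or Hayabusa), the following Python pulls the VM-fingerprinting artefacts out of a Hayabusa timeline: WMI classes and queries, registry paths and process names from Event ID 4104 script blocks, and the "This is a" verdicts from Event ID 4103 payloads. The sample records are constructed; in a real run the contents of hayabusa.json (one record per line, as produced by json-timeline with -L) would be passed to load_timeline.

```python
import json
import re

# Constructed sample records modelled on the Hayabusa output quoted in this write-up;
# the ScriptBlock and Payload texts are abbreviated and are not the original evidence.
SAMPLE_RECORDS = [
    {"EventID": 4104, "RecordID": 2893, "Details": {"ScriptBlock":
        '$Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Manufacturer"'}},
    {"EventID": 4104, "RecordID": 2971, "Details": {"ScriptBlock":
        'Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue'}},
    {"EventID": 4104, "RecordID": 3050, "Details": {"ScriptBlock":
        'function Check-VM {\nif (($vb -eq "vboxservice.exe") -or ($vb -match "vboxtray.exe")) { $vbvm = $true }\n'
        '$xen = Get-ChildItem HKLM:\\SYSTEM\\ControlSet001\\Services\n}'}},
    {"EventID": 4103, "RecordID": 3105, "Details": {"Payload":
        'ParameterBinding(Out-Default): name="InputObject"; value="This is a Hyper-V machine."\r\n'
        'ParameterBinding(Out-Default): name="InputObject"; value="This is a VMWare machine."\r\n'}},
]
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)  # one record per line

# Artefacts of the VM fingerprinting covered in Tasks 01-05, matched in 4104 script-block text.
PATTERNS = {
    "wmi_classes": re.compile(r"Get-WmiObject\s+-Class\s+([\w.]+)", re.I),
    "wmi_queries": re.compile(r'-Query\s+"([^"]+)"', re.I),
    "registry_keys": re.compile(r'''HKLM:\\[^\s"']+''', re.I),
    "processes": re.compile(r'"([\w-]+\.exe)"', re.I),
}
DETECTION_RE = re.compile(r'value="(This is a [^"]+)"')  # Task 06: verdicts in 4103 payloads

def load_timeline(text):
    """Accept a JSON array or newline-delimited records (Hayabusa's -L output)."""
    if text.lstrip().startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def extract_vm_indicators(records):
    """Collect unique VM-detection artefacts from Event ID 4104 records, in first-seen order."""
    found = {name: [] for name in PATTERNS}
    for rec in records:
        block = rec.get("Details", {}).get("ScriptBlock", "") if rec.get("EventID") == 4104 else ""
        for name, rx in PATTERNS.items():
            for hit in rx.findall(block):
                if hit not in found[name]:
                    found[name].append(hit)
    return found

def extract_detections(records):
    """Return the 'This is a ...' lines the script printed, taken from Event ID 4103 records."""
    return [hit for rec in records if rec.get("EventID") == 4103
            for hit in DETECTION_RE.findall(rec.get("Details", {}).get("Payload", ""))]
```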