Malware may fingerprint the analysis environment before running its payload. A check for Joe Sandbox can be as simple as reading the Windows product ID from HKLM\Software\Microsoft\Windows\CurrentVersion with RegQueryValue and comparing it against a value known to belong to Joe Sandbox machines, then behaving benignly when it matches. A sample that does this passes automated detonation with a clean verdict, so SOC teams should hunt for files that carry the check itself, for example by surfacing YARA hits in Azure Sentinel (now Microsoft Sentinel), instead of relying on the sandbox verdict alone.
YARA Rule
rule antisb_joesanbox {
    meta:
        author = "x0r"
        description = "Anti-Sandbox checks for Joe Sandbox"
        version = "0.1"
    strings:
        $p1 = "Software\\Microsoft\\Windows\\CurrentVersion" nocase
        $c1 = "RegQueryValue"
        $s1 = "55274-640-2673064-23950"
    condition:
        all of them
}
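To make visible what the condition accepts and rejects, here is an added Python re-implementation of the rule's three strings and its all-of-them condition, run over constructed byte buffers. This is example code written for this page, not the rule's own tooling or any part of YARA; the buffers are fabricated stand-ins for a scanned file's string table. It also shows that, because none of the strings carries the wide modifier, a UTF-16 copy of the same text goes unmatched.

```python
import re

# The three rule strings; nocase applies only to $p1, exactly as in the rule.
RULE_STRINGS = {
    "$p1": (b"Software\\Microsoft\\Windows\\CurrentVersion", True),
    "$c1": (b"RegQueryValue", False),
    "$s1": (b"55274-640-2673064-23950", False),
}


def find_strings(data: bytes) -> dict:
    """Return {string_id: [offsets]} for every rule string found in data."""
    hits = {}
    for name, (pattern, nocase) in RULE_STRINGS.items():
        flags = re.IGNORECASE if nocase else 0
        hits[name] = [m.start() for m in re.finditer(re.escape(pattern), data, flags)]
    return hits


def antisb_joesanbox(data: bytes) -> bool:
    """Condition 'all of them': every string must occur at least once."""
    return all(len(offsets) > 0 for offsets in find_strings(data).values())


def to_wide(s: bytes) -> bytes:
    """UTF-16LE encoding, as a .NET user string or a 'wide' C string would be stored."""
    return s.decode("ascii").encode("utf-16-le")


# Constructed sample buffers (not real files); each stands in for a scanned file.
SAMPLE_EVASIVE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\x00"   # upper case: $p1 is nocase
    + b"ProductId\x00"
    + b"RegQueryValueExA\x00"                                # $c1 matches as a substring
    + b"55274-640-2673064-23950\x00"                         # the product ID the rule keys on
)

SAMPLE_BENIGN_INSTALLER = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\x00"
    + b"RegQueryValueExW\x00"
    + b"DisplayName\x00"                                     # reads the key, no product ID
)

SAMPLE_LOG_LINE = b"2024-01-01 host=lab01 product_id=55274-640-2673064-23950\n"

SAMPLE_WIDE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + to_wide(b"Software\\Microsoft\\Windows\\CurrentVersion") + b"\x00\x00"
    + to_wide(b"RegQueryValue") + b"\x00\x00"
    + to_wide(b"55274-640-2673064-23950") + b"\x00\x00"      # same text, UTF-16: not matched
)


def scan_all() -> dict:
    """Evaluate the rule against every constructed sample."""
    samples = {
        "evasive": SAMPLE_EVASIVE,
        "benign_installer": SAMPLE_BENIGN_INSTALLER,
        "log_line": SAMPLE_LOG_LINE,
        "wide_strings": SAMPLE_WIDE,
    }
    return {name: antisb_joesanbox(buf) for name, buf in samples.items()}


if __name__ == "__main__":
    for name, matched in scan_all().items():
        print(f"{name:18s} -> {'MATCH' if matched else 'no match'}")
```

Only the first buffer matches. For real scanning, run yara or yara-python against the rule text; the re-implementation here exists only to show the matching logic, including the gap left by the missing wide modifier.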
The rule's three strings are the registry path that holds the ProductId value ($p1, matched case-insensitively), the name of the API used to read it ($c1, which also matches RegQueryValueExA and RegQueryValueExW as a substring) and the literal product ID the malware compares against ($s1). The condition all of them requires every string to be present in the scanned file, so an installer that only reads the CurrentVersion key, or a log that only quotes the product ID, does not match. None of the strings carries the wide modifier, so a UTF-16 copy of the same text (for example in a .NET binary's user strings) is not matched. The rule runs wherever YARA does; when a hit is surfaced as an alert with process context, each scenario below names legitimate activity that may touch the same strings and gives the condition an alert must satisfy to be raised (events for which it is false are suppressed).
Scenario: Scheduled system integrity checks using Sysinternals Process Explorer or Windows Defender
Filter/Exclusion: process.name NOT IN ("procexp.exe", "procexp64.exe", "MsMpEng.exe")
(Process Explorer's image name is procexp.exe or procexp64.exe and the Defender engine runs as MsMpEng.exe; an exclusion written against names such as "ProcessExplorer.exe" or "WindowsDefender.exe", which no process uses, never suppresses anything.)
Scenario: Administrative task to update Joe Sandbox configuration via PowerShell or Task Scheduler
Filter/Exclusion: NOT (process.name == "powershell.exe" AND process.args LIKE '%JoeSandbox%')
(Equivalent to process.name != "powershell.exe" OR process.args NOT LIKE '%JoeSandbox%'; the negated form states the intent, suppress only PowerShell invocations that reference Joe Sandbox, in a way that is easier to audit.)
Scenario: Automated log analysis job using LogParser or the ELK stack that accesses Joe Sandbox logs
Filter/Exclusion: process.name NOT IN ("LogParser.exe", "logstash")
(Reports that quote a sample's strings may themselves contain the product ID; if the report store lives at a known path, suppress on file.path as well rather than on the reading process alone.)
Scenario: System cleanup task using CCleaner or Disk Cleanup that temporarily accesses sandbox-related files
Filter/Exclusion: process.name NOT IN ("CCleaner.exe", "cleanmgr.exe")
Scenario: Custom script for monitoring sandboxed environments using Python or PowerShell with known Joe Sandbox paths
Filter/Exclusion: NOT (process.name IN ("python.exe", "powershell.exe") AND process.args LIKE '%sandbox%')
(Mixing AND and OR without parentheses, as in process.name != "python.exe" AND process.name != "powershell.exe" OR process.args LIKE '%sandbox%', inverts the intent: AND binds tighter, so the alert is kept for the monitoring script and dropped for every other python.exe or powershell.exe hit. Tie the exclusion to the script's full path rather than the substring "sandbox", since an attacker can simply name a stager sandbox.ps1.)
Process-name exclusions are weak on their own because image names and command lines are attacker-controlled; pair each with the path, signer or hash of the legitimate tool and review suppressed hits periodically.
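An easy mistake when writing the interpreter exclusion is to OR the argument test onto the process-name test, giving (process.name != "python.exe" AND process.name != "powershell.exe") OR process.args LIKE '%sandbox%': that keeps the alert for exactly the monitoring script it means to suppress and silences every other python.exe or powershell.exe hit. The following added Python example (written for this page, not from the page's author or any SOC platform) evaluates that expression, the corrected form and a path-scoped form over four synthetic match events; the events, command lines and the C:\JoeSandbox\monitor\ path are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MatchEvent:
    """A YARA hit on a file, enriched with the process recorded as its writer."""
    process_name: str
    process_args: str
    file_path: str


# Constructed events; none of these paths or command lines come from real telemetry.
EVENTS = [
    MatchEvent("python.exe",
               r"monitor_sandbox.py --path C:\JoeSandbox\monitor\agent.log",
               r"C:\JoeSandbox\monitor\agent.log"),          # the legitimate monitor script
    MatchEvent("powershell.exe",
               "-nop -w hidden -enc SQBFAFgA",
               r"C:\Users\Public\update.exe"),                 # unrelated suspicious drop
    MatchEvent("explorer.exe",
               "",
               r"C:\Users\alice\Downloads\invoice.exe"),       # ordinary user download
    MatchEvent("powershell.exe",
               r"-File C:\Users\Public\sandbox.ps1",
               r"C:\Users\Public\stage2.exe"),                 # attacker-chosen script name
]


def precedence_bug_filter(e: MatchEvent) -> bool:
    """(name != python AND name != powershell) OR args LIKE '%sandbox%'."""
    return (e.process_name != "python.exe" and e.process_name != "powershell.exe") \
        or "sandbox" in e.process_args.lower()


def corrected_filter(e: MatchEvent) -> bool:
    """NOT (name IN (python, powershell) AND args LIKE '%sandbox%')."""
    return not (e.process_name in {"python.exe", "powershell.exe"}
                and "sandbox" in e.process_args.lower())


# Assumed install directory of the monitoring script (lower-cased for comparison).
MONITOR_DIR = "c:\\joesandbox\\monitor\\"


def scoped_filter(e: MatchEvent) -> bool:
    """Suppress only when the interpreter's command line names the known monitor path."""
    return not (e.process_name in {"python.exe", "powershell.exe"}
                and MONITOR_DIR in e.process_args.lower())


def alerts(filter_fn) -> list:
    """File paths for which the given filter still raises an alert."""
    return [e.file_path for e in EVENTS if filter_fn(e)]


if __name__ == "__main__":
    for name, fn in [("precedence bug", precedence_bug_filter),
                     ("corrected", corrected_filter),
                     ("path-scoped", scoped_filter)]:
        print(f"{name:15s} alerts on: {alerts(fn)}")
```

The buggy filter alerts on the monitor log and the attacker's sandbox.ps1 stage but drops the encoded-command drop; the corrected filter restores that alert but is defeated by the attacker naming a script sandbox.ps1; the path-scoped filter suppresses only the monitor and alerts on everything else.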