Adversaries may check the BIOS version as part of anti-VM techniques to avoid detection in virtualized environments. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential evasion tactics and uncover hidden malicious activity.
YARA Rule
rule antivm_bios {
    meta:
        author = "x0r"
        description = "AntiVM checks for Bios version"
        version = "0.2"
    strings:
        $p1 = "HARDWARE\\DESCRIPTION\\System" nocase
        $p2 = "HARDWARE\\DESCRIPTION\\System\\BIOS" nocase
        $c1 = "RegQueryValue"
        $r1 = "SystemBiosVersion"
        $r2 = "VideoBiosVersion"
        $r3 = "SystemManufacturer"
    condition:
        1 of ($p*) and 1 of ($c*) and 1 of ($r*)
}
This rule contains 6 string patterns in its detection logic: two registry key paths ($p*, matched case-insensitively), one registry API name ($c*) and three BIOS-related value names ($r*). It matches only when at least one string from each of the three groups is present. The following benign scenarios can also produce these strings; each is paired with a suggested filter or exclusion.
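To see how the condition above evaluates, here is an added Python re-implementation of the rule's string matching and grouping logic (example code, not part of the original page and not a substitute for running YARA). The sample buffers are constructed for the example; note that the $c and $r strings carry no nocase modifier, so a buffer with a differently cased value name does not fire, which is a tuning point worth knowing when the rule is used for hunting.

```python
import re

# Mirror of the page's rule: group -> {name: (pattern, nocase)}
PATTERNS = {
    "p": {"$p1": (b"HARDWARE\\DESCRIPTION\\System", True),
          "$p2": (b"HARDWARE\\DESCRIPTION\\System\\BIOS", True)},
    "c": {"$c1": (b"RegQueryValue", False)},
    "r": {"$r1": (b"SystemBiosVersion", False),
          "$r2": (b"VideoBiosVersion", False),
          "$r3": (b"SystemManufacturer", False)},
}


def find_matches(data):
    """Return {string_name: [offsets]} for every rule string found in data,
    honouring the nocase modifier the way YARA does for ASCII strings."""
    hits = {}
    for group in PATTERNS.values():
        for name, (pattern, nocase) in group.items():
            flags = re.IGNORECASE if nocase else 0
            offsets = [m.start() for m in re.finditer(re.escape(pattern), data, flags)]
            if offsets:
                hits[name] = offsets
    return hits


def antivm_bios(data):
    """Evaluate the condition '1 of ($p*) and 1 of ($c*) and 1 of ($r*)'."""
    hits = find_matches(data)
    return all(any(name in hits for name in PATTERNS[g]) for g in ("p", "c", "r"))


# Constructed samples (not real binaries):
# 1) lower-cased key path + RegQueryValueExA import + BIOS value name -> fires
SUSPECT = b"\x00hardware\\description\\system\\bios\x00RegQueryValueExA\x00SystemBiosVersion\x00"
# 2) same key read for an unrelated value name -> no $r string, does not fire
BENIGN = b"\x00HARDWARE\\DESCRIPTION\\System\x00RegQueryValueExW\x00Identifier\x00"
# 3) value name present but in a different case -> $r1 is case-sensitive, does not fire
LOWERCASE_VALUE = b"\x00HARDWARE\\DESCRIPTION\\System\x00RegQueryValueExW\x00systembiosversion\x00"

if __name__ == "__main__":
    for label, buf in (("suspect", SUSPECT), ("benign", BENIGN), ("lowercase", LOWERCASE_VALUE)):
        print(label, antivm_bios(buf), sorted(find_matches(buf)))
```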
Scenario: System BIOS version check during routine hardware inventory via Microsoft System Center Configuration Manager (SCCM)
Filter/Exclusion: Exclude processes related to SCCM by checking the process name (sccm.exe or ccmexec.exe) or using the ProcessName field in the event log.

Scenario: Automated BIOS version verification during Ansible playbook execution for compliance checks
Filter/Exclusion: Exclude processes associated with Ansible (ansible or ansible-playbook) or filter by the user account used for automation (e.g., ansible or root).

Scenario: Scheduled Windows Task Scheduler job that runs a script to verify the BIOS version for system health monitoring
Filter/Exclusion: Exclude tasks with known names like SystemHealthCheck or filter by the task name using the TaskName field in the event log.

Scenario: Dell BIOS Update Tool running as part of a scheduled update process
Filter/Exclusion: Exclude processes related to Dell tools (e.g., DellBIOSUpdate.exe) or filter by command line arguments containing update or upgrade.

Scenario: VMware vSphere Client or vCenter performing a hardware compatibility check on a virtual machine
Filter/Exclusion: Exclude processes related to VMware (vmware.exe, vmware-vpxd, or vsphere-client) or filter by the presence of VMware in the process name or command line.