This detection rule flags potential virtualization-related activity by looking for references to the VirtualBox video driver registry key, which may indicate a virtual machine escape or malware that leverages virtualization features. SOC teams should proactively hunt for this behavior to detect advanced persistent threats that exploit virtualization vulnerabilities in Azure Sentinel environments.
YARA Rule
    rule Check_VBox_VideoDrivers
    {
        meta:
            Author = "Nick Hoffman"
            Description = "Checks for reg keys of Vbox video drivers"
            Sample = "de1af0e97e94859d372be7fcf3a5daa5"
        strings:
            $key = "HARDWARE\\Description\\System" nocase wide ascii
            $value = "VideoBiosVersion" wide nocase ascii
            $data = "VIRTUALBOX" nocase wide ascii
        condition:
            all of them
    }
This YARA rule can be deployed in the following contexts:
This rule contains 3 string patterns in its detection logic.
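To make the matching concrete, the following Python code is an added example (not code from the original page or from the Yara-Rules project) that re-implements how the rule's three strings match under YARA's `nocase wide ascii` modifiers and then evaluates the `all of them` condition. The sample buffer, the function names and the layout of the data inside it are constructed for illustration; the three strings are those a program would use to read HKLM\HARDWARE\Description\System\VideoBiosVersion and compare it with the VirtualBox vendor string, and the condition requires all three to appear somewhere in the scanned file, not adjacent to each other.

```python
# Added example (not part of the original page or the Yara-Rules project):
# a small re-implementation of how the three strings in Check_VBox_VideoDrivers
# match under YARA's "nocase wide ascii" modifiers, run over a constructed
# buffer that stands in for a scanned file's data section.

RULE_STRINGS = {
    "$key": b"HARDWARE\\Description\\System",
    "$value": b"VideoBiosVersion",
    "$data": b"VIRTUALBOX",
}


def string_variants(s: bytes) -> dict:
    """The byte forms a YARA string with `wide ascii` can take:
    the plain ASCII bytes and the UTF-16LE ("wide") encoding."""
    return {"ascii": s, "wide": s.decode("ascii").encode("utf-16-le")}


def find_string(buf: bytes, s: bytes) -> list:
    """Offsets at which `s` matches `buf` with `nocase wide ascii`.

    YARA's `nocase` folds ASCII letters only, so lower-casing both the
    buffer and the needle reproduces it: bytes.lower() touches only ASCII
    letters and leaves the NUL bytes of the wide form and any non-ASCII
    filler alone. Returns sorted (offset, variant) pairs.
    """
    hits = []
    haystack = buf.lower()
    for variant, needle in string_variants(s).items():
        needle = needle.lower()
        start = 0
        while True:
            idx = haystack.find(needle, start)
            if idx == -1:
                break
            hits.append((idx, variant))
            start = idx + 1
    return sorted(hits)


def evaluate_rule(buf: bytes):
    """Apply the rule's `all of them` condition: every string must occur
    at least once anywhere in the buffer (the hits need not be adjacent)."""
    matches = {name: find_string(buf, s) for name, s in RULE_STRINGS.items()}
    return all(matches.values()), matches


def build_sample_buffer() -> bytes:
    """Constructed stand-in for a binary's data section (not a real sample):
    the registry path as UTF-16LE, as a RegOpenKeyExW call site would store
    it, the value name as ASCII, and the vendor string in mixed case."""
    filler = b"\x00" * 8 + b"\xcc" * 4
    return (
        filler
        + "HARDWARE\\Description\\System".encode("utf-16-le")
        + filler
        + b"VideoBiosVersion"
        + filler
        + b"VirtualBox"
        + filler
    )


if __name__ == "__main__":
    for label, data in (
        ("constructed sample", build_sample_buffer()),
        # Only one of the three strings is present: `all of them` must not fire.
        ("benign text", b"Please install VirtualBox Guest Additions"),
    ):
        matched, matches = evaluate_rule(data)
        print(f"{label}: rule {'MATCHED' if matched else 'did not match'}")
        for name, hits in matches.items():
            print(f"  {name}: {hits}")
```

Running the block shows the constructed sample matching with `$key` found in its wide form and the other two strings in ASCII, while the benign text matches only `$data` and so fails the `all of them` condition. In production the rule is of course run with YARA itself (or yara-python); this re-implementation exists only to show what the modifiers do, and it relies on the three strings being pure ASCII, which is what makes the byte-level case folding equivalent to YARA's `nocase`.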
Scenario: VirtualBox Guest Additions Installation
Description: A system administrator is installing VirtualBox Guest Additions, which includes the VBox video drivers.
Filter/Exclusion: not (process.name == "VirtualBoxGuestAdditions.exe" and process.parent.name == "VirtualBox.exe")

Scenario: Scheduled System Update or Patching Task
Description: A scheduled task runs a system update that includes driver updates, which may include the VBox video drivers.
Filter/Exclusion: not ((process.name == "wusa.exe" or process.name == "dism.exe") and process.parent.name == "TaskScheduler.exe")

Scenario: VM Management Tool Usage
Description: A VM management tool such as the VMware vSphere Client or Microsoft Hyper-V Manager may trigger the detection through its internal driver interactions.
Filter/Exclusion: process.name != "vmrun.exe" and process.name != "vmtoolsd.exe" and process.name != "vmw.exe"

Scenario: Driver Rollback or Reinstallation via Device Manager
Description: An administrator is manually rolling back or reinstalling the VBox video drivers through Device Manager.
Filter/Exclusion: not (process.name == "devmgmt.msc" or (process.name == "explorer.exe" and the command line carries driver-management arguments))

Scenario: Third-Party VM Tools or Emulators
Description: A third-party VM tool or emulator such as QEMU or Bochs may ship similar video drivers that trigger the rule.
Filter/Exclusion: process.name != "qemu-system-x86_64.exe" and process.name != "bochs.exe" and process.parent.name != "qemu.exe"