Adversaries may use WMI to detect and evade virtualized environments by identifying virtual appliance characteristics, indicating potential virtual machine escape or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify evasion tactics and prevent lateral movement or persistence within virtualized infrastructure.
YARA Rule
rule WMI_VM_Detect : WMI_VM_Detect
{
    meta:
        version = 2
        threat = "Using WMI to detect virtual machines via querying video card information"
        behaviour_class = "Evasion"
        author = "Joe Giron"
        date = "2015-09-25"
        description = "Detection of Virtual Appliances through the use of WMI for use of evasion."

    strings:
        $selstr = "SELECT Description FROM Win32_VideoController" nocase ascii wide
        $selstr2 = "SELECT * FROM Win32_VideoController" nocase ascii wide
        $vm1 = "virtualbox graphics adapter" nocase ascii wide
        $vm2 = "vmware svga ii" nocase ascii wide
        $vm3 = "vm additions s3 trio32/64" nocase ascii wide
        $vm4 = "parallel" nocase ascii wide
        $vm5 = "remotefx" nocase ascii wide
        $vm6 = "cirrus logic" nocase ascii wide
        $vm7 = "matrox" nocase ascii wide

    condition:
        any of ($selstr*) and any of ($vm*)
}
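To see what the `nocase ascii wide` modifiers actually match, here is an added Python emulation of the rule's condition (not part of the original page or the rule author's work) run over constructed samples; it assumes no yara-python is available and re-implements the string modifiers with regular expressions.

```python
import re

# String definitions copied from the rule above; each is `nocase ascii wide`,
# so it matches case-insensitively in both ASCII and UTF-16LE encodings.
SELSTR = [
    "SELECT Description FROM Win32_VideoController",
    "SELECT * FROM Win32_VideoController",
]
VM = [
    "virtualbox graphics adapter", "vmware svga ii", "vm additions s3 trio32/64",
    "parallel", "remotefx", "cirrus logic", "matrox",
]

def _string_hits(data: bytes, strings):
    """Return (string, encoding) for every rule string found in data.
    `ascii`/`wide` are emulated by searching the ASCII and UTF-16LE byte forms;
    `nocase` by re.IGNORECASE, which folds the letter bytes and leaves the
    interleaved NUL bytes of the wide form untouched."""
    hits = []
    for s in strings:
        for enc in ("ascii", "utf-16-le"):
            if re.search(re.escape(s.encode(enc)), data, re.IGNORECASE):
                hits.append((s, enc))
    return hits

def wmi_vm_detect(data: bytes) -> dict:
    """Emulate the rule condition: any of ($selstr*) and any of ($vm*)."""
    sel, vm = _string_hits(data, SELSTR), _string_hits(data, VM)
    return {"match": bool(sel) and bool(vm), "selstr": sel, "vm": vm}

# Constructed samples (not real malware). A script that queries the video
# controller and stops on a known VM adapter name, once as ASCII and once in
# the UTF-16LE form a PowerShell script saved as Unicode would carry.
EVASION_SCRIPT = (
    "$d = (Get-WmiObject -Query 'SELECT Description FROM Win32_VideoController').Description\n"
    "if ($d -match 'VMware SVGA II') { exit }\n"
)
SAMPLE_ASCII = EVASION_SCRIPT.encode("ascii")
SAMPLE_WIDE = EVASION_SCRIPT.encode("utf-16-le")
# Benign inventory script: same query, no VM adapter names, so no match.
SAMPLE_BENIGN = b"Get-WmiObject -Query 'SELECT * FROM Win32_VideoController' | Export-Csv gpu.csv\n"
# Benign inventory script that also lists parallel ports: $vm4 = "parallel" is a
# substring of Win32_ParallelPort, so the rule fires (a false positive).
SAMPLE_PARALLEL = SAMPLE_BENIGN + b"Get-WmiObject -Query 'SELECT * FROM Win32_ParallelPort'\n"

if __name__ == "__main__":
    for name, blob in [("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE),
                       ("benign", SAMPLE_BENIGN), ("parallel", SAMPLE_PARALLEL)]:
        print(name, wmi_vm_detect(blob))
```

The last sample shows why `$vm4` is the rule's broadest string: any WQL or text that mentions parallel ports satisfies it, so tuning for the scenarios below should start there.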
This YARA rule can be deployed in the following contexts:
This rule contains 9 string patterns in its detection logic.
Scenario: Scheduled System Maintenance Task Using WMI
Description: A legitimate scheduled task runs via WMI to perform system updates or maintenance, which may trigger the rule due to WMI activity.
Filter/Exclusion: Exclude tasks associated with known system maintenance tools like schtasks.exe or Windows Update by checking the task name or command line.
Scenario: Virtual Machine Management via Hyper-V WMI Provider
Description: Admins use the Hyper-V WMI provider to manage virtual machines, which can generate WMI queries that match the detection logic.
Filter/Exclusion: Exclude WMI queries targeting the root\virtualization namespace or specific Hyper-V-related classes like Msvm_VirtualSystemManagementService.
Scenario: Remote WMI Query for System Monitoring
Description: IT staff use WMI to monitor system performance remotely, which may involve querying virtual machine-related properties.
Filter/Exclusion: Exclude queries originating from known monitoring tools like PowerShell scripts used by SolarWinds or Nagios, or filter by source IP addresses of trusted monitoring systems.
Scenario: PowerShell Script Using WMI to Gather System Info
Description: A legitimate PowerShell script uses WMI to collect system information, which may be flagged due to WMI activity.
Filter/Exclusion: Exclude scripts that use Get-WmiObject or Invoke-WmiMethod with known system info classes like Win32_ComputerSystem or Win32_Process.
Scenario: Virtualization Tools Inventory via WMI
Description: Admins use WMI to inventory virtualization tools like VMware Tools or Microsoft Hyper-V, which may trigger the rule.
Filter/Exclusion: Exclude WMI queries that reference specific virtualization tools or their associated WMI classes (e.g