Detect Virtualbox Driver Installation OR Starting Of VMs
- source: sigma
- techniques:
  - t1564
  - t1564.006
Description
Adversaries can run malicious operations inside a virtual instance to evade host-based detection (T1564.006, Hide Artifacts: Run Virtual Instance). This rule detects two stages of that technique on the host: registration of the VirtualBox driver or components (VBoxDrv.sys, VBoxC.dll, or the VBoxRT.dll RTR3Init entry point) on the command line, and the starting or control of a VirtualBox VM via the startvm and controlvm verbs.
Detection logic
detection:
    selection_1:
        CommandLine|contains:
            - 'VBoxRT.dll,RTR3Init'
            - 'VBoxC.dll'
            - 'VBoxDrv.sys'
    selection_2:
        CommandLine|contains:
            - 'startvm'
            - 'controlvm'
    condition: 1 of selection_*
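To see what the detection logic above actually fires on, the following is an added example that is not part of the Sigma rule or the Sigma project: a minimal evaluator for the two `CommandLine|contains` selections and the `1 of selection_*` condition, run over constructed process-creation events. It assumes the events come from a process-creation log source that exposes a `CommandLine` field, and it follows Sigma's default of case-insensitive string matching; the `DETECTION`, `evaluate`, `run` and `SAMPLE_EVENTS` names are this example's own.

```python
"""Evaluate the Sigma detection above against constructed sample events.

Implements only what this rule needs: `field|contains` selections and
the `1 of selection_*` condition. Sigma string matching is
case-insensitive by default, so comparisons are done on lowercased values.
"""

# Transcription of the rule's detection section (same selections, same values).
DETECTION = {
    "selection_1": {
        "CommandLine|contains": ["VBoxRT.dll,RTR3Init", "VBoxC.dll", "VBoxDrv.sys"],
    },
    "selection_2": {
        "CommandLine|contains": ["startvm", "controlvm"],
    },
    "condition": "1 of selection_*",
}


def selection_matches(selection, event):
    """All field checks in a selection map must hold (Sigma ANDs them)."""
    for key, needles in selection.items():
        field, _, modifier = key.partition("|")
        if modifier != "contains":
            raise NotImplementedError(f"modifier {modifier!r} not supported here")
        value = str(event.get(field, "")).lower()
        # A list of values under one field is OR'd: any needle is enough.
        if not any(n.lower() in value for n in needles):
            return False
    return True


def evaluate(detection, event):
    """Return the names of the selections that fired; [] means no alert."""
    assert detection["condition"] == "1 of selection_*"
    return [name for name, sel in detection.items()
            if name.startswith("selection_") and selection_matches(sel, event)]


# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe VBoxRT.dll,RTR3Init"},
    {"Image": "C:\\Windows\\System32\\regsvr32.exe",
     "CommandLine": "regsvr32.exe /S VBoxC.dll"},
    {"Image": "C:\\Windows\\System32\\sc.exe",
     "CommandLine": "sc create VBoxDRV type= kernel binPath= C:\\Users\\Public\\VBoxDrv.sys"},
    {"Image": "C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe",
     "CommandLine": "VBoxManage.exe startvm micro --type headless"},
    {"Image": "C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe",
     "CommandLine": "VBOXMANAGE.EXE ControlVM micro poweroff"},
    {"Image": "C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe",
     "CommandLine": "VBoxManage.exe list vms"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\bob\\notes.txt"},
]


def run(events=SAMPLE_EVENTS):
    """Map each event's CommandLine to the selections that fired on it."""
    return {e["CommandLine"]: evaluate(DETECTION, e) for e in events}


if __name__ == "__main__":
    for cmd, fired in run().items():
        print(("ALERT " if fired else "      ") + cmd, fired)
```

Two things worth noticing from the output: the mixed-case `ControlVM` event still fires because Sigma's `contains` is case-insensitive, and `VBoxManage.exe list vms` does not fire at all, since only the `startvm` and `controlvm` verbs are in selection_2. Note also that selection_2 will fire on legitimate administrator use of VBoxManage on hosts where VirtualBox is installed, so in practice this rule is tuned with an exclusion for known VM hosts or users rather than deployed as-is.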