Operation Blackout 2025: Phantom Check

Machine Image
Release Date: 06 Jun 2025
Retire Date: 06 Jun 2025
Difficulty: Very Easy
Creator: iamr007

What do we gain?

Ability to create detection rules by identifying specific WMI queries, comparing processes for virtual machine detection, and analyzing registry keys or file paths associated with virtual environments.

Scenario

Talion suspects that the threat actor carried out anti-virtualization checks to avoid detection in sandboxed environments. Your task is to analyze the event logs and identify the specific techniques used for virtualization detection. Byte Doctor requires evidence of the registry checks or processes the attacker executed to perform these checks.

Provided artifacts

  • Microsoft-Windows-Powershell.evtx
  • Windows-Powershell-Operational.evtx

Task 1

Question: Which WMI class did the attacker use to retrieve model and manufacturer information for virtualization detection?

We are provided with two event log files, and the question asks about WMI classes, so we need to look for the use of WMI in the PowerShell commands recorded in those logs.

We can use Windows Event Viewer or Hayabusa. As I have heard a lot about Hayabusa and am still learning it, we will use that.

According to the task, the attacker used a WMI (Windows Management Instrumentation) query to gather system information in order to determine whether the current environment is a virtual machine. We can therefore search for every command that contains a WMI query:

hayabusa-3.3.0-win-x64.exe search -f "Microsoft-Windows-Powershell.evtx" -k "Wmi" -J -o "wmi_result.json"

[Screenshot: hayabusa]

[Screenshot: WMI class]

We can clearly see the command line and which class the attacker used.

Answer: Win32_ComputerSystem

Task 2

Question: Which WMI query did the attacker execute to retrieve the current temperature value of the machine?

In the same JSON output file we can see every use of WMI and which query the attacker performed.

[Screenshot: Thermal Query]

Answer: SELECT * FROM MSAcpi_ThermalZoneTemperature

Task 3

Question: The attacker loaded a PowerShell script to detect virtualization. What is the function name of the script?

From the question it is evident that the attacker is performing some kind of information-gathering activity. We will run Hayabusa with all available rules to detect the script execution:

hayabusa-3.3.0-win-x64.exe csv-timeline -f "Windows-Powershell-Operational.evtx" -o "powershell_timeline2.csv"

One of the script blocks flagged by these rules (at 2025-04-09 09:20:53) indeed contains a function that implements the VM detection capability described in the task.

[Screenshot: Check-VM]

Answer: Check-VM

Task 4

Question: Which registry key did the above script query to retrieve service details for virtualization detection?

Going through the same identified script, we find that it retrieves service details from ‘HKLM:\SYSTEM\ControlSet001\Services’. We can confirm this by searching the log for the key:

hayabusa-3.3.0-win-x64.exe search -f "Windows-Powershell-Operational.evtx" -k "HKLM" -J -o "HKLM_result.json"

[Screenshot: HKLM]

Answer: HKLM:\SYSTEM\ControlSet001\Services

Task 5

Question: The VM detection script can also identify VirtualBox. Which processes is it comparing to determine if the system is running VirtualBox?

We scroll down until we come across the ‘VirtualBox’ comment in the script. Just below it, we can see that the script retrieves process details using the ‘Get-Process’ cmdlet and compares them with ‘vboxservice.exe’ and ‘vboxtray.exe’ to determine whether it is running in a VirtualBox environment.

Answer: vboxservice.exe, vboxtray.exe

Task 6

Question: The VM detection script prints any detection with the prefix ‘This is a’. Which two virtualization platforms did the script detect?

Thoroughly analyzing the script, we observe that it prints virtual machine detection results using the phrase ‘This is a’ followed by the name of the VM platform. To find the output, we search for the string ‘This is a’ within the ‘Microsoft-Windows-PowerShell’ logs and confirm that, according to the script, the operating system is running inside either ‘Hyper-V’ or ‘VMware’.

Answer: Hyper-V, Vmware
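The indicators recovered across Tasks 1 to 6 (the WMI classes, the services registry key, the VirtualBox process names and the ‘This is a’ output) can be turned into a small detection pass over PowerShell script block logs. The following is an added example, not part of the original write-up or of Hayabusa: it scans constructed Event ID 4104 records in a simplified JSON-lines layout (the field names are an assumption for this example, not Hayabusa's output schema) and reports which anti-virtualization techniques appear and which platforms the script claimed to detect.

```python
import json
import re

# Indicators from the Phantom Check write-up: each pattern names one
# anti-virtualization technique the attacker's Check-VM script used.
INDICATORS = {
    "wmi_model_vendor": re.compile(r"Win32_ComputerSystem", re.I),
    "wmi_thermal_zone": re.compile(r"MSAcpi_ThermalZoneTemperature", re.I),
    "registry_services": re.compile(r"HKLM:\\SYSTEM\\ControlSet001\\Services", re.I),
    "vbox_process_compare": re.compile(r"vboxservice\.exe|vboxtray\.exe", re.I),
    "detection_output": re.compile(r"This is a\s+(Hyper-V|VMware|VirtualBox)", re.I),
}

# Constructed sample records (one script block per line). The "ts"/"eid"/"text"
# field names are an assumption for this example, not Hayabusa's JSON schema.
SAMPLE_LOG = r'''
{"ts": "2025-04-09 09:20:53", "eid": 4104, "text": "function Check-VM { $m = Get-WmiObject -Class Win32_ComputerSystem"}
{"ts": "2025-04-09 09:20:53", "eid": 4104, "text": "Get-WmiObject -Query 'SELECT * FROM MSAcpi_ThermalZoneTemperature'"}
{"ts": "2025-04-09 09:20:53", "eid": 4104, "text": "Get-ChildItem 'HKLM:\\SYSTEM\\ControlSet001\\Services' | Select-Object Name"}
{"ts": "2025-04-09 09:20:54", "eid": 4104, "text": "# VirtualBox\nGet-Process | Where-Object { $_.Name -in 'vboxservice.exe','vboxtray.exe' }"}
{"ts": "2025-04-09 09:20:55", "eid": 4104, "text": "Write-Host 'This is a Hyper-V machine'"}
{"ts": "2025-04-09 09:21:10", "eid": 4104, "text": "Get-ChildItem C:\\Users"}
'''


def scan_script_blocks(jsonl: str) -> list:
    """Return one finding per (timestamp, technique) seen in EID 4104 script blocks."""
    findings = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        if rec.get("eid") != 4104:  # only script block logging events
            continue
        for name, pattern in INDICATORS.items():
            m = pattern.search(rec["text"])
            if m:
                findings.append({"ts": rec["ts"], "technique": name, "match": m.group(0)})
    return findings


def summarize(findings: list) -> dict:
    """Collapse findings into the techniques seen and the platforms the script claimed."""
    techniques = sorted({f["technique"] for f in findings})
    platforms = sorted({f["match"].split()[-1] for f in findings
                        if f["technique"] == "detection_output"})
    return {"count": len(findings), "techniques": techniques, "platforms": platforms}


if __name__ == "__main__":
    for f in scan_script_blocks(SAMPLE_LOG):
        print(f"{f['ts']}  {f['technique']:22}  {f['match']}")
    print(summarize(scan_script_blocks(SAMPLE_LOG)))
```

Pointing `SAMPLE_LOG` at real script block records (after mapping the field names to whatever your exporter emits) gives the same per-technique timeline the write-up built by hand with Hayabusa searches.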