Operation Blackout 2025: Phantom Check
| Field | Value |
|---|---|
| Release Date | 06 Jun 2025 |
| Retire Date | 06 Jun 2025 |
| Difficulty | Very Easy |
| Creator | iamr007 |
What do we gain?
Ability to create detection rules by identifying specific WMI queries, comparing processes for virtual machine detection, and analyzing registry keys or file paths associated with virtual environments.
Scenario
Talion suspects that the threat actor carried out anti-virtualization checks to avoid detection in sandboxed environments. Your task is to analyze the event logs and identify the specific techniques used for virtualization detection. Byte Doctor requires evidence of the registry checks or processes the attacker executed to perform these checks.
Provided artifacts
- Microsoft-Windows-Powershell.evtx
- Windows-Powershell-Operational.evtx
Task 1
Question: Which WMI class did the attacker use to retrieve model and manufacturer information for virtualization detection?
As we are provided with two event log files and the question asks about WMI classes, we have to look for WMI usage in the PowerShell commands.
We can use Windows Event Viewer or Hayabusa. As I have heard a lot about Hayabusa and am also learning it, we will use that.
According to the task, the attacker used a WMI (Windows Management Instrumentation) query to gather system information in order to determine whether the current environment is a virtual machine. We can search for every command run that contains a WMI query:

```shell
hayabusa-3.3.0-win-x64.exe search -f "Microsoft-Windows-Powershell.evtx" -k "Wmi" -J -o "wmi_result.json"
```


We can clearly see the command line and which class the attacker used.
Answer: Win32_ComputerSystem
Task 2
Question: Which WMI query did the attacker execute to retrieve the current temperature value of the machine?
In the same JSON output file we can see every use of WMI and which query the attacker performed.

Answer: SELECT * FROM MSAcpi_ThermalZoneTemperature
Task 3
Question: The attacker loaded a PowerShell script to detect virtualization. What is the function name of the script?
From the question it is evident that the attacker is performing a kind of information gathering activity. We will run Hayabusa with all available rules to detect the script execution:

```shell
hayabusa-3.3.0-win-x64.exe csv-timeline -f "Windows-Powershell-Operational.evtx" -o "powershell_timeline2.csv"
```

One of the script blocks surfaced in this timeline (at 2025-04-09 09:20:53) indeed contains a function that implements the VM detection capability described in the task.

Answer: Check-VM
Task 4
Question: Which registry key did the above script query to retrieve service details for virtualization detection?
Going through the same identified script, we find that it retrieves service details from ‘HKLM:\SYSTEM\ControlSet001\Services’. We can confirm this by searching the log for that key:

```shell
hayabusa-3.3.0-win-x64.exe search -f "Windows-Powershell-Operational.evtx" -k "HKLM" -J -o "HKLM_result.json"
```

Answer: HKLM:\SYSTEM\ControlSet001\Services
Task 5
Question: The VM detection script can also identify VirtualBox. Which processes is it comparing to determine if the system is running VirtualBox?
We scroll down until we come across the ‘VirtualBox’ comment in the script. Just below it, we can see that the script retrieves process details using the ‘Get-Process’ cmdlet and compares them with ‘vboxservice.exe’ and ‘vboxtray.exe’ to determine whether it is running in a VirtualBox environment.
Answer: vboxservice.exe, vboxtray.exe
Task 6
Question: The VM detection script prints any detection with the prefix ‘This is a’. Which two virtualization platforms did the script detect?
Thoroughly analyzing the script, we observe that it prints virtual machine detection results using the phrase ‘This is a’ followed by the name of the VM platform. To find the output, we search for the string ‘This is a’ within the ‘Microsoft-Windows-PowerShell’ logs and confirm that, according to the script, the operating system is running inside either ‘Hyper-V’ or ‘VMware’.
Answer: Hyper-V, Vmware
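To turn the indicators recovered in Tasks 1 to 6 into a reusable detection check, here is an added example (not part of the original writeup, nor of Hayabusa) that scans PowerShell script block text, such as the ScriptBlockText of event ID 4104, for the same WMI classes, registry path, process names and output prefix; the sample events are constructed, and the two-indicator threshold is an assumption.

```python
import re
from dataclasses import dataclass

# Indicators taken from the Check-VM script recovered in Tasks 1 to 6.
# Matching is case-insensitive because PowerShell and WQL are.
VM_CHECK_INDICATORS = [
    ("wmi_computersystem", re.compile(r"Win32_ComputerSystem", re.I)),
    ("wmi_thermalzone", re.compile(r"MSAcpi_ThermalZoneTemperature", re.I)),
    ("registry_services", re.compile(r"HKLM:\\SYSTEM\\ControlSet001\\Services", re.I)),
    ("vbox_process", re.compile(r"vbox(service|tray)\.exe", re.I)),
    ("detection_print", re.compile(r"This is a", re.I)),
]

@dataclass
class Hit:
    record_id: int
    indicators: list

def score_script_block(text):
    """Return the labels of every indicator present in one script block."""
    return [label for label, rx in VM_CHECK_INDICATORS if rx.search(text)]

def find_vm_detection(events, min_indicators=2):
    """events: iterable of (record_id, script_block_text) tuples.
    A block is flagged once it carries min_indicators distinct indicators
    (assumed threshold), so a lone Win32_ComputerSystem inventory query
    is not reported on its own."""
    hits = []
    for record_id, text in events:
        found = score_script_block(text)
        if len(found) >= min_indicators:
            hits.append(Hit(record_id, found))
    return hits

# Constructed sample script blocks (not the real log content).
SAMPLE_EVENTS = [
    (101, "Get-WmiObject -Class Win32_ComputerSystem | Select Model,Manufacturer"),
    (102, "function Check-VM {\n"
          "  Get-WmiObject -Query 'SELECT * FROM MSAcpi_ThermalZoneTemperature'\n"
          "  Get-ChildItem 'HKLM:\\SYSTEM\\ControlSet001\\Services'\n"
          "  # VirtualBox\n"
          "  $p = Get-Process | Where-Object { $_.ProcessName -in 'vboxservice.exe','vboxtray.exe' }\n"
          "  if ($p) { Write-Output 'This is a VirtualBox' }\n}"),
    (103, "Write-Host 'hello world'"),
]

if __name__ == "__main__":
    for hit in find_vm_detection(SAMPLE_EVENTS):
        print(f"record {hit.record_id}: {', '.join(hit.indicators)}")
```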