Check this twitter thread #186

Open
seifreed opened this issue Jun 21, 2019 · 4 comments

Comments

@seifreed

https://twitter.com/sherrod_im/status/1140748556606644230

@ayoubfaouzi
Owner

Hey @seifreed

Thanks for the link ! Will check what we can do with it.

@gsuberland
Collaborator

It would be helpful if someone could collate all of the tricks from that thread into a comment here, with relevant links back to the tweets and other reference materials.

@cetfor

cetfor commented Mar 1, 2021

@gsuberland Here's a summary of the techniques mentioned in the Twitter thread along with contributor names and links to relevant replies. There are some real gems in this list that I'd like to implement. I'll add technical references to methods throughout the week in additional comments.

Contributor: Parker Crook @crooksecurity
Tweet Link: https://twitter.com/crooksecurity/status/1140757094188142592
Method 1: Are you on a really small subnet? If you can't talk to any neighboring or other RFC1918 addresses, don't run.
Method 2: Sleep for 5 minutes, then run.
Method 3: Activate after a reboot

Contributor: Paul Melson @pmelson
Tweet Link: https://twitter.com/pmelson/status/1140841015449968641
Method 1: RecentFiles.Count >= 3
Method 2: Checking ThisDocument.Name to see if it contains only '0123456789ABCDEF' (hash value file names)

Contributor: Dodge This Security @shotgunner101
Tweet Link: https://twitter.com/shotgunner101/status/1140750260043694087
Method 1: Detecting if a wireless card is connected and getting a list of the wireless networks. If no wireless networks, then refuse to run.
Method 2: Detect how small the aspect ratio is and if under a certain size refuse to run.
Method 3: Detect if a system is part of a domain, if not don't run.

Tweet Link: https://twitter.com/shotgunner101/status/1140751120928845824
Method 4: Detect if a system has both a mouse and keyboard connected, if not don't run.
Method 5: Detect if a system is a certain period of time behind on patches, if so don't run.
Method 6: Detect if multiple different versions of the same browser, Java runtime, etc. are installed, if so don't run.

Tweet Link: https://twitter.com/shotgunner101/status/1140753362708811776
Method 7: Detect what gaps exist in the Windows event logs time-wise, if the gap is too large then don't run.
Method 8: Detect the date and time of files on disk that commonly change on Patch Tuesdays. If too old then don't run.
Method 9: Detect if Sysmon is running on the system, if so don't run.

Tweet Link: https://twitter.com/shotgunner101/status/1140754576154464258
Method 10: Detect if sound is currently enabled and if an audio device is connected, if not don't run.
Method 11: Detect if the security settings are set to be wildly insecure, if so then don't run.
Method 12: Detect if a USB, external drive, SD card or mobile device was ever connected, if not don't run.

Tweet Link: https://twitter.com/shotgunner101/status/1140755791751892995
Method 13: Detect if multiple users which are not in the base Windows build are in the system, if not don't run.
Method 14: Detect if HTTPS interception is occurring, if so don't run.
Method 15: Detect if there are any printers or shared drives, if not don't run.

Tweet Link: https://twitter.com/shotgunner101/status/1140757186592854016
Method 16: Detect if there is any traffic coming from other systems. If not, don't run.
Method 17: Detect if Windows 7, 8, or Windows XP; if it is, don't run.
Method 18: Detect how far the browser activity goes back and how much there is; if very minimal or a huge gap in time, don't run.

Tweet Link: https://twitter.com/shotgunner101/status/1140758657887547394
Method 19: Detect if there is any event forwarding or event collection software/settings in the system. If not, don't run (most sandboxes don't have this due to noise).
Method 20: Detect system temperature, number of fans, their states, etc. (my guess is likely VMs can't see this).

Tweet Link: https://twitter.com/shotgunner101/status/1140760149231112192
Method 21: Detect if the processor supports virtualization (normally this is disabled by default for VM images, as a VM in a VM is extremely slow).
Method 22: Detect if any remote systems or devices have ever attempted to log in or share files to this system, if not don't run.

Tweet Link: https://twitter.com/shotgunner101/status/1140761719578472453
Method 23: Detect if any non-standard pictures under My Pictures, audio under My Music, and recently executed programs exist (if more than x amount then run).
Method 24: Check what the dates are for the majority of the prefetch files, if most are very old don't run.

Tweet Link: https://twitter.com/shotgunner101/status/1140763825395945472
Method 25: Check if the system has a screensaver set and how long it's set till it appears (most if not all sandboxes disable it).
Method 26: Check the UAC settings, if they are set to never notify then don't execute.
Method 27: Check how much disk space there is, generally sandbox VMs are small.

Tweet Link: https://twitter.com/shotgunner101/status/1141097117500485632
Method 28: Check if user does a DNS request for a range of social media, search engine, or gaming websites.
Method 29: Check if the system has a VPN client installed (no sandbox I've seen has this).
Method 30: Detect if Instant Messaging applications are running and being used.

Tweet Link: https://twitter.com/shotgunner101/status/1141099106305282048
Method 31: Detect if a group policy is set and that the password complexity requirements are non-default.
Method 32: Detect if more than X number of windows searches have ran.
Method 33: Detect how many non-standard browser bookmarks there are.
Method 34: Detect the presence of a connected webcam.

Tweet Link: https://twitter.com/shotgunner101/status/1141100452362276864
Method 35: Detect whether Windows Update is disabled via group policy (most companies have alternative update management solutions).
Method 36: Detect if bluetooth is available and enable it, look for visible bluetooth devices.
Method 37: Detect if a touchpad is enabled in windows(for laptops).

Tweet Link: https://twitter.com/shotgunner101/status/1141106154979909633
Method 38: Detect if a microphone is connected. (Again for laptops).
Method 39: Detect if full disk encryption software is installed.
Method 40: Detect if multiple local letter drives are connected. (I haven't seen a sandbox yet with more than 1.)
Method 41: Detect if Intel AMT can detect power state.
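A handful of the heuristics collated above, scored together, as an added PowerShell example. This is not code from the project or from the thread; the thresholds (fixed-disk size, screensaver timeout) and the choice of which checks to combine are assumptions and should be tuned against real fleet data before anyone treats the score as meaningful:

```powershell
# Added example: score some of the thread's heuristics on the local host.
# Not part of the project. Thresholds below are assumptions, not measured values.
# Each indicator is $true when the host "looks like" a sandbox or analysis VM.

function Test-SandboxHeuristics {
    [CmdletBinding()]
    param(
        [int]$MinDiskGB = 80,              # assumption: analysis VMs are usually provisioned small
        [int]$MinScreensaverSeconds = 60   # assumption: a configured screensaver implies a real desktop
    )

    $hits = [ordered]@{}

    # shotgunner101 method 3: not domain-joined
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $hits['NotDomainJoined'] = -not $cs.PartOfDomain

    # shotgunner101 method 9: Sysmon present. Default service names are Sysmon/Sysmon64
    # and the driver is SysmonDrv, but both are renamable at install time, so a miss
    # here proves nothing.
    $sysmonSvc = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue
    $sysmonDrv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='SysmonDrv'" -ErrorAction SilentlyContinue
    $hits['SysmonPresent'] = [bool]($sysmonSvc -or $sysmonDrv)

    # shotgunner101 method 26: UAC at "never notify". Older builds set EnableLUA=0;
    # current builds keep EnableLUA=1 and zero the two prompt values instead.
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    $hits['UacNeverNotify'] = ($uac.EnableLUA -eq 0) -or
                              ($uac.ConsentPromptBehaviorAdmin -eq 0 -and $uac.PromptOnSecureDesktop -eq 0)

    # shotgunner101 methods 27 and 40: total fixed-disk capacity and number of fixed drives
    $fixed = @(Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3')
    $totalGB = [math]::Round((($fixed | Measure-Object -Property Size -Sum).Sum) / 1GB)
    $hits['SmallDisk']   = $totalGB -lt $MinDiskGB
    $hits['SingleDrive'] = $fixed.Count -le 1

    # shotgunner101 method 25: screensaver configured for the current user
    $desk = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $ssActive  = $desk.ScreenSaveActive -eq '1'
    $ssTimeout = 0
    [void][int]::TryParse([string]$desk.ScreenSaveTimeOut, [ref]$ssTimeout)
    $hits['NoScreensaver'] = -not ($ssActive -and $ssTimeout -ge $MinScreensaverSeconds)

    # shotgunner101 method 10: at least one audio device is enumerated
    $hits['NoAudioDevice'] = @(Get-CimInstance -ClassName Win32_SoundDevice -ErrorAction SilentlyContinue).Count -eq 0

    $score = @($hits.GetEnumerator() | Where-Object { $_.Value }).Count
    [pscustomobject]@{
        Score       = $score
        OutOf       = $hits.Count
        Indicators  = $hits
        TotalDiskGB = $totalGB
    }
}

$result = Test-SandboxHeuristics
$result.Indicators.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }
"Score: $($result.Score)/$($result.OutOf) (fixed disk: $($result.TotalDiskGB) GB)"
```

Run it in a normal PowerShell session; none of the queries needs elevation. A single indicator firing is expected on plenty of legitimate hosts (a home laptop is not domain-joined, a kiosk has no audio), which is why the block reports a count rather than a verdict.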

@cetfor

cetfor commented Mar 6, 2021

I went through the list and dropped methods that are either already implemented or would likely fail on many systems. There are a number of interesting/creative ideas on the list, which may be useful when used to build a larger picture, but they are mostly all far from a "smoking gun."

Here's my own shortlist:

  1. Count the current user's recently accessed files
  2. Check the ratio of Windows Event log events to maximum log size
  3. Check the DNS cache
  4. Check number of entries in ARP table
  5. Check USB device and storage history

Implementation paths:

  1. Count the number of files in %AppData%\Microsoft\Windows\Recent
  2. Get the max log size and application event count and check their ratio using win32 Event Logging Functions. Reverted VM snapshots may have a very low ratio compared to long-running systems.
  3. Check programmatic equivalent of ipconfig /displaydns
  4. Check programmatic equivalent of arp -a
  5. Check registry key/values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB for general USB devices and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR for USB storage devices. A very small, or empty list indicates the system hasn't used many USB devices.

This project has so many methods implemented; what seems to remain is a bunch of fringe checks that merely suggest a fresh Windows install with a small runtime footprint.

If anyone has any issues or concerns with these please share. Thanks!
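The five shortlisted checks and their implementation paths, written out as an added PowerShell example. This is not code from the project or from the comment above; the thresholds are assumptions, and the event-log check measures the log's byte fill against its configured maximum (plus the record count) as the "ratio" the comment describes. `Get-DnsClientCache` and `Get-NetNeighbor` ship with Windows 8 / Server 2012 and later, so the block falls back to parsing `ipconfig /displaydns` and `arp -a` where the cmdlets are missing:

```powershell
# Added example: the five checks from the shortlist above.
# Not part of the project. Thresholds are assumptions, not measured values.

function Get-FootprintIndicators {
    [CmdletBinding()]
    param(
        [int]$MinRecentFiles  = 3,    # assumption, mirrors the RecentFiles.Count >= 3 idea from the thread
        [double]$MinLogFill   = 0.05, # assumption: Application log under 5% of its cap looks freshly reverted
        [int]$MinDnsEntries   = 10,   # assumption
        [int]$MinArpNeighbors = 2,    # assumption: gateway plus at least one peer
        [int]$MinUsbDevices   = 3     # assumption: hypervisors add virtual hub/mouse entries, so allow a few
    )

    # 1. Recently accessed files: Explorer writes a .lnk per opened file here.
    $recent = Join-Path $env:APPDATA 'Microsoft\Windows\Recent'
    $recentCount = @(Get-ChildItem -Path $recent -File -ErrorAction SilentlyContinue).Count

    # 2. Application event log: bytes used vs. configured maximum, plus record count.
    #    A snapshot reverted before every run never gets the chance to fill up.
    $app = Get-WinEvent -ListLog Application -ErrorAction SilentlyContinue
    $logFill    = if ($app -and $app.MaximumSizeInBytes -gt 0) { $app.FileSize / $app.MaximumSizeInBytes } else { 0 }
    $logRecords = if ($app) { $app.RecordCount } else { 0 }

    # 3. DNS client cache (programmatic ipconfig /displaydns).
    if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
        $dnsCount = @(Get-DnsClientCache -ErrorAction SilentlyContinue).Count
    } else {
        $dnsCount = @(ipconfig /displaydns | Select-String -Pattern 'Record Name').Count
    }

    # 4. Neighbor / ARP table (programmatic arp -a). Permanent entries are the broadcast
    #    and multicast addresses every host has, so only count learned neighbors.
    if (Get-Command Get-NetNeighbor -ErrorAction SilentlyContinue) {
        $arpCount = @(Get-NetNeighbor -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                      Where-Object { $_.State -in 'Reachable', 'Stale', 'Delay', 'Probe' }).Count
    } else {
        $arpCount = @(arp -a | Select-String -Pattern 'dynamic').Count
    }

    # 5. USB history. Enum\USB\<VID&PID>\<instance> holds every USB device instance the
    #    PnP manager has seen (including a hypervisor's virtual hub); Enum\USBSTOR holds
    #    only mass-storage devices and may not exist at all on a clean image.
    $usbCount = @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB' -ErrorAction SilentlyContinue |
                  Get-ChildItem -ErrorAction SilentlyContinue).Count
    $usbStorCount = @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue).Count

    $flags = [ordered]@{
        FewRecentFiles = $recentCount -lt $MinRecentFiles
        EmptyEventLog  = $logFill -lt $MinLogFill
        ColdDnsCache   = $dnsCount -lt $MinDnsEntries
        SparseArpTable = $arpCount -lt $MinArpNeighbors
        NoUsbHistory   = ($usbCount -lt $MinUsbDevices) -and ($usbStorCount -eq 0)
    }

    [pscustomobject]@{
        RecentFiles   = $recentCount
        AppLogFill    = [math]::Round($logFill, 3)
        AppLogRecords = $logRecords
        DnsEntries    = $dnsCount
        ArpNeighbors  = $arpCount
        UsbDevices    = $usbCount
        UsbStorage    = $usbStorCount
        Flags         = $flags
        Score         = @($flags.GetEnumerator() | Where-Object { $_.Value }).Count
    }
}

Get-FootprintIndicators | Format-List
```

Reading the Application log configuration and the Enum registry keys works from an unelevated session. All five are footprint checks, so a long-lived sandbox that is not reverted between samples, or one seeded with decoy history, will pass them; they only raise the cost for the common snapshot-and-revert setup.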
