check-for-sandbox-via-mac-address-ouis-in-dotnet.yml (forked from mandiant/capa-rules)
rule:
  meta:
    name: check for sandbox via MAC address OUIs in .NET
    namespace: anti-analysis/anti-vm/vm-detection
    authors:
    description: detects sandbox detection via MAC address organizationally unique identifiers (OUIs). Based on the publicly available CSharpShooter/CheckPlease.cs
    scopes:
      static: function
      dynamic: unsupported
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/mdsecactivebreach/SharpShooter/blob/9aea0b7a723b61c01c21f1e4b55409edf39a5a3b/CSharpShooter/CheckPlease.cs
  features:
    - and:
      - format: dotnet
      - basic block:
        - and:
          - 3 or more:
            - string: /00[:-]?0c[:-]?29/i
            - string: /00[:-]?1c[:-]?14/i
            - string: /00[:-]?50[:-]?56/i
              description: VMware OUIs
            - string: /08[:-]?00[:-]?27/i
              description: PCS Systemtechnik GmbH OUI, potentially related to VirtualBox
          - api: System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress
          - api: System.Net.NetworkInformation.NetworkInterface::GetAllNetworkInterfaces
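The following Python is an added illustration, not part of the capa rule or of capa's matching engine. It re-implements the rule's logic with the standard `re` module so you can see what the regex strings match and how the "3 or more" threshold behaves. The sample block strings, the API list and the MAC addresses are constructed for the example; the `rule_matches`, `count_oui_strings` and `mac_has_vm_oui` helper names are mine. Note that .NET's `PhysicalAddress.ToString()` returns the MAC as upper-case hex with no separators (for example `000C29AABBCC`), which is why the rule's patterns make the `:`/`-` separator optional and are case-insensitive.

```python
import re

# OUI patterns copied verbatim from the rule. The optional [:-] separator lets
# one pattern match "00:0c:29", "00-0c-29" and "000c29"; IGNORECASE covers the
# upper-case hex that PhysicalAddress.ToString() emits in .NET.
VMWARE_OUI_PATTERNS = [
    re.compile(r"00[:-]?0c[:-]?29", re.IGNORECASE),
    re.compile(r"00[:-]?1c[:-]?14", re.IGNORECASE),
    re.compile(r"00[:-]?50[:-]?56", re.IGNORECASE),
]
# PCS Systemtechnik GmbH, the OUI VirtualBox assigns to guest NICs.
VIRTUALBOX_OUI_PATTERN = re.compile(r"08[:-]?00[:-]?27", re.IGNORECASE)
OUI_PATTERNS = VMWARE_OUI_PATTERNS + [VIRTUALBOX_OUI_PATTERN]

# Both API references the rule requires in the same basic block.
REQUIRED_APIS = {
    "System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress",
    "System.Net.NetworkInformation.NetworkInterface::GetAllNetworkInterfaces",
}


def count_oui_strings(strings):
    """Count how many distinct OUI patterns are hit by at least one string.

    This mirrors the rule's '3 or more' block: each pattern is one feature and
    counts once, however many strings in the block match it.
    """
    return sum(1 for pat in OUI_PATTERNS if any(pat.search(s) for s in strings))


def rule_matches(block_strings, block_apis, is_dotnet=True):
    """Approximate the rule over one basic block's extracted features.

    block_strings: string literals referenced in the block.
    block_apis:    fully qualified .NET API names called in the block.
    is_dotnet:     stands in for the rule's 'format: dotnet' feature.
    """
    if not is_dotnet:
        return False
    return count_oui_strings(block_strings) >= 3 and REQUIRED_APIS <= set(block_apis)


def mac_has_vm_oui(mac):
    """The check the malware itself performs (the CheckPlease.cs idea): does
    a MAC, in any common textual form, start with one of the listed OUIs?
    Anchoring at position 0 avoids matching an OUI in the device-specific half."""
    return any(pat.match(mac) for pat in OUI_PATTERNS)


# Constructed sample features, standing in for what capa would extract from a
# basic block of a .NET sample that embeds the CheckPlease-style check.
SAMPLE_BLOCK_STRINGS = [
    "00:0c:29",          # VMware
    "00-1C-14",          # VMware, dash-separated and upper-case
    "005056",            # VMware, no separator
    "08:00:27",          # VirtualBox
    "Sandbox detected, exiting",
]
SAMPLE_BLOCK_APIS = [
    "System.Net.NetworkInformation.NetworkInterface::GetAllNetworkInterfaces",
    "System.Net.NetworkInformation.NetworkInterface::GetPhysicalAddress",
]

if __name__ == "__main__":
    print("rule matches sample block:", rule_matches(SAMPLE_BLOCK_STRINGS, SAMPLE_BLOCK_APIS))
    print("OUI patterns hit:", count_oui_strings(SAMPLE_BLOCK_STRINGS))
    for mac in ("000C29AABBCC", "08:00:27:11:22:33", "3C22FB112233"):
        print(mac, "looks like a VM NIC:", mac_has_vm_oui(mac))
```

Two things the example makes visible that the rule text alone does not: the threshold is on distinct patterns, so a block that only compares against two VMware OUIs is not flagged even if it also calls both APIs, and a block that carries the strings without the `GetPhysicalAddress` call (for example a logging routine) is not flagged either. Also keep in mind that the rule's static scope means it flags code that compares MACs against these OUIs, not code that is actually running in a VM.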