Invoke-Antivm – Powershell Tool For VM Evasion

Invoke-AntiVM is a set of modules to perform VM detection and fingerprinting (with exfiltration) via PowerShell.

Compatibility

Run the script check-compatibility.ps1 to check which modules or functions are compatible with your PowerShell version. The goal is compatibility from PowerShell 2.0 onwards, but the tool is not there yet; run check-compatibility.ps1 to see the current compatibility issues.

Background

This tool was written to unify various techniques for detecting VM or sandbox technologies. It relies on both signature indicators (vendor strings, guest services, virtual NIC MAC prefixes) and behavioural indicators (unusually small or freshly booted machines) to determine whether a host is a VM. The modules are grouped into logical categories: CPU, Execution, Network, Programs. The user can also choose to exfiltrate a fingerprint of the target host, to determine which attributes can be used to identify a particular sandbox or VM solution.
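The following PowerShell script is an added illustration of the two indicator types and four categories described above; it is not code from the Invoke-AntiVM project. It collects a host fingerprint through CIM/WMI in the same four groups, scores it against signature indicators (vendor strings, well-known virtual-NIC OUIs, guest-tools services) and behavioural indicators (core count, RAM, disk size, uptime), and writes the fingerprint to JSON. The function names, the regular expressions and the numeric thresholds are assumptions chosen for the example.

```powershell
# Added example, not part of Invoke-AntiVM. Function names, patterns and
# thresholds are assumptions for illustration; tune them against real hosts.

function Get-HostFingerprint {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'"
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem

    [ordered]@{
        CPU = [ordered]@{
            Name         = $cpu.Name
            LogicalCores = [int]$cs.NumberOfLogicalProcessors
            Hypervisor   = [bool]$cs.HypervisorPresent   # also true on hosts running Hyper-V/VBS
        }
        Execution = [ordered]@{
            Manufacturer  = $cs.Manufacturer
            Model         = $cs.Model
            BiosVersion   = $bios.SMBIOSBIOSVersion
            MemoryGB      = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
            DiskGB        = [math]::Round($disk.Size / 1GB, 1)
            UptimeMinutes = [int]((Get-Date) - $os.LastBootUpTime).TotalMinutes
        }
        Network = [ordered]@{
            # first three octets of every physical adapter MAC (the OUI)
            MacPrefixes = @(Get-CimInstance Win32_NetworkAdapter -Filter "PhysicalAdapter=True" |
                            Where-Object MACAddress |
                            ForEach-Object { $_.MACAddress.Substring(0, 8).ToUpper() })
        }
        Programs = [ordered]@{
            Services  = @(Get-Service | Where-Object { $_.Name -match 'vmtools|vboxservice|vmicheartbeat' } |
                          Select-Object -ExpandProperty Name)
            Processes = @(Get-Process | Where-Object { $_.Name -match 'vmtoolsd|vboxtray|vboxservice|procmon|wireshark' } |
                          Select-Object -ExpandProperty Name -Unique)
        }
    }
}

function Test-VmIndicators {
    param([Parameter(Mandatory)]$Fingerprint)
    $hits = New-Object System.Collections.Generic.List[string]

    # --- signature indicators -------------------------------------------
    $vendorPattern = 'VMware|VirtualBox|innotek|QEMU|Xen|KVM|Hyper-V|Virtual Machine|Bochs'
    foreach ($v in $Fingerprint.Execution.Manufacturer, $Fingerprint.Execution.Model, $Fingerprint.Execution.BiosVersion) {
        if ($v -match $vendorPattern) { $hits.Add("vendor string: $v") }
    }
    # VMware, VirtualBox, Hyper-V and Xen OUIs
    $vmOui = '00:50:56', '00:0C:29', '00:05:69', '00:1C:14', '08:00:27', '00:15:5D', '00:16:3E'
    foreach ($p in $Fingerprint.Network.MacPrefixes) {
        if ($vmOui -contains $p) { $hits.Add("VM MAC prefix: $p") }
    }
    if ($Fingerprint.CPU.Hypervisor) { $hits.Add('HypervisorPresent flag set') }
    foreach ($s in $Fingerprint.Programs.Services)  { $hits.Add("guest service: $s") }
    foreach ($p in $Fingerprint.Programs.Processes) { $hits.Add("guest/analysis process: $p") }

    # --- behavioural indicators (thresholds are assumptions) -------------
    if ($Fingerprint.CPU.LogicalCores -lt 2)         { $hits.Add('fewer than 2 logical cores') }
    if ($Fingerprint.Execution.MemoryGB -lt 4)       { $hits.Add('less than 4 GB RAM') }
    if ($Fingerprint.Execution.DiskGB -lt 60)        { $hits.Add('system disk smaller than 60 GB') }
    if ($Fingerprint.Execution.UptimeMinutes -lt 10) { $hits.Add('uptime under 10 minutes') }

    [pscustomobject]@{
        IsLikelyVm = ($hits.Count -gt 0)
        Indicators = $hits.ToArray()
    }
}

# Usage: score this host and keep the raw fingerprint for later comparison.
$fp     = Get-HostFingerprint
$result = Test-VmIndicators -Fingerprint $fp
$result | Format-List
$fp | ConvertTo-Json -Depth 4 | Set-Content -Path .\fingerprint.json
```

Any single indicator is treated as a hit here to keep the example short; in practice HypervisorPresent and small-machine thresholds also fire on legitimate laptops and Hyper-V hosts, so a weighted score, or comparison against fingerprints collected from known sandboxes, gives fewer false positives.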

Goal

Invoke-AntiVM was created to understand the implications of using obfuscation and anti-VM tricks in PowerShell payloads. We hope it helps Red Teams avoid analysis of their payloads and Blue Teams understand how to deobfuscate a script that uses evasion techniques. You can either use the main module file Invoke-AntiVM.psd1 or the individual ps1 script files if you want to reduce the size.

Usage

Usage examples are provided in the following scripts:

  • detect.ps1: an example script showing how to call the individual checks
  • usage.ps1: basic usage
  • usage_more.ps1: more advanced features
  • usage_exfil.ps1: how to exfiltrate host information as a JSON document via Pastebin, web or e-mail
  • usage_fingerprint_file.ps1: the exfiltration module and the data it produces as a JSON document
  • poc_fingerprint_merged.ps1: the fingerprinting module used against online sandboxes
  • output/poc.docm: an example MS Word attack with a macro that calls the fingerprinting module (uploaded beforehand to a server)

The folder pastebin contains a Python script and a PowerShell script:

  • entire_fingerprints.py downloads all the pastes
  • decode_pastebins.ps1 decompresses and decodes the fingerprint documents

You must make sure you use the same encryption key you used during the exfiltration phase; with a different key the decoding step fails. The folder package shows how to bundle all the scripts into a single file for better portability. The folder pastebin shows how to automatically pull and decode the exfiltrated files from Pastebin.
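The following PowerShell script is an added example of the compress, encrypt and encode pipeline that the exfiltration and decoding steps above imply, written for this page rather than taken from Invoke-AntiVM; the project's own format and cipher may differ. A JSON fingerprint is gzip-compressed, encrypted with AES-CBC under a random IV, and Base64-encoded so it can be posted as text; the decoder reverses the steps and shows what happens when the key does not match. Function names and the key-generation scheme are assumptions.

```powershell
# Added example, not Invoke-AntiVM code. Format: Base64( IV || AES-CBC(gzip(json)) ).
# Key handling is simplified (random 32-byte key, no MAC); see note below.

function Protect-Fingerprint {
    param(
        [Parameter(Mandatory)][string]$Json,
        [Parameter(Mandatory)][byte[]]$Key      # 32 bytes -> AES-256
    )
    $raw = [System.Text.Encoding]::UTF8.GetBytes($Json)

    # 1. compress: JSON fingerprints are highly repetitive, so this shrinks the paste a lot
    $ms = New-Object System.IO.MemoryStream
    $gz = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
    $gz.Write($raw, 0, $raw.Length)
    $gz.Close()
    $compressed = $ms.ToArray()

    # 2. encrypt with a fresh random IV per document
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.GenerateIV()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($compressed, 0, $compressed.Length)

    # 3. prepend the IV and Base64-encode so the blob survives a text-only channel
    [Convert]::ToBase64String($aes.IV + $cipher)
}

function Unprotect-Fingerprint {
    param(
        [Parameter(Mandatory)][string]$Blob,
        [Parameter(Mandatory)][byte[]]$Key
    )
    $bytes  = [Convert]::FromBase64String($Blob)
    $iv     = $bytes[0..15]
    $cipher = $bytes[16..($bytes.Length - 1)]

    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = $iv
    try {
        # a wrong key almost always corrupts the PKCS#7 padding and throws here
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
    } catch [System.Security.Cryptography.CryptographicException] {
        throw "Decryption failed: the key does not match the one used during exfiltration."
    }

    $in  = New-Object System.IO.MemoryStream(,$plain)   # comma keeps the byte[] intact
    $gz  = New-Object System.IO.Compression.GZipStream($in, [System.IO.Compression.CompressionMode]::Decompress)
    $out = New-Object System.IO.MemoryStream
    $gz.CopyTo($out)
    $gz.Close()
    [System.Text.Encoding]::UTF8.GetString($out.ToArray())
}

# --- usage with a constructed fingerprint ------------------------------------
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)

$fingerprint = @{ CPU = @{ LogicalCores = 1 }; Execution = @{ MemoryGB = 2 } } | ConvertTo-Json -Compress
$blob = Protect-Fingerprint -Json $fingerprint -Key $key
"Paste body: $blob"

# round trip with the right key
Unprotect-Fingerprint -Blob $blob -Key $key

# the wrong key fails loudly instead of producing garbage
$wrongKey = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($wrongKey)
try { Unprotect-Fingerprint -Blob $blob -Key $wrongKey } catch { $_.Exception.Message }
```

CBC without an authentication tag is enough to make a key mismatch obvious, which is the point the decoding step above makes, but it does not protect the pastes from tampering by anyone who finds them. If the channel is public (Pastebin), derive the key from a passphrase with a proper KDF and salt and add an HMAC over IV and ciphertext, or use AES-GCM where the runtime provides it.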

Installation

The source code for Invoke-AntiVM is hosted on GitHub; you can download, fork and review it from this repository (https://github.com/robomotic/invoke-antivm). Please report issues or feature requests through the GitHub issue tracker associated with this project.

To install, run the script install_module.ps1.
