Talion suspects that the threat actor carried out anti-virtualization checks to avoid detection in sandboxed environments. Your task is to analyze the event logs and identify the specific techniques used for virtualization detection. Byte Doctor requires evidence of the registry checks or processes the attacker executed to perform these checks.
https://app.hackthebox.com/sherlocks/Operation Blackout 2025: Phantom Check

I searched the logs for Get-WmiObject calls and found the attacker querying the Win32_ComputerSystem WMI class. The script retrieved properties like Model and Manufacturer to check for virtualization. Virtual machines often have recognizable values in these fields, such as strings mentioning VMware or Hyper-V, which makes this a common method for VM detection. By examining the script, I confirmed that it executed a Get-WmiObject -Class Win32_ComputerSystem command to automatically collect this information.

Looking further with the same search, I found the attacker using SELECT * FROM MSAcpi_ThermalZoneTemperature. This query retrieves data from the system’s thermal zones. Malware often checks temperature readings because virtual machines may report unrealistic or static values. These readings help the attacker determine whether the code is running in a sandbox or a real hardware environment.

I searched the loaded PowerShell script for function definitions and found Check-VM. This function wraps all the logic for virtualization detection: WMI queries, registry checks, and process inspections. By packaging the checks into a single function, the attacker can quickly verify if the host is a VM before continuing execution.
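To show how these indicators can be pulled out of script block logging systematically, here is an added Python example (my own, not part of the challenge or its evidence) that scans constructed Event ID 4104 script block text for the WMI queries, vendor-string comparisons and VM-check function definitions described above. The sample records and pattern names are assumptions for illustration.

```python
import re

# Constructed sample of PowerShell script block text, shaped like the
# ScriptBlockText field of Event ID 4104 records. Not the challenge's real logs.
SAMPLE_SCRIPT_BLOCKS = [
    {"record_id": 1, "text": (
        "function Check-VM {\n"
        "  $cs = Get-WmiObject -Class Win32_ComputerSystem\n"
        "  if ($cs.Model -match 'Virtual' -or $cs.Manufacturer -match 'VMware') { return $true }\n"
        "  $tz = Get-WmiObject -Namespace root/WMI -Query 'SELECT * FROM MSAcpi_ThermalZoneTemperature'\n"
        "  return $false\n"
        "}")},
    {"record_id": 2, "text": "Get-ChildItem C:\\Users | Out-File .\\users.txt"},
]

# Each pattern names the anti-virtualization technique it is evidence of.
INDICATORS = {
    "wmi_computersystem": re.compile(r"Get-WmiObject\b[^\n]*Win32_ComputerSystem", re.I),
    "wmi_thermalzone":    re.compile(r"MSAcpi_ThermalZoneTemperature", re.I),
    "vm_vendor_string":   re.compile(r"-match\s+'(VMware|Virtual|Hyper-V|VirtualBox|QEMU)'", re.I),
    "vm_check_function":  re.compile(r"function\s+([\w-]*VM[\w-]*)\s*\{", re.I),
}

def scan_script_block(record_id, text):
    """Return one finding per indicator hit inside a single script block."""
    findings = []
    for technique, pattern in INDICATORS.items():
        for m in pattern.finditer(text):
            findings.append({"record_id": record_id, "technique": technique,
                             "evidence": m.group(0).strip()})
    return findings

def scan_log(blocks):
    """Scan every script block and return all findings in record order."""
    out = []
    for b in blocks:
        out.extend(scan_script_block(b["record_id"], b["text"]))
    return out

def techniques_seen(findings):
    """Distinct techniques, for a quick summary of which checks were executed."""
    return sorted({f["technique"] for f in findings})

def vm_check_functions(findings):
    """Names of functions that wrap the VM checks (e.g. Check-VM)."""
    return [re.search(r"function\s+([\w-]+)", f["evidence"]).group(1)
            for f in findings if f["technique"] == "vm_check_function"]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_SCRIPT_BLOCKS):
        print(f"record {f['record_id']}: {f['technique']:20} {f['evidence']}")
```

Against real logs, feed the ScriptBlockText of each 4104 record into scan_log and pivot on record_id to recover the full script the hits came from.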