-
Notifications
You must be signed in to change notification settings - Fork 82
Computer
Tony Phipps edited this page Mar 27, 2018
·
9 revisions
| Use Case | Analysis | Tactic(s) | Source(s) |
|---|---|---|---|
| Monitor for hypervisor being present. Note that some rootkits may operate a hypervisor in such a way that hides it from the operating system, so this tool alone should be considered inconclusive if no hypervisor is reported. | SELECT UNIQUE HypervisorPresent WHERE HypervisorPresent = True | Persistence | Mitre Hypervisor |
| Monitor for suspicious BIOS properties, which may indicate malicious modification. | SELECT UNIQUE BIOSInstallDate, BIOSVersion, SMBIOSBIOSVersion, BIOSManufacturer | Persistence | Mitre System Firmware |