Computer
Tony Phipps edited this page Mar 27, 2018 · 9 revisions
Persistence
Monitor for the presence of a hypervisor. Some rootkits may operate a hypervisor in a way that hides it from the operating system, so if no hypervisor is reported, this tool's result alone should be considered inconclusive.
SELECT UNIQUE HypervisorPresent WHERE HypervisorPresent = True
Persistence
Monitor for suspicious BIOS properties, which may indicate malicious modification.
SELECT UNIQUE BIOSInstallDate, BIOSVersion, SMBIOSBIOSVersion, BIOSManufacturer
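The two queries above, run as real SQL over a small inventory; this is an added example, not code from this page or its project. It goes one step beyond `SELECT UNIQUE` by counting how many hosts share each BIOS tuple, so rare combinations surface first. The table name `computer`, the `Host` column and all sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample inventory. Column names follow the page's queries;
# the Host column and the table name "computer" are assumptions.
ROWS = [
    ("WS-001", 0, "2017-06-12", "1072009", "1.5.3", "Dell Inc."),
    ("WS-002", 0, "2017-06-12", "1072009", "1.5.3", "Dell Inc."),
    ("WS-003", 0, "2017-06-12", "1072009", "1.5.3", "Dell Inc."),
    ("WS-004", 1, "2017-06-12", "1072009", "1.5.3", "Dell Inc."),
    ("WS-005", 0, "2015-01-02", "1072009", "1.5.3x", "Dell"),
]

def load(rows):
    """Load collected rows into an in-memory table (True is stored as 1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE computer (Host TEXT, HypervisorPresent INTEGER, "
        "BIOSInstallDate TEXT, BIOSVersion TEXT, SMBIOSBIOSVersion TEXT, "
        "BIOSManufacturer TEXT)")
    conn.executemany("INSERT INTO computer VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn

def hypervisor_hosts(conn):
    """Hosts reporting a hypervisor. An empty list is inconclusive, not clean."""
    cur = conn.execute(
        "SELECT Host FROM computer WHERE HypervisorPresent = 1 ORDER BY Host")
    return [r[0] for r in cur]

def bios_stack(conn):
    """Each distinct BIOS tuple with its host count, rarest first."""
    cur = conn.execute(
        "SELECT COUNT(*) AS n, GROUP_CONCAT(Host) AS hosts, BIOSInstallDate, "
        "BIOSVersion, SMBIOSBIOSVersion, BIOSManufacturer FROM computer "
        "GROUP BY BIOSInstallDate, BIOSVersion, SMBIOSBIOSVersion, "
        "BIOSManufacturer ORDER BY n ASC")
    return cur.fetchall()

def bios_outliers(conn, max_hosts=1):
    """BIOS tuples seen on at most max_hosts machines: leads to review."""
    return [row for row in bios_stack(conn) if row[0] <= max_hosts]

if __name__ == "__main__":
    conn = load(ROWS)
    print("Hypervisor reported on:", hypervisor_hosts(conn))
    for row in bios_outliers(conn):
        print("Rare BIOS tuple:", row)
```

A rare tuple is only a lead: check it against the vendor's published firmware versions before treating it as a modification.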