
Computer

Tony Phipps edited this page Mar 15, 2018 · 9 revisions

Tactic: Persistence

  • Select HypervisorPresent where HypervisorPresent equal True

Monitor for a hypervisor being present. Note that some rootkits may operate a hypervisor in a way that hides it from the operating system, so when no hypervisor is reported, the result from this tool alone should be considered inconclusive.

Tactic: Persistence

  • Select BIOSInstallDate, BIOSVersion, SMBIOSBIOSVersion, BIOSManufacturer

Monitor for suspicious BIOS properties, which may indicate malicious modification.
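Both queries above can be run as a stacking pass over collected rows. The following is an added example, not part of this wiki or the tool it documents; the `ComputerName` column, the sample values, the allowlist and the rarity threshold are assumptions made for illustration.

```powershell
# Constructed sample of collected rows. ComputerName and every value here are made up.
$rows = @'
ComputerName,HypervisorPresent,BIOSManufacturer,BIOSVersion,SMBIOSBIOSVersion,BIOSInstallDate
WS-001,False,ExampleVendor,EXV - 1072009,1.12.0,
WS-002,False,ExampleVendor,EXV - 1072009,1.12.0,
WS-003,False,ExampleVendor,EXV - 1072009,1.12.0,
WS-004,True,ExampleVendor,EXV - 1072009,1.12.0,
WS-005,False,ExampleVendor,EXV - 1072009,1.09.3,
WS-006,False,,,,
'@ | ConvertFrom-Csv

function Get-ComputerFinding {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [string[]] $ExpectedHypervisorHosts = @(),  # hypothetical allowlist of hosts known to run a hypervisor
        [int] $RareThreshold = 1                    # BIOS combination seen on this many hosts or fewer is flagged
    )
    $biosProps = 'BIOSInstallDate', 'BIOSVersion', 'SMBIOSBIOSVersion', 'BIOSManufacturer'

    # Query 1: HypervisorPresent equal True. CSV values are strings, so compare as text.
    $withHypervisor = $Rows | Where-Object { "$($_.HypervisorPresent)" -eq 'True' }
    foreach ($r in $withHypervisor) {
        if ($r.ComputerName -notin $ExpectedHypervisorHosts) {
            [pscustomobject]@{
                ComputerName = $r.ComputerName
                Finding      = 'HypervisorPresent'
                Detail       = 'hypervisor reported on a host not in the expected list'
            }
        }
    }

    # Query 2: stack the selected BIOS properties and surface the least common combinations.
    # Rows with blank BIOS fields form their own small stack and are surfaced the same way.
    $rareStacks = $Rows | Group-Object -Property $biosProps | Where-Object Count -le $RareThreshold
    foreach ($g in $rareStacks) {
        foreach ($r in $g.Group) {
            [pscustomobject]@{
                ComputerName = $r.ComputerName
                Finding      = 'RareBIOS'
                Detail       = "seen on $($g.Count) host(s): $($g.Name)"
            }
        }
    }
}

# WS-900 is a constructed allowlist entry; WS-004, WS-005 and WS-006 are reported from the sample.
Get-ComputerFinding -Rows $rows -ExpectedHypervisorHosts 'WS-900' | Format-Table -AutoSize
```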
