# PLATFORM HTB
# CTF NAME Operation Blackout 2025: Phantom Check
# DIFFICULTY Very Easy
# CTF LINK https://app.hackthebox.com/sherlocks/Operation%20Blackout%202025:%20Phantom%20Check

Talion suspects that the threat actor carried out anti-virtualization checks to avoid detection in sandboxed environments. Your task is to analyze the event logs and identify the specific techniques used for virtualization detection. Byte Doctor requires evidence of the registry checks or processes the attacker executed to perform these checks.


Which WMI class did the attacker use to retrieve model and manufacturer information for virtualization detection?
  • Found in the Windows-Powershell-Operational logs.
CommandInvocation(Get-WmiObject): "Get-WmiObject"
ParameterBinding(Get-WmiObject): name="Class"; value="Win32_ComputerSystem"
CommandInvocation(Select-Object): "Select-Object"
ParameterBinding(Select-Object): name="ExpandProperty"; value="Model"
ParameterBinding(Select-Object): name="InputObject"; value="\\DESKTOP-M3AKJSD\root\cimv2:Win32_ComputerSystem.Name="DESKTOP-M3AKJSD""
  • The event was logged at 4/9/2025 2:19:10 AM.
  • This is useful as we can assume the next questions have their answer in a later timestamp.
Which WMI query did the attacker execute to retrieve the current temperature value of the machine?
  • Found in Microsoft-Windows-Powershell logs.
Pipeline execution details for command line: Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue.

The attacker loaded a PowerShell script to detect virtualization. What is the function name of the script?
  • Found in Windows-Powershell-Operational logs.
  • Filter by Event ID 4104.
  • Tip: the same event ID also yields the answers to the previous two questions.
Creating Scriptblock text (1 of 1):
Check-VM
ScriptBlock ID: ec01d4f1-b1ad-4a78-af6b-ac18c1131c30

Which registry key did the above script query to retrieve service details for virtualization detection?
  • Found in Windows-Powershell-Operational logs.
  • Remove the filter used above and search for the script's name instead.
  • One of the logs contains the entire script.
  • The answer can be found by reading and understanding its content.
HKLM:\SYSTEM\ControlSet001\Services

The VM detection script can also identify VirtualBox. Which processes is it comparing to determine if the system is running VirtualBox?
  • Same as above; the answer is in the same script.
vboxservice.exe, vboxtray.exe

The VM detection script prints any detection with the prefix ‘This is a’. Which two virtualization platforms did the script detect?
ParameterBinding(Out-Default): name="InputObject"; value="This is a Hyper-V machine."
ParameterBinding(Out-Default): name="InputObject"; value="This is a VMWare machine."
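To turn the indicators collected above into a repeatable triage step, here is an added Python example (not part of the original write-up) that scans exported EID 4104 script-block text for the anti-virtualization indicators this Sherlock surfaces: the Win32_ComputerSystem model query, the MSAcpi_ThermalZoneTemperature query, the ControlSet001\Services registry enumeration, the VirtualBox process names and the "This is a" banner. The record layout and the sample script-block contents are constructed for the example; they are not the actual Check-VM script from the evidence.

```python
import re
from typing import Dict, List

# Anti-VM indicators named in the walkthrough, grouped by technique.
# Matched case-insensitively against the script-block text.
INDICATORS: Dict[str, List[str]] = {
    "wmi_hardware_model": [r"Win32_ComputerSystem"],
    "wmi_thermal_zone": [r"MSAcpi_ThermalZoneTemperature"],
    "registry_services_enum": [r"HKLM:\\SYSTEM\\ControlSet001\\Services"],
    "virtualbox_process_check": [r"vboxservice(\.exe)?", r"vboxtray(\.exe)?"],
    "detection_banner": [r"This is a\b"],
}

# Constructed sample of EID 4104 "Creating Scriptblock text" records (one dict
# per record, shaped like a minimal export). NOT the real Check-VM script.
SAMPLE_4104 = [
    {"time": "2025-04-09T02:19:10",
     "text": "Get-WmiObject -Class Win32_ComputerSystem | Select-Object -ExpandProperty Model"},
    {"time": "2025-04-09T02:19:12",
     "text": 'Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue'},
    {"time": "2025-04-09T02:19:15",
     "text": "function Check-VM {\n"
             "  Get-ChildItem HKLM:\\SYSTEM\\ControlSet001\\Services\n"
             "  Get-Process | Where-Object { $_.Name -in 'vboxservice.exe','vboxtray.exe' }\n"
             "  Write-Output 'This is a VirtualBox machine.'\n}"},
    {"time": "2025-04-09T02:25:00", "text": "Get-Date"},  # benign noise
]


def classify_scriptblock(text: str) -> List[str]:
    """Return the sorted technique names whose indicators appear in text."""
    hits = []
    for technique, patterns in INDICATORS.items():
        if any(re.search(p, text, re.IGNORECASE) for p in patterns):
            hits.append(technique)
    return sorted(hits)


def triage(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Keep only script blocks matching at least one indicator, in time order."""
    flagged = []
    for rec in sorted(records, key=lambda r: r["time"]):
        techniques = classify_scriptblock(rec["text"])
        if techniques:
            flagged.append({"time": rec["time"], "techniques": techniques})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_4104):
        print(hit["time"], ", ".join(hit["techniques"]))
```

Feeding real 4104 exports through `triage` gives the same timeline the questions walk through by hand: the WMI queries first, then the script block that enumerates services and VirtualBox processes.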