analyst security skill risk: medium
Malware Sandbox Evasion Techniques Analyzer
Parses Cuckoo Sandbox or AnyRun behavioral JSON reports to detect timing checks, VM artifacts, user interaction patterns, and environment fingerprinting, then outputs a JSON report…
- Policy sensitive
- Human review
SKILL.md
---
name: analyzing-malware-sandbox-evasion-techniques
description: "Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction"
---

# Analyzing Malware Sandbox Evasion Techniques

## Overview

Sandbox evasion (MITRE ATT&CK T1497) allows malware to detect analysis environments and alter behavior to avoid detection. This skill analyzes behavioral reports from Cuckoo Sandbox and AnyRun for evasion indicators, including timing-based checks (GetTickCount, QueryPerformanceCounter, sleep inflation), VM artifact detection (registry keys, MAC address prefixes, process names like vmtoolsd.exe), user interaction checks (mouse movement, keyboard input), and environment fingerprinting (disk size, CPU count, RAM). Detection rules flag samples exhibiting these behaviors for deeper manual analysis.

## When to Use

- When investigating security incidents that require analyzing malware sandbox evasion techniques
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Cuckoo Sandbox 2.0+ or AnyRun account for behavioral analysis reports
- Python 3.8+ with json library for report parsing
- Behavioral report exports in JSON format

## Steps

1. Parse Cuckoo/AnyRun behavioral report JSON files
2. Extract API call sequences for timing-related functions
3. Identify VM artifact detection via registry queries and WMI calls
4. Detect sleep inflation by comparing requested vs actual sleep durations
5. Flag user interaction checks (GetCursorPos, GetAsyncKeyState patterns)
6. Score evasion sophistication based on technique count and diversity
7. Map detected techniques to MITRE ATT&CK T1497 sub-techniques

## Expected Output

JSON report listing detected evasion techniques with MITRE ATT&CK mapping, API call evidence, evasion sophistication score, and classification of evasion categories (timing, VM detection, user interaction, environment fingerprinting).
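The steps above carried through as one analyzer, added here as an example rather than code shipped with the skill. The report field layout (`behavior.processes[].calls[].api/arguments`), the 60-second sleep-inflation threshold, the artifact string list and the scoring rubric are all assumptions, since the skill leaves the input schema and the formula unspecified; the sample report is constructed.

```python
import json

# Category -> MITRE ATT&CK T1497 sub-technique and the APIs that evidence it.
CATEGORY_RULES = {
    "timing": ("T1497.003", {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter"}),
    "user_interaction": ("T1497.002", {"GetCursorPos", "GetAsyncKeyState", "GetLastInputInfo"}),
    "environment_fingerprinting": ("T1497.001", {"GetSystemInfo", "GlobalMemoryStatusEx", "GetDiskFreeSpaceExW"}),
    "vm_detection": ("T1497.001", set()),  # evidenced by argument strings, not by API name
}
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
SLEEP_INFLATION_MS = 60_000  # assumption: one request of 60 s or more counts as sleep inflation
VM_ARTIFACTS = ("vmware", "vbox", "virtualbox", "vmtoolsd", "qemu", "00:0c:29", "08:00:27")


def analyze_report(report: dict) -> dict:
    """Score one Cuckoo-style behavior report; field layout is assumed, see SAMPLE_REPORT."""
    evidence = {}  # category -> set of evidence strings
    for proc in report.get("behavior", {}).get("processes", []):
        for call in proc.get("calls", []):
            api, args = call.get("api", ""), call.get("arguments") or {}
            for cat, (_, apis) in CATEGORY_RULES.items():
                if api in apis:
                    evidence.setdefault(cat, set()).add(api)
            # Step 4: sleep inflation is a requested delay the sandbox will not wait out.
            if api in SLEEP_APIS and int(args.get("milliseconds", 0)) >= SLEEP_INFLATION_MS:
                evidence.setdefault("timing", set()).add(f"{api}(milliseconds={args['milliseconds']})")
            # Step 3: VM artifacts in registry paths, process names or MAC prefixes.
            hits = [a for a in VM_ARTIFACTS if a in json.dumps(args).lower()]
            if hits:
                evidence.setdefault("vm_detection", set()).add(f"{api}:{','.join(hits)}")
    techniques = [{"category": cat, "technique": CATEGORY_RULES[cat][0], "evidence": sorted(items)}
                  for cat, items in sorted(evidence.items())]
    # Step 6 (assumed rubric): each distinct category counts double, each evidence item once.
    score = 2 * len(evidence) + sum(len(items) for items in evidence.values())
    return {"categories": sorted(evidence), "techniques": techniques, "sophistication_score": score}


# Constructed sample in the simplified Cuckoo 2.x layout assumed above (not a real report).
SAMPLE_REPORT = {"behavior": {"processes": [{"process_name": "sample.exe", "calls": [
    {"api": "GetTickCount", "arguments": {}},
    {"api": "NtDelayExecution", "arguments": {"milliseconds": 300000}},
    {"api": "RegOpenKeyExW", "arguments": {"regkey": "HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools"}},
    {"api": "Process32NextW", "arguments": {"process_name": "vmtoolsd.exe"}},
    {"api": "GetCursorPos", "arguments": {}},
    {"api": "GlobalMemoryStatusEx", "arguments": {}},
]}]}}

if __name__ == "__main__":
    print(json.dumps(analyze_report(SAMPLE_REPORT), indent=2))
```

Real Cuckoo and AnyRun exports name fields differently, so map them onto `api` and `arguments` first; the category rules and scoring then apply unchanged.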
REQUIRED CONTEXT
- Cuckoo Sandbox or AnyRun behavioral report in JSON format
EXPECTED OUTPUT
- Format
- json
- Schema
- json_schema · detected evasion techniques, MITRE ATT&CK mapping, API call evidence, evasion sophistication score, classification of evasion categories
- Constraints
- list detected evasion techniques
- include MITRE ATT&CK mapping
- include API call evidence
- include evasion sophistication score
- classify into timing/VM detection/user interaction/environment fingerprinting
SUCCESS CRITERIA
- Detect sandbox evasion techniques from behavioral reports
- Map techniques to MITRE ATT&CK T1497
- Include API call evidence and sophistication score
CAVEATS
- Dependencies
- Cuckoo Sandbox 2.0+ or AnyRun account for behavioral analysis reports
- Python 3.8+ with json library for report parsing
- Behavioral report exports in JSON format
- Missing context
- Exact schema or field names expected in the input JSON behavioral reports
- Concrete thresholds or examples for classifying technique severity
- Ambiguities
- Scoring method for 'evasion sophistication' is described only at a high level ('based on technique count and diversity') without explicit criteria or formula.
QUALITY
- OVERALL
- 0.79
- CLARITY
- 0.88
- SPECIFICITY
- 0.78
- REUSABILITY
- 0.72
- COMPLETENESS
- 0.81
IMPROVEMENT SUGGESTIONS
- Add an explicit scoring rubric or pseudocode for the sophistication score.
- Include a minimal example of input JSON and corresponding output JSON.
USAGE
Copy the prompt above and paste it into your AI of choice — Claude, ChatGPT, Gemini, or anywhere else you're working. Replace any placeholder sections with your own context, then ask for the output.