https://github.com/justintimperio/sandman
Put sandbox detection to bed. Advanced sandbox detection and evasion for Golang.
- Host: GitHub
- URL: https://github.com/justintimperio/sandman
- Owner: JustinTimperio
- Created: 2021-08-31T00:25:32.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2021-10-03T23:36:21.000Z (over 4 years ago)
- Last Synced: 2025-05-08T23:43:33.709Z (about 1 year ago)
- Language: Go
- Homepage:
- Size: 20.5 KB
- Stars: 8
- Watchers: 1
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Sandman
SandMan is a set of advanced tools for detecting and evading malware analysis sandboxes. Building on the work of ColdFire and VM-Detection, SandMan combines and extends their detection methods into a single toolset for evading sandboxes.
## Why SandMan?
In an effort to give blue-team members better resources, SandMan is a transparent way to test the most effective detection and evasion techniques used by malware today. Additionally, those who build red-team tools will benefit from a fully self-contained evasion and detection module for attack simulations and pen-testing.
## How It Works
SandMan runs a variety of checks and combines their results into a score that represents the likelihood that the OS is running inside a VM.
### Detection
#### Common Checks
- CPU Check
- RAM Check
- Known MAC Address Check
- Time Compression Check
#### Linux VM Detection
- Check DMI Table for VM Entries
- See if Kernel Detects a Hypervisor
- Check for Hypervisor Flag or User Mode Linux
- Check the Device Tree for VM artifacts
- Look for VM Tools in Modules
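The scoring approach and several of the Common and Linux checks listed above, as an added Go example; this is not SandMan's own code. Each check is a pure function over text read from the usual Linux sources (`/sys/class/dmi/id`, `/proc/cpuinfo`, interface hardware addresses, a timed sleep), so the checks can be exercised with constructed inputs, while `main` gathers live inputs from the host and prints a score. The weights, the threshold of 50, the vendor substrings and the OUI list are assumptions of this example; the module, device-tree and CPU/RAM checks from the lists are left out, and nothing here covers the Windows registry checks.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"strings"
	"time"
)

// Check is one detector: its name, the weight it adds to the score when it
// fires, and whether it fired. Weights and threshold are assumptions here.
type Check struct {
	Name   string
	Weight int
	Hit    bool
}

// Score sums the weights of the checks that fired; LikelyVM thresholds it.
func Score(checks []Check) (total int) {
	for _, c := range checks {
		if c.Hit {
			total += c.Weight
		}
	}
	return total
}

func LikelyVM(score int) bool { return score >= 50 }

// Hypervisor vendor substrings seen in /sys/class/dmi/id/{sys_vendor,product_name}.
var vmVendors = []string{"vmware", "virtualbox", "innotek", "qemu", "kvm", "xen", "bochs", "parallels", "virtual machine"}

// DMIHit reports whether any DMI field names a known hypervisor (case-insensitive).
func DMIHit(fields ...string) bool {
	joined := strings.ToLower(strings.Join(fields, "\n"))
	for _, v := range vmVendors {
		if strings.Contains(joined, v) {
			return true
		}
	}
	return false
}

// CPUInfoHit parses /proc/cpuinfo text: guests carry the "hypervisor" CPUID
// flag, and User Mode Linux reports itself as the CPU vendor.
func CPUInfoHit(cpuinfo string) bool {
	for _, line := range strings.Split(cpuinfo, "\n") {
		k, v, _ := strings.Cut(line, ":")
		k, v = strings.TrimSpace(k), strings.TrimSpace(v)
		if k == "vendor_id" && v == "User Mode Linux" {
			return true
		}
		if k == "flags" && strings.Contains(" "+v+" ", " hypervisor ") {
			return true
		}
	}
	return false
}

// OUIs of VMware, VirtualBox, Xen, Parallels, Hyper-V and the QEMU/KVM default.
var vmMACPrefixes = []string{"00:05:69", "00:0c:29", "00:1c:14", "00:50:56", "08:00:27", "00:16:3e", "00:1c:42", "00:15:5d", "52:54:00"}

// MACHit reports whether a hardware address starts with a known VM OUI.
func MACHit(mac string) bool {
	mac = strings.ToLower(strings.ReplaceAll(strings.TrimSpace(mac), "-", ":"))
	for _, p := range vmMACPrefixes {
		if strings.HasPrefix(mac, p) {
			return true
		}
	}
	return false
}

// TimeCompressed: a sandbox that fast-forwards sleeps returns before the
// requested wall time has elapsed; a real kernel never returns early.
func TimeCompressed(requested, observed time.Duration) bool { return observed < requested }

// readOr returns the file's contents, or "" if it cannot be read (non-Linux hosts).
func readOr(path string) string { b, _ := os.ReadFile(path); return string(b) }

func main() {
	macHit := false
	if ifs, err := net.Interfaces(); err == nil {
		for _, i := range ifs {
			macHit = macHit || MACHit(i.HardwareAddr.String())
		}
	}
	start := time.Now()
	time.Sleep(200 * time.Millisecond)
	checks := []Check{
		{"dmi", 40, DMIHit(readOr("/sys/class/dmi/id/sys_vendor"), readOr("/sys/class/dmi/id/product_name"))},
		{"cpuinfo", 30, CPUInfoHit(readOr("/proc/cpuinfo"))},
		{"mac", 25, macHit},
		{"time", 50, TimeCompressed(200*time.Millisecond, time.Since(start))},
	}
	s := Score(checks)
	fmt.Printf("score=%d likelyVM=%v\n", s, LikelyVM(s))
}
```

Keeping each check as a function of its input rather than of the host makes the detector testable on constructed data, which is the property a blue team needs when it wants to confirm that its sandbox does not trip a given check. The DMI and MAC checks are only as good as their string lists, so a sandbox that rewrites `sys_vendor` and assigns a non-vendor OUI will pass them; the CPUID `hypervisor` flag and the sleep-skipping check are harder to hide.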
#### Windows VM Detection
- Checks the Registry for Blacklisted Keys and Vendors
- Checks the Device Tree for VM artifacts
### Evasion