T1497 Virtualization/Sandbox Evasion Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let VMDetectCommands = dynamic(["MSAcpi_ThermalZoneTemperature", "Win32_Fan", "Win32_ComputerSystem", "VMwareHostOpen.exe", "VBoxService", "vmtoolsd", "vmwaretray", "vboxservice", "qemu-ga", "vmusrvc", "vmsrvc"]);
let VMDetectRegistry = dynamic(["HKLM\\SOFTWARE\\VMware", "HKLM\\SOFTWARE\\Oracle\\VirtualBox", "SYSTEM\\CurrentControlSet\\Services\\VBoxGuest", "SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_15AD", "SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_80EE"]);
let SandboxDetectTools = dynamic(["wireshark", "procmon", "procexp", "fiddler", "x64dbg", "x32dbg", "ollydbg", "ida64", "idaq", "windbg", "regmon", "filemon", "autoruns"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (VMDetectCommands)
    or ProcessCommandLine has_any (VMDetectRegistry)
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("MSAcpi_ThermalZoneTemperature", "Win32_Fan", "Win32_ComputerSystem", "Win32_BaseBoard", "Win32_BIOS"))
    or (FileName =~ "reg.exe" and ProcessCommandLine has_any ("VMware", "VirtualBox", "VBoxGuest", "QEMU"))
    or (ProcessCommandLine has "tasklist" and ProcessCommandLine has_any (SandboxDetectTools))
| extend WMICheck = ProcessCommandLine has_any ("MSAcpi_ThermalZoneTemperature", "Win32_Fan", "Win32_ComputerSystem", "Win32_BIOS")
| extend RegistryCheck = ProcessCommandLine has_any ("VMware", "VirtualBox", "VBoxGuest", "QEMU") and FileName =~ "reg.exe"
| extend ProcessScan = ProcessCommandLine has "tasklist" and ProcessCommandLine has_any (SandboxDetectTools)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         WMICheck, RegistryCheck, ProcessScan
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Windows Registry Key Access Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

System administrators running WMI queries for hardware inventory and asset management
IT automation tools (SCCM, Intune, ManageEngine) collecting system hardware information via WMI
Security teams running sandbox detection tests as part of adversary emulation exercises
System monitoring software that queries hardware sensors for health dashboards

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine)
| eval WMIVMCheck=if(match(CommandLine, "(msacpi_thermalzonetemperature|win32_fan|win32_computersystem.*model|win32_bios.*serialnumber|win32_baseboard)") AND match(Image, "(?i)wmic"), 1, 0)
| eval RegistryVMCheck=if(match(CommandLine, "(vmware|virtualbox|vboxguest|qemu|xen|hyper-v)") AND match(Image, "(?i)reg\.exe"), 1, 0)
| eval ProcessScan=if(match(CommandLine, "tasklist") AND match(CommandLine, "(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida|windbg|autoruns|regmon|filemon)"), 1, 0)
| eval VMToolCheck=if(match(CommandLine, "(vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga)"), 1, 0)
| eval SuspicionScore=WMIVMCheck*2 + RegistryVMCheck*2 + ProcessScan*2 + VMToolCheck
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, WMIVMCheck, RegistryVMCheck, ProcessScan, VMToolCheck, SuspicionScore
| sort - _time

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

System administrators running WMI hardware inventory queries
IT automation tools collecting hardware information
Security teams conducting adversary emulation exercises
Hardware monitoring software querying sensors

Elastic Security (EQL)

eql

process where event.type == "start" and (
  (process.name : "wmic.exe" and process.command_line : ("*MSAcpi_ThermalZoneTemperature*", "*Win32_Fan*", "*Win32_ComputerSystem*", "*Win32_BaseBoard*", "*Win32_BIOS*")) or
  (process.name : "reg.exe" and process.command_line : ("*VMware*", "*VirtualBox*", "*VBoxGuest*", "*QEMU*", "*VEN_15AD*", "*VEN_80EE*")) or
  (process.name : "tasklist.exe" and process.command_line : ("*wireshark*", "*procmon*", "*procexp*", "*fiddler*", "*x64dbg*", "*x32dbg*", "*ollydbg*", "*ida64*", "*idaq*", "*windbg*", "*autoruns*", "*regmon*", "*filemon*")) or
  process.name : ("vmtoolsd.exe", "vmwaretray.exe", "vboxservice.exe", "vmusrvc.exe", "vmsrvc.exe", "qemu-ga.exe", "VMwareHostOpen.exe")
)

high severity medium confidence

Data Sources

Windows Sysmon via Elastic Agent Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-*

False Positives

IT administrators running WMIC hardware inventory queries for asset management or capacity planning — particularly Win32_ComputerSystem and Win32_BIOS queries used by SCCM/Intune baselines to classify physical vs virtual endpoints
VMware vSphere or VirtualBox Guest Additions services legitimately executing vmtoolsd.exe or vboxservice.exe as part of normal VM guest operation — create a suppression for known virtual machine hostnames or gold image build pipelines
Security engineers or QA teams running authorized penetration testing tools (x64dbg, IDA, Wireshark) alongside tasklist enumeration checks on sandboxed analyst workstations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS UserName,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentProcess,
  CASE WHEN LOWER("CommandLine") IMATCHES '(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard)' AND LOWER("Image") IMATCHES 'wmic\.exe' THEN 2 ELSE 0 END +
  CASE WHEN LOWER("CommandLine") IMATCHES '(vmware|virtualbox|vboxguest|qemu|ven_15ad|ven_80ee)' AND LOWER("Image") IMATCHES 'reg\.exe' THEN 2 ELSE 0 END +
  CASE WHEN LOWER("CommandLine") IMATCHES 'tasklist' AND LOWER("CommandLine") IMATCHES '(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|windbg|autoruns|regmon|filemon)' THEN 2 ELSE 0 END +
  CASE WHEN LOWER("CommandLine") IMATCHES '(vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga)' THEN 1 ELSE 0 END AS SuspicionScore
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Snare for Windows Sysmon')
  AND "EventID" = 1
  AND (
    LOWER("CommandLine") IMATCHES '(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard|vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga)'
    OR (LOWER("CommandLine") IMATCHES '(vmware|virtualbox|vboxguest|qemu|ven_15ad|ven_80ee)' AND LOWER("Image") IMATCHES 'reg\.exe')
    OR (LOWER("CommandLine") IMATCHES 'tasklist' AND LOWER("CommandLine") IMATCHES '(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|windbg|autoruns|regmon|filemon)')
  )
LAST 24 HOURS

high severity medium confidence

Data Sources

Windows Sysmon (EventID 1 via Snare or WinCollect) Windows Security Event Log (EventID 4688 with enhanced process auditing)

Required Tables

events

False Positives

System administrators using WMIC for routine hardware diagnostics — Win32_BIOS and MSAcpi_ThermalZoneTemperature queries appear in many legitimate hardware monitoring and IPMI management workflows
Dedicated VM hosts running VMware ESXi guest tools or VirtualBox Guest Additions where vmtoolsd.exe and vboxservice.exe are expected resident processes — exclude by CIDR range or asset group for known hypervisor infrastructure
Authorized red team or penetration testing engagements that include VM evasion checks as part of scoped adversary simulation — correlate SuspicionScore spikes with change windows and approved test plans

Sumo Logic CSE

sql

_sourceCategory=*windows*sysmon* EventID=1
| parse regex "(?i)<CommandLine>(?<CommandLine>[^<]+)</CommandLine>"
| parse regex "(?i)<Image>(?<Image>[^<]+)</Image>"
| parse regex "(?i)<ParentImage>(?<ParentImage>[^<]+)</ParentImage>"
| parse regex "(?i)<User>(?<User>[^<]+)</User>"
| parse regex "(?i)<Computer>(?<Computer>[^<]+)</Computer>"
| where CommandLine matches /(?i)(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard|vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga)/
  OR (CommandLine matches /(?i)(vmware|virtualbox|vboxguest|qemu|ven_15ad|ven_80ee)/ AND Image matches /(?i)reg\.exe/)
  OR (CommandLine matches /(?i)tasklist/ AND CommandLine matches /(?i)(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|windbg|autoruns|regmon|filemon)/)
| if(CommandLine matches /(?i)(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard)/ AND Image matches /(?i)wmic\.exe/, 2, 0) as WMIVMCheck
| if(CommandLine matches /(?i)(vmware|virtualbox|vboxguest|qemu|ven_15ad|ven_80ee)/ AND Image matches /(?i)reg\.exe/, 2, 0) as RegistryVMCheck
| if(CommandLine matches /(?i)tasklist/ AND CommandLine matches /(?i)(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|windbg|autoruns|regmon|filemon)/, 2, 0) as ProcessScan
| if(CommandLine matches /(?i)(vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga)/, 1, 0) as VMToolCheck
| WMIVMCheck + RegistryVMCheck + ProcessScan + VMToolCheck as SuspicionScore
| fields _time, Computer, User, Image, CommandLine, ParentImage, WMIVMCheck, RegistryVMCheck, ProcessScan, VMToolCheck, SuspicionScore
| sort by -_time

high severity medium confidence

Data Sources

Windows Sysmon via Sumo Logic Installed Collector (Windows Event Log source, XML format)

Required Tables

_sourceCategory matching windows sysmon operational log path

False Positives

Hardware monitoring agents and out-of-band management software (HPE iLO, Dell DRAC management agents) that legitimately query MSAcpi_ThermalZoneTemperature and Win32_Fan via WMI for thermal monitoring
Automated IT asset discovery and software license management platforms (Flexera, Snow Software) that query Win32_ComputerSystem and Win32_BIOS to differentiate physical vs virtual for license compliance reporting
Developer workstations running Docker Desktop, VirtualBox, or WSL2 alongside security research tools (Wireshark, x64dbg) where both VM tool processes and analysis tools are expected to coexist

Google Chronicle / SecOps

yaral

rule t1497_vm_sandbox_evasion {
  meta:
    author = "Detection Engineering"
    description = "Detects T1497 Virtualization/Sandbox Evasion via WMI hardware queries, VM registry enumeration, and sandbox tool scanning"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1497"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1497/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        $e.target.process.file.basename = /(?i)wmic\.exe/ and
        $e.target.process.command_line = /(?i)(MSAcpi_ThermalZoneTemperature|Win32_Fan|Win32_ComputerSystem|Win32_BaseBoard|Win32_BIOS)/
      ) or
      (
        $e.target.process.file.basename = /(?i)reg\.exe/ and
        $e.target.process.command_line = /(?i)(VMware|VirtualBox|VBoxGuest|QEMU|VEN_15AD|VEN_80EE)/
      ) or
      (
        $e.target.process.command_line = /(?i)tasklist/ and
        $e.target.process.command_line = /(?i)(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg|autoruns|regmon|filemon)/
      ) or
      $e.target.process.file.basename = /(?i)(vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga|VMwareHostOpen)\.exe/
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Chronicle UDM via Google SecOps Windows endpoint telemetry ingested via Chronicle Forwarder or third-party EDR UDM normalization

Required Tables

UDM PROCESS_LAUNCH events with target.process.file.basename and target.process.command_line populated

False Positives

VMware ESXi or Workstation host management consoles spawning VMwareHostOpen.exe or vmtoolsd.exe as part of authorized guest VM lifecycle operations — add exclusion rule matching principal.hostname against known hypervisor host inventory
Enterprise software packaging and deployment systems (Microsoft SCCM task sequences, Intune Win32 app wrappers) that call wmic.exe to query Win32_ComputerSystem model and Win32_BIOS serial number for hardware-targeted deployment logic
Security awareness training platforms or malware detonation sandboxes that run commodity malware samples as part of controlled exercises — these will trigger all four detection categories simultaneously and at high frequency from known sandbox hostnames

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| CommandLine = *
| lower(CommandLine) = cmdLine
| lower(ImageFileName) = imgName
| wmiVMCheck := if(cmdLine = /(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard)/ and imgName = /wmic\.exe/, 2, 0)
| regVMCheck := if(cmdLine = /(vmware|virtualbox|vboxguest|qemu|ven_15ad|ven_80ee)/ and imgName = /reg\.exe/, 2, 0)
| procScan := if(cmdLine = /tasklist/ and cmdLine = /(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg|autoruns|regmon|filemon)/, 2, 0)
| vmToolCheck := if(cmdLine = /(vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga)/, 1, 0)
| suspicionScore := wmiVMCheck + regVMCheck + procScan + vmToolCheck
| suspicionScore > 0
| select([timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, wmiVMCheck, regVMCheck, procScan, vmToolCheck, suspicionScore])
| sort(suspicionScore, order=desc, limit=1000)

high severity high confidence

Data Sources

CrowdStrike Falcon EDR — ProcessRollup2 events via Falcon sensor telemetry

Required Tables

ProcessRollup2 events streamed via Falcon Data Replicator or Humio/LogScale Falcon connector

False Positives

CrowdStrike Falcon sensor itself or competing EDR agents may internally invoke wmic.exe to query Win32_ComputerSystem for device fingerprinting — filter by ParentBaseFileName matching known security tool parent process names
Software installation wrappers (NSIS, InstallShield, WiX installers) that query Win32_ComputerSystem model or Win32_BIOS serial number to gate license validation or detect virtual lab environments for trial enforcement
Cloud VM provisioning and image baking pipelines (Packer, Terraform provisioners) that query Hyper-V and VMware registry keys to configure OS-level tuning for virtualized workloads — suppress by ComputerName prefix matching known build agent naming conventions

Virtualization/Sandbox Evasion

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (3)

Same Tactic: Defense Evasion

Popular Detections