T1497.001

System Checks

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. Checks may include WMI queries for BIOS manufacturer, system model, temperature sensors, and fan hardware; registry queries for VMware/VirtualBox/QEMU/Hyper-V keys; file system checks for VM guest tools and drivers; hardware enumeration for VM-specific PCI vendor IDs; process enumeration for analysis and monitoring tools; and CPU core count / memory / disk size validation. Malware families including GravityRAT, Lumma Stealer, Bumblebee, QakBot, DarkTortilla, and FinFisher use extensive system checks before executing their core payloads.

Microsoft Sentinel / Defender

kusto

let WMIVMQueries = dynamic(["MSAcpi_ThermalZoneTemperature", "Win32_Fan", "Win32_ComputerSystem", "Win32_BIOS", "Win32_BaseBoard", "Win32_DiskDrive", "Win32_PhysicalMemory", "Win32_Processor", "Win32_VideoController"]);
let VMRegistryPaths = dynamic(["VMware", "VirtualBox", "VBoxGuest", "QEMU", "Xen", "Hyper-V", "Red Hat VirtIO", "VEN_15AD", "VEN_80EE", "VEN_1AB8"]);
let VMDriverFiles = dynamic(["VBoxMouse.sys", "VBoxGuest.sys", "VBoxSF.sys", "vmhgfs.sys", "vmmouse.sys", "vmci.sys", "vboxdisp.dll", "vmGuestLib.dll"]);
let AnalysisTools = dynamic(["wireshark", "procmon", "procexp", "processhacker", "fiddler", "x64dbg", "x32dbg", "ollydbg", "ida64", "idaq", "windbg", "autoruns", "tcpdump", "dumpcap", "regmon", "filemon", "pestudio", "dnspy"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (FileName =~ "wmic.exe" and ProcessCommandLine has_any (WMIVMQueries))
    or (FileName =~ "reg.exe" and ProcessCommandLine has_any (VMRegistryPaths))
    or (FileName in~ ("cmd.exe", "powershell.exe") and ProcessCommandLine has_any (VMDriverFiles))
    or (ProcessCommandLine has_any ("tasklist", "Get-Process") and ProcessCommandLine has_any (AnalysisTools))
    or (FileName =~ "systeminfo.exe" and InitiatingProcessFileName !in~ ("cmd.exe", "explorer.exe", "svchost.exe"))
    or ProcessCommandLine has_any ("VMwareHostOpen.exe", "HKLM\\SOFTWARE\\VMware", "Win32_ComputerSystem WHERE Model", "NumberOfCores", "TotalPhysicalMemory")
| extend WMICheck = FileName =~ "wmic.exe" and ProcessCommandLine has_any (WMIVMQueries)
| extend RegistryCheck = FileName =~ "reg.exe" and ProcessCommandLine has_any (VMRegistryPaths)
| extend DriverCheck = ProcessCommandLine has_any (VMDriverFiles)
| extend ToolScan = ProcessCommandLine has_any ("tasklist", "Get-Process") and ProcessCommandLine has_any (AnalysisTools)
| extend HardwareCheck = ProcessCommandLine has_any ("NumberOfCores", "TotalPhysicalMemory", "Win32_DiskDrive", "Win32_VideoController")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         WMICheck, RegistryCheck, DriverCheck, ToolScan, HardwareCheck
| sort by Timestamp desc

medium severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Windows Registry: Windows Registry Key Access Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

IT asset management tools (SCCM, Intune, ManageEngine, Lansweeper) running WMI hardware inventory queries
System monitoring software collecting hardware sensor data for dashboards
Endpoint security products performing hardware fingerprinting during enrollment
Developers or QA teams running system information checks in VM test environments

Elastic Security (EQL)

eql

process where event.type == "start" and (
  (
    process.name : "wmic.exe" and
    process.command_line : (
      "*MSAcpi_ThermalZoneTemperature*", "*Win32_Fan*", "*Win32_ComputerSystem*",
      "*Win32_BIOS*", "*Win32_BaseBoard*", "*Win32_DiskDrive*",
      "*Win32_PhysicalMemory*", "*Win32_Processor*", "*Win32_VideoController*"
    )
  ) or
  (
    process.name : "reg.exe" and
    process.command_line : (
      "*VMware*", "*VirtualBox*", "*VBoxGuest*", "*QEMU*",
      "*Xen*", "*Hyper-V*", "*VEN_15AD*", "*VEN_80EE*", "*VEN_1AB8*"
    )
  ) or
  process.command_line : (
    "*VBoxMouse.sys*", "*VBoxGuest.sys*", "*VBoxSF.sys*",
    "*vmhgfs.sys*", "*vmmouse.sys*", "*vmci.sys*",
    "*vboxdisp.dll*", "*vmGuestLib.dll*"
  ) or
  (
    process.command_line : ("*tasklist*", "*Get-Process*") and
    process.command_line : (
      "*wireshark*", "*procmon*", "*procexp*", "*processhacker*",
      "*fiddler*", "*x64dbg*", "*x32dbg*", "*ollydbg*", "*ida64*",
      "*idaq*", "*windbg*", "*autoruns*", "*tcpdump*", "*dumpcap*",
      "*pestudio*", "*dnspy*"
    )
  ) or
  (
    process.name : "systeminfo.exe" and
    not process.parent.name : ("cmd.exe", "explorer.exe", "svchost.exe")
  ) or
  process.command_line : (
    "*NumberOfCores*", "*TotalPhysicalMemory*",
    "*VMwareHostOpen.exe*", "*Win32_ComputerSystem WHERE Model*"
  )
)

high severity high confidence

Data Sources

Elastic Endpoint Security Windows Sysmon via Elastic Agent Elastic Defend (endpoint.events.process)

Required Tables

logs-endpoint.events.process-* logs-windows.sysmon_operational-* winlogbeat-*

False Positives

IT asset management platforms such as SCCM, Tanium, Lansweeper, and ManageEngine routinely query Win32_ComputerSystem, Win32_BIOS, and Win32_Processor for hardware inventory — tune by excluding known management process parent names or source hostnames.
VMware vSphere management agents and VMware Tools updaters may legitimately query VMware registry keys and call VMwareHostOpen.exe as part of guest tools maintenance; baseline these by host and parent process.
Security engineers and analysts running manual triage may invoke wmic, systeminfo, or tasklist with analysis tool names during incident response; correlate with change tickets or known analyst workstations before escalating.
Software deployment automation (Chocolatey, Ansible WinRM, Puppet) may call systeminfo.exe or wmic to validate hardware prerequisites before installing packages, often spawned from non-standard parent processes.
Hypervisor self-check scripts in developer and QA environments frequently enumerate NumberOfCores and TotalPhysicalMemory to enforce minimum resource requirements before running build pipelines.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  sourceip AS "Source IP",
  username AS "Username",
  "ProcessPath" AS "Process Image",
  "CommandLine" AS "Command Line",
  "ParentProcessPath" AS "Parent Image",
  CASE
    WHEN LOWER("ProcessPath") LIKE '%wmic%'
      AND (LOWER("CommandLine") LIKE '%msacpi_thermalzone%'
           OR LOWER("CommandLine") LIKE '%win32_fan%'
           OR LOWER("CommandLine") LIKE '%win32_computersystem%'
           OR LOWER("CommandLine") LIKE '%win32_bios%'
           OR LOWER("CommandLine") LIKE '%win32_baseboard%'
           OR LOWER("CommandLine") LIKE '%win32_diskdrive%'
           OR LOWER("CommandLine") LIKE '%win32_physicalmemory%'
           OR LOWER("CommandLine") LIKE '%win32_processor%'
           OR LOWER("CommandLine") LIKE '%win32_videocontroller%')
      THEN 2 ELSE 0
  END +
  CASE
    WHEN LOWER("ProcessPath") LIKE '%reg.exe%'
      AND (LOWER("CommandLine") LIKE '%vmware%'
           OR LOWER("CommandLine") LIKE '%virtualbox%'
           OR LOWER("CommandLine") LIKE '%vboxguest%'
           OR LOWER("CommandLine") LIKE '%qemu%'
           OR LOWER("CommandLine") LIKE '%xen%'
           OR LOWER("CommandLine") LIKE '%hyper-v%'
           OR LOWER("CommandLine") LIKE '%ven_15ad%'
           OR LOWER("CommandLine") LIKE '%ven_80ee%'
           OR LOWER("CommandLine") LIKE '%ven_1ab8%')
      THEN 2 ELSE 0
  END +
  CASE
    WHEN LOWER("CommandLine") LIKE '%vboxmouse.sys%'
      OR LOWER("CommandLine") LIKE '%vboxguest.sys%'
      OR LOWER("CommandLine") LIKE '%vboxsf.sys%'
      OR LOWER("CommandLine") LIKE '%vmhgfs.sys%'
      OR LOWER("CommandLine") LIKE '%vmmouse.sys%'
      OR LOWER("CommandLine") LIKE '%vmci.sys%'
      OR LOWER("CommandLine") LIKE '%vboxdisp.dll%'
      OR LOWER("CommandLine") LIKE '%vmguestlib.dll%'
      THEN 2 ELSE 0
  END +
  CASE
    WHEN (LOWER("CommandLine") LIKE '%tasklist%' OR LOWER("CommandLine") LIKE '%get-process%')
      AND (LOWER("CommandLine") LIKE '%wireshark%'
           OR LOWER("CommandLine") LIKE '%procmon%'
           OR LOWER("CommandLine") LIKE '%procexp%'
           OR LOWER("CommandLine") LIKE '%processhacker%'
           OR LOWER("CommandLine") LIKE '%fiddler%'
           OR LOWER("CommandLine") LIKE '%x64dbg%'
           OR LOWER("CommandLine") LIKE '%ollydbg%'
           OR LOWER("CommandLine") LIKE '%windbg%'
           OR LOWER("CommandLine") LIKE '%pestudio%'
           OR LOWER("CommandLine") LIKE '%dnspy%')
      THEN 2 ELSE 0
  END +
  CASE
    WHEN (LOWER("CommandLine") LIKE '%numberofcores%'
          OR LOWER("CommandLine") LIKE '%totalphysicalmemory%'
          OR LOWER("CommandLine") LIKE '%vmwarehostopen%')
      AND LOWER("ProcessPath") NOT LIKE '%sccm%'
      AND LOWER("ProcessPath") NOT LIKE '%manageengine%'
      THEN 1 ELSE 0
  END AS "SuspicionScore",
  CATEGORYNAME(category) AS "Category"
FROM events
WHERE
  LOGSOURCETYPEID IN (119, 143, 382)
  AND QIDNAME(qid) IN ('Process Create', 'Process Opened', 'Windows Process Created')
  AND (
    (LOWER("ProcessPath") LIKE '%wmic%' AND (
      LOWER("CommandLine") LIKE '%msacpi_thermalzone%' OR
      LOWER("CommandLine") LIKE '%win32_fan%' OR
      LOWER("CommandLine") LIKE '%win32_computersystem%' OR
      LOWER("CommandLine") LIKE '%win32_bios%' OR
      LOWER("CommandLine") LIKE '%win32_diskdrive%' OR
      LOWER("CommandLine") LIKE '%win32_physicalmemory%' OR
      LOWER("CommandLine") LIKE '%win32_videocontroller%'
    )) OR
    (LOWER("ProcessPath") LIKE '%reg.exe%' AND (
      LOWER("CommandLine") LIKE '%vmware%' OR
      LOWER("CommandLine") LIKE '%virtualbox%' OR
      LOWER("CommandLine") LIKE '%vboxguest%' OR
      LOWER("CommandLine") LIKE '%qemu%' OR
      LOWER("CommandLine") LIKE '%hyper-v%' OR
      LOWER("CommandLine") LIKE '%ven_15ad%' OR
      LOWER("CommandLine") LIKE '%ven_80ee%'
    )) OR
    LOWER("CommandLine") LIKE '%vboxmouse.sys%' OR
    LOWER("CommandLine") LIKE '%vboxguest.sys%' OR
    LOWER("CommandLine") LIKE '%vmhgfs.sys%' OR
    LOWER("CommandLine") LIKE '%vmmouse.sys%' OR
    LOWER("CommandLine") LIKE '%vmci.sys%' OR
    LOWER("CommandLine") LIKE '%vboxdisp.dll%' OR
    LOWER("CommandLine") LIKE '%vmguestlib.dll%' OR
    ((LOWER("CommandLine") LIKE '%tasklist%' OR LOWER("CommandLine") LIKE '%get-process%') AND (
      LOWER("CommandLine") LIKE '%wireshark%' OR
      LOWER("CommandLine") LIKE '%procmon%' OR
      LOWER("CommandLine") LIKE '%x64dbg%' OR
      LOWER("CommandLine") LIKE '%ollydbg%' OR
      LOWER("CommandLine") LIKE '%pestudio%' OR
      LOWER("CommandLine") LIKE '%dnspy%'
    )) OR
    LOWER("CommandLine") LIKE '%numberofcores%' OR
    LOWER("CommandLine") LIKE '%totalphysicalmemory%' OR
    LOWER("CommandLine") LIKE '%vmwarehostopen%'
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity high confidence

Data Sources

IBM QRadar SIEM with Windows Sysmon DSM QRadar with Microsoft Windows Security Event Log DSM QRadar Universal DSM for Windows Event Forwarding

Required Tables

events (QRadar normalized event store) Sysmon Event ID 1 (Process Create) — LOGSOURCETYPEID 119 Windows Security Event ID 4688 — LOGSOURCETYPEID 143

False Positives

SCCM/MECM hardware inventory cycles use wmic.exe to collect Win32_Processor, Win32_BIOS, and Win32_DiskDrive at scheduled intervals — exclude by adding LOGSOURCENAME filter or a known-good host reference set for managed endpoints.
Virtual machine host managers (VMware vCenter agents, Hyper-V host agents) running on hypervisor management VMs will frequently query VMware and Hyper-V registry paths during health checks; create a QRadar reference set of authorised management hosts to suppress.
Enterprise monitoring agents (Zabbix, Nagios, Datadog) may execute systeminfo or wmic for performance baseline collection; verify against the asset classification database before generating offenses.
Security scanner agents (Qualys Cloud Agent, Rapid7 Insight Agent) enumerate hardware details including NumberOfCores and TotalPhysicalMemory as part of authenticated vulnerability scans — correlate event timing against scheduled scan windows.

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog*)
| where EventID=1 OR EventID=4688
| parse regex "(?i)Image=(?<Image>[^\n\r]+)" nodrop
| parse regex "(?i)CommandLine=(?<CommandLine>[^\n\r]+)" nodrop
| parse regex "(?i)ParentImage=(?<ParentImage>[^\n\r]+)" nodrop
| parse regex "(?i)User=(?<User>[^\n\r]+)" nodrop
| where !(isNull(CommandLine))
| eval cmd = toLowerCase(CommandLine)
| eval img = toLowerCase(Image)
| eval parentimg = toLowerCase(ParentImage)
// WMI VM Hardware Queries
| eval WMIVMCheck = if(
    matches(img, ".*wmic.*") AND
    matches(cmd, "(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard|win32_diskdrive|win32_physicalmemory|win32_processor|win32_videocontroller)"),
    2, 0)
// Registry VM Key Enumeration
| eval RegistryVMCheck = if(
    matches(img, ".*reg\\.exe.*") AND
    matches(cmd, "(vmware|virtualbox|vboxguest|qemu|xen|hyper-v|ven_15ad|ven_80ee|ven_1ab8)"),
    2, 0)
// VM Guest Driver File References
| eval DriverFileCheck = if(
    matches(cmd, "(vboxmouse\\.sys|vboxguest\\.sys|vboxsf\\.sys|vmhgfs\\.sys|vmmouse\\.sys|vmci\\.sys|vboxdisp\\.dll|vmguestlib\\.dll)"),
    2, 0)
// Analysis Tool Process Enumeration
| eval AnalysisToolScan = if(
    matches(cmd, "(tasklist|get-process)") AND
    matches(cmd, "(wireshark|procmon|procexp|processhacker|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg|autoruns|tcpdump|dumpcap|pestudio|dnspy)"),
    2, 0)
// Hardware Fingerprinting
| eval HardwareCheck = if(
    matches(cmd, "(numberofcores|totalphysicalmemory|vmwarehostopen|win32_diskdrive|win32_videocontroller)") AND
    !matches(img, "(sccm|manageengine|lansweeper|intune|tanium)"),
    1, 0)
// Suspicious systeminfo spawned from non-standard parent
| eval SysinfoAnomalous = if(
    matches(img, ".*systeminfo.*") AND
    !matches(parentimg, "(cmd\\.exe|explorer\\.exe|svchost\\.exe)"),
    1, 0)
| eval SuspicionScore = WMIVMCheck + RegistryVMCheck + DriverFileCheck + AnalysisToolScan + HardwareCheck + SysinfoAnomalous
| where SuspicionScore > 0
| fields _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, WMIVMCheck, RegistryVMCheck, DriverFileCheck, AnalysisToolScan, HardwareCheck, SysinfoAnomalous, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Windows Sysmon source (Event ID 1) Sumo Logic Windows Event Log source (Event ID 4688 with command line auditing enabled) Sumo Logic Cloud SIEM with Windows normalized schema

Required Tables

_sourceCategory matching *windows*sysmon* for Sysmon EventID 1 _sourceCategory matching *wineventlog* for Security EventID 4688 Process command-line auditing must be enabled via Group Policy or Sysmon config

False Positives

IT asset discovery tools (Lansweeper, Spiceworks, PDQ Inventory) run scheduled wmic.exe queries against Win32_ComputerSystem, Win32_BIOS, and Win32_Processor — create an allowlist field extraction rule scoping to known discovery service accounts.
VMware Tools and VirtualBox Guest Additions silently reference their own registry paths and driver files during version checks and upgrades; baseline by correlating with known VM hostname patterns and the VBoxService or VMwareService parent process.
Red team exercises and authorised penetration testing engagements will trigger WMI and registry checks during host enumeration; correlate with approved testing windows and source IP ranges before escalating.
Windows Defender ATP and CrowdStrike Falcon sensor processes query hardware information including NumberOfCores and TotalPhysicalMemory during sensor health reporting — exclude endpoint security agent process names from the HardwareCheck branch.

Google Chronicle / SecOps

yaral

rule t1497_001_virtualization_sandbox_evasion_checks {
  meta:
    author = "Detection Engineering"
    description = "Detects T1497.001 - Adversary system checks to detect virtualization and analysis environments. Covers WMI hardware class queries, VM registry key enumeration, VM guest driver file references, analysis tool scanning, hardware fingerprinting, and anomalous systeminfo execution."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1497.001"
    mitre_attack_subtechnique = "System Checks"
    platforms = "Windows"
    false_positives = "IT asset management, VMware Tools, SCCM hardware inventory"
    version = "1.0"
    created = "2026-04-14"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.command_line = $cmdline
    $e.target.process.file.full_path = $imgpath

    (
      // Branch 1: wmic.exe querying VM-indicative WMI hardware classes
      (
        re.regex($e.target.process.file.full_path, `(?i)\\wmic\.exe$`) and
        re.regex($e.target.process.command_line,
          `(?i)(MSAcpi_ThermalZoneTemperature|Win32_Fan|Win32_ComputerSystem|Win32_BIOS|Win32_BaseBoard|Win32_DiskDrive|Win32_PhysicalMemory|Win32_Processor|Win32_VideoController)`)
      ) or
      // Branch 2: reg.exe querying VM-specific registry paths
      (
        re.regex($e.target.process.file.full_path, `(?i)\\reg\.exe$`) and
        re.regex($e.target.process.command_line,
          `(?i)(VMware|VirtualBox|VBoxGuest|QEMU|Xen|Hyper-V|VEN_15AD|VEN_80EE|VEN_1AB8)`)
      ) or
      // Branch 3: Any process referencing VM guest driver filenames
      re.regex($e.target.process.command_line,
        `(?i)(VBoxMouse\.sys|VBoxGuest\.sys|VBoxSF\.sys|vmhgfs\.sys|vmmouse\.sys|vmci\.sys|vboxdisp\.dll|vmGuestLib\.dll)`) or
      // Branch 4: tasklist/Get-Process filtered for known analysis and debug tools
      (
        re.regex($e.target.process.command_line, `(?i)(tasklist|Get-Process)`) and
        re.regex($e.target.process.command_line,
          `(?i)(wireshark|procmon|procexp|processhacker|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg|autoruns|tcpdump|dumpcap|regmon|filemon|pestudio|dnspy)`)
      ) or
      // Branch 5: Hardware fingerprinting commands
      re.regex($e.target.process.command_line,
        `(?i)(NumberOfCores|TotalPhysicalMemory|VMwareHostOpen\.exe|Win32_ComputerSystem WHERE Model)`) or
      // Branch 6: systeminfo.exe with anomalous parent process
      (
        re.regex($e.target.process.file.full_path, `(?i)\\systeminfo\.exe$`) and
        not re.regex($e.principal.process.file.full_path,
          `(?i)(\\cmd\.exe$|\\explorer\.exe$|\\svchost\.exe$|\\powershell\.exe$)`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle with Windows Sysmon UDM ingestion Chronicle with Microsoft Defender for Endpoint process telemetry Chronicle with Windows Security Event Log (Event ID 4688) via Bindplane or Cribl

Required Tables

UDM events of type PROCESS_LAUNCH target.process.command_line must be populated (requires Sysmon or MDE) principal.process.file.full_path for parent process filtering on Branch 6

False Positives

Automated hardware asset inventory scanning (SCCM, Tanium, Qualys) regularly executes wmic.exe Win32_ComputerSystem and Win32_Processor queries; exclude known management endpoints by adding a NOT condition on principal.hostname matching an IOC list of authorised management servers.
VMware vSphere/ESXi guest tools (vmtoolsd.exe, VMwareService.exe) query VMware registry keys during service startup and self-update checks; suppress by excluding the VMware Tools installation path in target.process.file.full_path.
Security operations engineers running manual host triage with process listing tools (Sysinternals Process Explorer, Process Hacker) will trigger the analysis tool scanning branch — correlate with analyst user accounts or workstation hostnames before creating a case.
Build and CI pipeline agents running on cloud VMs may enumerate NumberOfCores and TotalPhysicalMemory to size job execution; tie to known CI service accounts (e.g. jenkins, gitlab-runner) to create a suppression rule.

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\wmic\.exe|\\reg\.exe|\\systeminfo\.exe|\\cmd\.exe|\\powershell\.exe|\\pwsh\.exe)$/
| CommandLine = /(?i)(MSAcpi_ThermalZoneTemperature|Win32_Fan|Win32_ComputerSystem|Win32_BIOS|Win32_BaseBoard|Win32_DiskDrive|Win32_PhysicalMemory|Win32_Processor|Win32_VideoController|VMware|VirtualBox|VBoxGuest|QEMU|Xen|Hyper-V|VEN_15AD|VEN_80EE|VEN_1AB8|VBoxMouse\.sys|VBoxGuest\.sys|VBoxSF\.sys|vmhgfs\.sys|vmmouse\.sys|vmci\.sys|vboxdisp\.dll|vmGuestLib\.dll|NumberOfCores|TotalPhysicalMemory|VMwareHostOpen\.exe|wireshark|procmon|procexp|processhacker|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg|autoruns|tcpdump|dumpcap|pestudio|dnspy)/
// Categorise each match
| WMIVMCheck := if(
    ImageFileName = /(?i)\\wmic\.exe$/ AND
    CommandLine = /(?i)(MSAcpi_ThermalZoneTemperature|Win32_Fan|Win32_ComputerSystem|Win32_BIOS|Win32_BaseBoard|Win32_DiskDrive|Win32_PhysicalMemory|Win32_Processor|Win32_VideoController)/,
    "true", "false")
| RegistryVMCheck := if(
    ImageFileName = /(?i)\\reg\.exe$/ AND
    CommandLine = /(?i)(VMware|VirtualBox|VBoxGuest|QEMU|Xen|Hyper-V|VEN_15AD|VEN_80EE|VEN_1AB8)/,
    "true", "false")
| DriverFileCheck := if(
    CommandLine = /(?i)(VBoxMouse\.sys|VBoxGuest\.sys|VBoxSF\.sys|vmhgfs\.sys|vmmouse\.sys|vmci\.sys|vboxdisp\.dll|vmGuestLib\.dll)/,
    "true", "false")
| AnalysisToolScan := if(
    CommandLine = /(?i)(tasklist|Get-Process)/ AND
    CommandLine = /(?i)(wireshark|procmon|procexp|processhacker|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg|autoruns|tcpdump|dumpcap|pestudio|dnspy)/,
    "true", "false")
| HardwareCheck := if(
    CommandLine = /(?i)(NumberOfCores|TotalPhysicalMemory|VMwareHostOpen\.exe)/ AND
    ImageFileName != /(?i)(manageengine|lansweeper|sccm)/,
    "true", "false")
// Score: count true flags as numeric
| SuspicionScore := (if(WMIVMCheck=="true", 2, 0)) +
                    (if(RegistryVMCheck=="true", 2, 0)) +
                    (if(DriverFileCheck=="true", 2, 0)) +
                    (if(AnalysisToolScan=="true", 2, 0)) +
                    (if(HardwareCheck=="true", 1, 0))
| SuspicionScore > 0
| table(
    [@timestamp, ComputerName, UserName, ImageFileName, CommandLine,
     ParentBaseFileName, WMIVMCheck, RegistryVMCheck, DriverFileCheck,
     AnalysisToolScan, HardwareCheck, SuspicionScore],
    sortby="@timestamp", order="desc"
  )

high severity high confidence

Data Sources

CrowdStrike Falcon Insight EDR — ProcessRollup2 events CrowdStrike LogScale (Humio) SIEM ingesting Falcon event stream Falcon Data Replicator (FDR) feeding LogScale with process telemetry

Required Tables

ProcessRollup2 (#event_simpleName=ProcessRollup2) Falcon sensor policy must have 'Full command line capture' and 'Script-based execution monitoring' enabled CommandLine field must be populated — verify with: #event_simpleName=ProcessRollup2 | groupBy(ImageFileName, limit=10)

False Positives

CrowdStrike Falcon sensor self-diagnostics and CrowdStrike update processes may query NumberOfCores and system hardware as part of sensor telemetry collection — exclude by filtering on CrowdStrike's own process paths (e.g., ParentBaseFileName containing 'CSFalcon' or 'CrowdStrike').
Microsoft Endpoint Configuration Manager (MECM/SCCM) hardware inventory client actions execute wmic.exe queries against Win32_Processor, Win32_BIOS, and Win32_PhysicalMemory on a scheduled basis; create a LogScale saved query to baseline SCCM host inventory timing and suppress.
Virtual desktop infrastructure (VDI) golden image creation processes often enumerate VM hardware to detect VirtualBox or VMware for driver optimisation during OS provisioning — correlate with known VDI build hosts and provisioning service accounts.
Forensic and incident response analysts using Sysinternals Autoruns, Process Explorer, or x64dbg during active investigations will trigger the AnalysisToolScan branch; establish an analyst workstation group in Falcon host management to suppress these hosts during declared IR windows.

Last updated: 2026-04-14 Research depth: deep

References (6)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1497.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

System Checks

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections