T1497.001 Google Chronicle · YARA-L

Detect System Checks in Google Chronicle

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. Checks may include WMI queries for BIOS manufacturer, system model, temperature sensors, and fan hardware; registry queries for VMware/VirtualBox/QEMU/Hyper-V keys; file system checks for VM guest tools and drivers; hardware enumeration for VM-specific PCI vendor IDs; process enumeration for analysis and monitoring tools; and CPU core count / memory / disk size validation. Malware families including GravityRAT, Lumma Stealer, Bumblebee, QakBot, DarkTortilla, and FinFisher use extensive system checks before executing their core payloads.

MITRE ATT&CK

Tactic: Defense Evasion, Discovery
Technique: T1497 Virtualization/Sandbox Evasion
Sub-technique: T1497.001 System Checks
Canonical reference: https://attack.mitre.org/techniques/T1497/001/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule t1497_001_virtualization_sandbox_evasion_checks {
  meta:
    author = "Detection Engineering"
    description = "Detects T1497.001 - Adversary system checks to detect virtualization and analysis environments. Covers WMI hardware class queries, VM registry key enumeration, VM guest driver file references, analysis tool scanning, hardware fingerprinting, and anomalous systeminfo execution."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1497.001"
    mitre_attack_subtechnique = "System Checks"
    platforms = "Windows"
    false_positives = "IT asset management, VMware Tools, SCCM hardware inventory"
    version = "1.0"
    created = "2026-04-14"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.command_line = $cmdline
    $e.target.process.file.full_path = $imgpath

    (
      // Branch 1: wmic.exe querying VM-indicative WMI hardware classes
      (
        re.regex($e.target.process.file.full_path, `(?i)\\wmic\.exe$`) and
        re.regex($e.target.process.command_line,
          `(?i)(MSAcpi_ThermalZoneTemperature|Win32_Fan|Win32_ComputerSystem|Win32_BIOS|Win32_BaseBoard|Win32_DiskDrive|Win32_PhysicalMemory|Win32_Processor|Win32_VideoController)`)
      ) or
      // Branch 2: reg.exe querying VM-specific registry paths
      (
        re.regex($e.target.process.file.full_path, `(?i)\\reg\.exe$`) and
        re.regex($e.target.process.command_line,
          `(?i)(VMware|VirtualBox|VBoxGuest|QEMU|Xen|Hyper-V|VEN_15AD|VEN_80EE|VEN_1AB8)`)
      ) or
      // Branch 3: Any process referencing VM guest driver filenames
      re.regex($e.target.process.command_line,
        `(?i)(VBoxMouse\.sys|VBoxGuest\.sys|VBoxSF\.sys|vmhgfs\.sys|vmmouse\.sys|vmci\.sys|vboxdisp\.dll|vmGuestLib\.dll)`) or
      // Branch 4: tasklist/Get-Process filtered for known analysis and debug tools
      (
        re.regex($e.target.process.command_line, `(?i)(tasklist|Get-Process)`) and
        re.regex($e.target.process.command_line,
          `(?i)(wireshark|procmon|procexp|processhacker|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg|autoruns|tcpdump|dumpcap|regmon|filemon|pestudio|dnspy)`)
      ) or
      // Branch 5: Hardware fingerprinting commands
      re.regex($e.target.process.command_line,
        `(?i)(NumberOfCores|TotalPhysicalMemory|VMwareHostOpen\.exe|Win32_ComputerSystem WHERE Model)`) or
      // Branch 6: systeminfo.exe with anomalous parent process
      (
        re.regex($e.target.process.file.full_path, `(?i)\\systeminfo\.exe$`) and
        not re.regex($e.principal.process.file.full_path,
          `(?i)(\\cmd\.exe$|\\explorer\.exe$|\\svchost\.exe$|\\powershell\.exe$)`)
      )
    )

  condition:
    $e
}
```

Chronicle YARA-L 2.0 rule detecting T1497.001 virtualisation and sandbox awareness checks using UDM PROCESS_LAUNCH events. Six detection branches cover the full technique scope: WMI hardware class enumeration via wmic.exe, VM-specific registry path queries via reg.exe, VM guest driver filename references in any command line, analysis/debug tool process enumeration using tasklist or Get-Process, hardware fingerprinting via NumberOfCores or TotalPhysicalMemory, and systeminfo.exe spawned from a non-standard parent. The rule fires when any single branch matches, so it catches a stealthy single-vector check as well as combined multi-vector pre-execution evasion.

Data Sources

  • Google Chronicle with Windows Sysmon UDM ingestion
  • Chronicle with Microsoft Defender for Endpoint process telemetry
  • Chronicle with Windows Security Event Log (Event ID 4688) via Bindplane or Cribl

Required Tables

  • UDM events of type PROCESS_LAUNCH
  • target.process.command_line must be populated (requires Sysmon or MDE)
  • principal.process.file.full_path for parent process filtering on Branch 6

False Positives & Tuning

  • Automated hardware asset inventory scanning (SCCM, Tanium, Qualys) regularly executes wmic.exe Win32_ComputerSystem and Win32_Processor queries; exclude known management endpoints by adding a NOT condition on principal.hostname matching an IOC list of authorised management servers.
  • VMware vSphere/ESXi guest tools (vmtoolsd.exe, VMwareService.exe) query VMware registry keys during service startup and self-update checks; suppress by excluding the VMware Tools installation path in target.process.file.full_path.
  • Security operations engineers running manual host triage with process listing tools (Sysinternals Process Explorer, Process Hacker) will trigger the analysis tool scanning branch — correlate with analyst user accounts or workstation hostnames before creating a case.
  • Build and CI pipeline agents running on cloud VMs may enumerate NumberOfCores and TotalPhysicalMemory to size job execution; tie to known CI service accounts (e.g. jenkins, gitlab-runner) to create a suppression rule.
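The six branch predicates of the rule and the two suppressions described in the tuning notes, transcribed into Python as an added example (not the page's rule or any Chronicle code) and run over constructed PROCESS_LAUNCH-style events; every hostname, path and command line below is made up for the example.

```python
import re

# Branch regexes transcribed from the YARA-L rule above (its RE2 syntax is accepted by Python's re).
WMIC = re.compile(r"(?i)\\wmic\.exe$")
REG = re.compile(r"(?i)\\reg\.exe$")
SYSINFO = re.compile(r"(?i)\\systeminfo\.exe$")
WMI_CLASS = re.compile(r"(?i)(MSAcpi_ThermalZoneTemperature|Win32_Fan|Win32_ComputerSystem|Win32_BIOS|Win32_BaseBoard|Win32_DiskDrive|Win32_PhysicalMemory|Win32_Processor|Win32_VideoController)")
VM_REG = re.compile(r"(?i)(VMware|VirtualBox|VBoxGuest|QEMU|Xen|Hyper-V|VEN_15AD|VEN_80EE|VEN_1AB8)")
VM_DRV = re.compile(r"(?i)(VBoxMouse\.sys|VBoxGuest\.sys|VBoxSF\.sys|vmhgfs\.sys|vmmouse\.sys|vmci\.sys|vboxdisp\.dll|vmGuestLib\.dll)")
PROC_ENUM = re.compile(r"(?i)(tasklist|Get-Process)")
TOOLS = re.compile(r"(?i)(wireshark|procmon|procexp|processhacker|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg|autoruns|tcpdump|dumpcap|regmon|filemon|pestudio|dnspy)")
HW_FP = re.compile(r"(?i)(NumberOfCores|TotalPhysicalMemory|VMwareHostOpen\.exe|Win32_ComputerSystem WHERE Model)")
NORMAL_PARENT = re.compile(r"(?i)(\\cmd\.exe$|\\explorer\.exe$|\\svchost\.exe$|\\powershell\.exe$)")
# One predicate per rule branch; e is a dict holding the UDM fields the rule reads.
BRANCHES = [
    ("1_wmi_hw_class", lambda e: WMIC.search(e["image"]) and WMI_CLASS.search(e["cmdline"])),
    ("2_vm_registry", lambda e: REG.search(e["image"]) and VM_REG.search(e["cmdline"])),
    ("3_vm_driver", lambda e: VM_DRV.search(e["cmdline"])),
    ("4_tool_enum", lambda e: PROC_ENUM.search(e["cmdline"]) and TOOLS.search(e["cmdline"])),
    ("5_hw_fingerprint", lambda e: HW_FP.search(e["cmdline"])),
    ("6_systeminfo_odd_parent", lambda e: SYSINFO.search(e["image"]) and not NORMAL_PARENT.search(e["parent"])),
]
# Suppressions from the tuning section: authorised management hosts and the VMware Tools
# install path. Both values are constructed placeholders for this example.
MGMT_HOSTS = frozenset({"inv-sccm-01"})
EXCLUDED_IMAGE_PREFIXES = ("c:\\program files\\vmware\\vmware tools\\",)

def fired_branches(e):
    """Names of the rule branches that match e after suppression (empty list = no alert)."""
    if e["hostname"] in MGMT_HOSTS or e["image"].lower().startswith(EXCLUDED_IMAGE_PREFIXES):
        return []
    return [name for name, pred in BRANCHES if pred(e)]

def ev(hostname, image, cmdline, parent=r"C:\Windows\System32\cmd.exe"):
    return {"hostname": hostname, "image": image, "cmdline": cmdline, "parent": parent}

SAMPLES = {  # constructed events, not real telemetry
    "bios_query": ev("ws-0123", r"C:\Windows\System32\wbem\WMIC.exe", "wmic path Win32_BIOS get SerialNumber"),
    "alias_query": ev("ws-0123", r"C:\Windows\System32\wbem\WMIC.exe", "wmic computersystem get model"),
    "vm_reg": ev("ws-0123", r"C:\Windows\System32\reg.exe", r'reg query "HKLM\SOFTWARE\VMware, Inc.\VMware Tools"'),
    "tool_scan": ev("ws-0123", r"C:\Windows\System32\cmd.exe", 'cmd.exe /c tasklist | findstr /i "wireshark procmon"'),
    "odd_sysinfo": ev("ws-0123", r"C:\Windows\System32\systeminfo.exe", "systeminfo", parent=r"C:\Users\u\AppData\Local\Temp\stage.exe"),
    "sccm_inventory": ev("inv-sccm-01", r"C:\Windows\System32\wbem\WMIC.exe", "wmic path Win32_Processor get NumberOfCores"),  # would fire 1 and 5 without suppression
    "vmtools": ev("ws-0123", r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe", "vmtoolsd.exe vmhgfs.sys"),  # would fire 3 without suppression
}

if __name__ == "__main__":
    for name, e in SAMPLES.items():
        print(f"{name:15} -> {fired_branches(e) or 'no alert'}")
```

Note that the wmic alias form used in Test 1 below ("computersystem get model") contains no Win32_ class name and so matches neither Branch 1 nor Branch 5; add the relevant aliases to the Branch 1 regex if that test is expected to fire.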
Testing Methodology

Validate this detection against three Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: WMI BIOS and system model query for VM detection

    Expected signal: Sysmon Event ID 1: two Process Create events for wmic.exe with 'computersystem get model' and 'bios get serialnumber' command lines. WMI Operational log entries for both queries.

  2. Test 2: Check for VM drivers on file system

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with driver file path checks in command line. File access events may be generated if the files exist.

  3. Test 3: Enumerate running analysis tools with tasklist

    Expected signal: Sysmon Event ID 1: Process Create for tasklist.exe piped to findstr.exe with analysis tool names. Two process events generated (tasklist + findstr).
