Detect System Checks in Elastic Security
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. Checks may include WMI queries for BIOS manufacturer, system model, temperature sensors, and fan hardware; registry queries for VMware/VirtualBox/QEMU/Hyper-V keys; file system checks for VM guest tools and drivers; hardware enumeration for VM-specific PCI vendor IDs; process enumeration for analysis and monitoring tools; and CPU core count / memory / disk size validation. Malware families including GravityRAT, Lumma Stealer, Bumblebee, QakBot, DarkTortilla, and FinFisher use extensive system checks before executing their core payloads.
MITRE ATT&CK
- Tactic
- Defense Evasion, Discovery
- Technique
- T1497 Virtualization/Sandbox Evasion
- Sub-technique
- T1497.001 System Checks
- Canonical reference
- https://attack.mitre.org/techniques/T1497/001/
Elastic Detection Query
process where event.type == "start" and (
  (
    process.name : "wmic.exe" and
    process.command_line : (
      "*MSAcpi_ThermalZoneTemperature*", "*Win32_Fan*", "*Win32_ComputerSystem*",
      "*Win32_BIOS*", "*Win32_BaseBoard*", "*Win32_DiskDrive*",
      "*Win32_PhysicalMemory*", "*Win32_Processor*", "*Win32_VideoController*"
    )
  ) or
  (
    process.name : "reg.exe" and
    process.command_line : (
      "*VMware*", "*VirtualBox*", "*VBoxGuest*", "*QEMU*",
      "*Xen*", "*Hyper-V*", "*VEN_15AD*", "*VEN_80EE*", "*VEN_1AB8*"
    )
  ) or
  process.command_line : (
    "*VBoxMouse.sys*", "*VBoxGuest.sys*", "*VBoxSF.sys*",
    "*vmhgfs.sys*", "*vmmouse.sys*", "*vmci.sys*",
    "*vboxdisp.dll*", "*vmGuestLib.dll*"
  ) or
  (
    process.command_line : ("*tasklist*", "*Get-Process*") and
    process.command_line : (
      "*wireshark*", "*procmon*", "*procexp*", "*processhacker*",
      "*fiddler*", "*x64dbg*", "*x32dbg*", "*ollydbg*", "*ida64*",
      "*idaq*", "*windbg*", "*autoruns*", "*tcpdump*", "*dumpcap*",
      "*pestudio*", "*dnspy*"
    )
  ) or
  (
    process.name : "systeminfo.exe" and
    not process.parent.name : ("cmd.exe", "explorer.exe", "svchost.exe")
  ) or
  process.command_line : (
    "*NumberOfCores*", "*TotalPhysicalMemory*",
    "*VMwareHostOpen.exe*", "*Win32_ComputerSystem WHERE Model*"
  )
)

Detects T1497.001 system checks used by malware to detect virtualization and analysis environments. Monitors for WMI queries targeting BIOS/hardware WMI classes, registry enumeration of VM-specific keys (VMware, VirtualBox, QEMU, Hyper-V, Xen), filesystem checks for VM guest driver files, process enumeration targeting known analysis and debugging tools, and hardware fingerprinting via CPU core count and memory size queries. Covers malware families including GravityRAT, Lumma Stealer, Bumblebee, QakBot, and FinFisher.
Data Sources
Required Tables
False Positives & Tuning
- IT asset management platforms such as SCCM, Tanium, Lansweeper, and ManageEngine routinely query Win32_ComputerSystem, Win32_BIOS, and Win32_Processor for hardware inventory — tune by excluding known management process parent names or source hostnames.
- VMware vSphere management agents and VMware Tools updaters may legitimately query VMware registry keys and call VMwareHostOpen.exe as part of guest tools maintenance; baseline these by host and parent process.
- Security engineers and analysts running manual triage may invoke wmic, systeminfo, or tasklist with analysis tool names during incident response; correlate with change tickets or known analyst workstations before escalating.
- Software deployment automation (Chocolatey, Ansible WinRM, Puppet) may call systeminfo.exe or wmic to validate hardware prerequisites before installing packages, often spawned from non-standard parent processes.
- Hypervisor self-check scripts in developer and QA environments frequently enumerate NumberOfCores and TotalPhysicalMemory to enforce minimum resource requirements before running build pipelines.
Testing Methodology
Validate this detection against 3 Atomic Red Team tests for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: WMI BIOS and system model query for VM detection
Expected signal: Sysmon Event ID 1: two Process Create events for wmic.exe with 'computersystem get model' and 'bios get serialnumber' command lines. WMI Operational log entries for both queries.
- Test 2: Check for VM drivers on file system
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with driver file path checks in command line. File access events may be generated if the files exist.
- Test 3: Enumerate running analysis tools with tasklist
Expected signal: Sysmon Event ID 1: Process Create for tasklist.exe piped to findstr.exe with analysis tool names. Two process events generated (tasklist + findstr).
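To see how the query's branches behave on concrete telemetry, below is an added Python model of the rule (not Elastic's code, and not the page's own test data) run over constructed process-start records shaped like the three tests above, plus the inventory-agent false positive from the tuning notes. It approximates EQL's case-insensitive wildcard `:` operator with `fnmatch`, and adds the parent-process allowlist the tuning notes suggest; the parent name `CcmExec.exe`, the branch labels, and every sample command line are assumptions made for the example.

```python
import fnmatch

# Pattern lists copied from the EQL rule's branches.
WMI_HARDWARE_CLASSES = [
    "*MSAcpi_ThermalZoneTemperature*", "*Win32_Fan*", "*Win32_ComputerSystem*",
    "*Win32_BIOS*", "*Win32_BaseBoard*", "*Win32_DiskDrive*",
    "*Win32_PhysicalMemory*", "*Win32_Processor*", "*Win32_VideoController*",
]
VM_REGISTRY_MARKERS = [
    "*VMware*", "*VirtualBox*", "*VBoxGuest*", "*QEMU*",
    "*Xen*", "*Hyper-V*", "*VEN_15AD*", "*VEN_80EE*", "*VEN_1AB8*",
]
VM_DRIVER_FILES = [
    "*VBoxMouse.sys*", "*VBoxGuest.sys*", "*VBoxSF.sys*",
    "*vmhgfs.sys*", "*vmmouse.sys*", "*vmci.sys*",
    "*vboxdisp.dll*", "*vmGuestLib.dll*",
]
ENUM_COMMANDS = ["*tasklist*", "*Get-Process*"]
ANALYSIS_TOOLS = [
    "*wireshark*", "*procmon*", "*procexp*", "*processhacker*",
    "*fiddler*", "*x64dbg*", "*x32dbg*", "*ollydbg*", "*ida64*",
    "*idaq*", "*windbg*", "*autoruns*", "*tcpdump*", "*dumpcap*",
    "*pestudio*", "*dnspy*",
]
SYSTEMINFO_BENIGN_PARENTS = ["cmd.exe", "explorer.exe", "svchost.exe"]
HARDWARE_FINGERPRINT = [
    "*NumberOfCores*", "*TotalPhysicalMemory*",
    "*VMwareHostOpen.exe*", "*Win32_ComputerSystem WHERE Model*",
]


def _like(value, patterns):
    """Approximate EQL's ':' operator: case-insensitive wildcard match against any pattern."""
    v = (value or "").lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def classify(event):
    """Return a label for the first rule branch the event satisfies, or None (branch labels are assumed)."""
    if event.get("event.type") != "start":
        return None
    name = event.get("process.name", "")
    cmd = event.get("process.command_line", "")
    parent = event.get("process.parent.name", "")
    if _like(name, ["wmic.exe"]) and _like(cmd, WMI_HARDWARE_CLASSES):
        return "wmi_hardware_query"
    if _like(name, ["reg.exe"]) and _like(cmd, VM_REGISTRY_MARKERS):
        return "vm_registry_query"
    if _like(cmd, VM_DRIVER_FILES):
        return "vm_driver_file_check"
    if _like(cmd, ENUM_COMMANDS) and _like(cmd, ANALYSIS_TOOLS):
        return "analysis_tool_enumeration"
    if _like(name, ["systeminfo.exe"]) and not _like(parent, SYSTEMINFO_BENIGN_PARENTS):
        return "systeminfo_unusual_parent"
    if _like(cmd, HARDWARE_FINGERPRINT):
        return "hardware_fingerprint"
    return None


def evaluate(event, parent_allowlist=()):
    """Rule result after the parent-process exclusion suggested in the tuning notes."""
    branch = classify(event)
    if branch and _like(event.get("process.parent.name", ""), list(parent_allowlist)):
        return None
    return branch


def _ev(name, parent, cmd):
    """Build a minimal record with only the fields the rule reads (ECS-style names)."""
    return {"event.type": "start", "process.name": name,
            "process.parent.name": parent, "process.command_line": cmd}


# Constructed records in the shape of Sysmon Event ID 1 as Elastic maps it; none are real telemetry.
SAMPLE_EVENTS = [
    _ev("wmic.exe", "cmd.exe", "wmic computersystem get model"),                   # Test 1, wmic alias form
    _ev("wmic.exe", "cmd.exe", "wmic path Win32_BIOS get SerialNumber"),            # explicit WMI class name
    _ev("cmd.exe", "powershell.exe",
        "cmd.exe /c if exist C:\\Windows\\System32\\drivers\\VBoxMouse.sys echo vm"),  # Test 2
    _ev("cmd.exe", "explorer.exe",
        'cmd.exe /c tasklist /v | findstr /i "wireshark procmon"'),                  # Test 3
    _ev("wmic.exe", "CcmExec.exe",
        "wmic path Win32_ComputerSystem get Model,TotalPhysicalMemory"),            # inventory agent (assumed parent)
    _ev("systeminfo.exe", "rundll32.exe", "systeminfo"),                            # systeminfo from an odd parent
]


def run(events, parent_allowlist=("CcmExec.exe",)):
    """Evaluate every event; the default allowlist holds the assumed inventory-agent parent."""
    return [evaluate(e, parent_allowlist) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{verdict or '-':28} {event['process.command_line']}")
```

Two things the run makes visible. First, the allowlisted `CcmExec.exe` parent suppresses the `Win32_ComputerSystem` inventory query that would otherwise fire, which is the tuning the false-positive notes describe. Second, the Test 1 command line uses wmic's alias syntax (`computersystem get model`, `bios get serialnumber`), which never contains the literal class names `Win32_ComputerSystem` or `Win32_BIOS` that the rule's patterns look for, so that record matches no branch; when validating Test 1, either run the check in the `wmic path Win32_...` form or extend the pattern list with the alias names so the rule fires on both spellings.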
References (6)
- https://attack.mitre.org/techniques/T1497/001/
- https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
- https://github.com/a0rtega/pafish
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md