Detect System Checks in CrowdStrike LogScale
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. Checks may include WMI queries for BIOS manufacturer, system model, temperature sensors, and fan hardware; registry queries for VMware/VirtualBox/QEMU/Hyper-V keys; file system checks for VM guest tools and drivers; hardware enumeration for VM-specific PCI vendor IDs; process enumeration for analysis and monitoring tools; and CPU core count / memory / disk size validation. Malware families including GravityRAT, Lumma Stealer, Bumblebee, QakBot, DarkTortilla, and FinFisher use extensive system checks before executing their core payloads.
MITRE ATT&CK
- Tactic
- Defense Evasion, Discovery
- Technique
- T1497 Virtualization/Sandbox Evasion
- Sub-technique
- T1497.001 System Checks
- Canonical reference
- https://attack.mitre.org/techniques/T1497/001/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)(\\wmic\.exe|\\reg\.exe|\\systeminfo\.exe|\\cmd\.exe|\\powershell\.exe|\\pwsh\.exe)$/
| CommandLine = /(?i)(MSAcpi_ThermalZoneTemperature|Win32_Fan|Win32_ComputerSystem|Win32_BIOS|Win32_BaseBoard|Win32_DiskDrive|Win32_PhysicalMemory|Win32_Processor|Win32_VideoController|VMware|VirtualBox|VBoxGuest|QEMU|Xen|Hyper-V|VEN_15AD|VEN_80EE|VEN_1AB8|VBoxMouse\.sys|VBoxGuest\.sys|VBoxSF\.sys|vmhgfs\.sys|vmmouse\.sys|vmci\.sys|vboxdisp\.dll|vmGuestLib\.dll|NumberOfCores|TotalPhysicalMemory|VMwareHostOpen\.exe|wireshark|procmon|procexp|processhacker|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg|autoruns|tcpdump|dumpcap|pestudio|dnspy)/
// Categorise each match
| WMIVMCheck := if(
ImageFileName = /(?i)\\wmic\.exe$/ AND
CommandLine = /(?i)(MSAcpi_ThermalZoneTemperature|Win32_Fan|Win32_ComputerSystem|Win32_BIOS|Win32_BaseBoard|Win32_DiskDrive|Win32_PhysicalMemory|Win32_Processor|Win32_VideoController)/,
"true", "false")
| RegistryVMCheck := if(
ImageFileName = /(?i)\\reg\.exe$/ AND
CommandLine = /(?i)(VMware|VirtualBox|VBoxGuest|QEMU|Xen|Hyper-V|VEN_15AD|VEN_80EE|VEN_1AB8)/,
"true", "false")
| DriverFileCheck := if(
CommandLine = /(?i)(VBoxMouse\.sys|VBoxGuest\.sys|VBoxSF\.sys|vmhgfs\.sys|vmmouse\.sys|vmci\.sys|vboxdisp\.dll|vmGuestLib\.dll)/,
"true", "false")
| AnalysisToolScan := if(
CommandLine = /(?i)(tasklist|Get-Process)/ AND
CommandLine = /(?i)(wireshark|procmon|procexp|processhacker|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg|autoruns|tcpdump|dumpcap|pestudio|dnspy)/,
"true", "false")
| HardwareCheck := if(
CommandLine = /(?i)(NumberOfCores|TotalPhysicalMemory|VMwareHostOpen\.exe)/ AND
ImageFileName != /(?i)(manageengine|lansweeper|sccm)/,
"true", "false")
// Score: count true flags as numeric
| SuspicionScore := (if(WMIVMCheck=="true", 2, 0)) +
(if(RegistryVMCheck=="true", 2, 0)) +
(if(DriverFileCheck=="true", 2, 0)) +
(if(AnalysisToolScan=="true", 2, 0)) +
(if(HardwareCheck=="true", 1, 0))
| SuspicionScore > 0
| table(
[@timestamp, ComputerName, UserName, ImageFileName, CommandLine,
ParentBaseFileName, WMIVMCheck, RegistryVMCheck, DriverFileCheck,
AnalysisToolScan, HardwareCheck, SuspicionScore],
sortby="@timestamp", order="desc"
)
CrowdStrike LogScale (Falcon SIEM) detection for T1497.001 using ProcessRollup2 events from the Falcon sensor. The query first filters on process image names associated with VM and sandbox enumeration, then applies weighted scoring across five detection branches: WMI hardware class queries (score 2), VM registry path enumeration (score 2), VM guest driver file references (score 2), analysis tool process scanning (score 2), and hardware fingerprinting (score 1). It returns every event with SuspicionScore > 0, ordered newest-first. Requires Falcon Insight (EDR) with process telemetry enabled; the CommandLine field is only populated when the sensor policy has full command line capture enabled, so without it every branch silently evaluates to "false".
False Positives & Tuning
- CrowdStrike Falcon sensor self-diagnostics and CrowdStrike update processes may query NumberOfCores and system hardware as part of sensor telemetry collection — exclude by filtering on CrowdStrike's own process paths (e.g., ParentBaseFileName containing 'CSFalcon' or 'CrowdStrike').
- Microsoft Endpoint Configuration Manager (MECM/SCCM) hardware inventory client actions execute wmic.exe queries against Win32_Processor, Win32_BIOS, and Win32_PhysicalMemory on a scheduled basis; create a LogScale saved query to baseline SCCM host inventory timing and suppress.
- Virtual desktop infrastructure (VDI) golden image creation processes often enumerate VM hardware to detect VirtualBox or VMware for driver optimisation during OS provisioning — correlate with known VDI build hosts and provisioning service accounts.
- Forensic and incident response analysts using Sysinternals Autoruns, Process Explorer, or x64dbg during active investigations will trigger the AnalysisToolScan branch; establish an analyst workstation group in Falcon host management to suppress these hosts during declared IR windows.
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: WMI BIOS and system model query for VM detection
Expected signal: Sysmon Event ID 1: two Process Create events for wmic.exe with 'computersystem get model' and 'bios get serialnumber' command lines. WMI Operational log entries for both queries.
- Test 2: Check for VM drivers on file system
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with driver file path checks in command line. File access events may be generated if the files exist.
- Test 3: Enumerate running analysis tools with tasklist
Expected signal: Sysmon Event ID 1: Process Create for tasklist.exe piped to findstr.exe with analysis tool names. Two process events generated (tasklist + findstr).
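The query's five branches and weighted SuspicionScore, the ParentBaseFileName and analyst-host exclusions from the tuning notes, and the command lines the three Atomic tests produce, worked through in one offline Python example. This is an added example, not code from the page, from CrowdStrike, or from Atomic Red Team: it re-implements the query's regexes so they can be checked before deployment. Field names are the Falcon ProcessRollup2 fields used in the query; the device-path form of ImageFileName, the hostnames, the parent process name CSFalconService.exe and all events are constructed assumptions, and the rule that an analyst host is suppressed only when AnalysisToolScan is the sole branch firing is a design choice of this example, not something the page states.

```python
import re

# Branch patterns copied from the LogScale query above (all case-insensitive).
IMAGE_RE = re.compile(r"\\(wmic|reg|systeminfo|cmd|powershell|pwsh)\.exe$", re.I)
WMI_RE = re.compile(
    r"MSAcpi_ThermalZoneTemperature|Win32_Fan|Win32_ComputerSystem|Win32_BIOS|"
    r"Win32_BaseBoard|Win32_DiskDrive|Win32_PhysicalMemory|Win32_Processor|Win32_VideoController", re.I)
REG_RE = re.compile(r"VMware|VirtualBox|VBoxGuest|QEMU|Xen|Hyper-V|VEN_15AD|VEN_80EE|VEN_1AB8", re.I)
DRIVER_RE = re.compile(
    r"VBoxMouse\.sys|VBoxGuest\.sys|VBoxSF\.sys|vmhgfs\.sys|vmmouse\.sys|vmci\.sys|vboxdisp\.dll|vmGuestLib\.dll", re.I)
PROC_ENUM_RE = re.compile(r"tasklist|Get-Process", re.I)
TOOLS_RE = re.compile(
    r"wireshark|procmon|procexp|processhacker|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|"
    r"windbg|autoruns|tcpdump|dumpcap|pestudio|dnspy", re.I)
HW_RE = re.compile(r"NumberOfCores|TotalPhysicalMemory|VMwareHostOpen\.exe", re.I)
INVENTORY_RE = re.compile(r"manageengine|lansweeper|sccm", re.I)  # inventory agents the query excludes
FALCON_PARENT_RE = re.compile(r"CSFalcon|CrowdStrike", re.I)      # exclusion from the tuning notes

WEIGHTS = {"WMIVMCheck": 2, "RegistryVMCheck": 2, "DriverFileCheck": 2,
           "AnalysisToolScan": 2, "HardwareCheck": 1}


def classify(event):
    """Evaluate the five branches of the query for one event; returns a dict of booleans."""
    img = event.get("ImageFileName", "")
    cmd = event.get("CommandLine", "")
    return {
        "WMIVMCheck": bool(re.search(r"\\wmic\.exe$", img, re.I) and WMI_RE.search(cmd)),
        "RegistryVMCheck": bool(re.search(r"\\reg\.exe$", img, re.I) and REG_RE.search(cmd)),
        "DriverFileCheck": bool(DRIVER_RE.search(cmd)),
        "AnalysisToolScan": bool(PROC_ENUM_RE.search(cmd) and TOOLS_RE.search(cmd)),
        "HardwareCheck": bool(HW_RE.search(cmd) and not INVENTORY_RE.search(img)),
    }


def score(event):
    """Weighted SuspicionScore as the query computes it. The ImageFileName prefilter is applied
    first; the CommandLine prefilter is implied, because every branch pattern is a subset of it."""
    if not IMAGE_RE.search(event.get("ImageFileName", "")):
        return 0
    return sum(WEIGHTS[name] for name, hit in classify(event).items() if hit)


def alert(event, analyst_hosts=frozenset()):
    """Apply the tuning exclusions; return the score, or None when the event is suppressed.
    Assumption of this example: an analyst host is suppressed only when AnalysisToolScan is
    the sole branch firing, so VM-enumeration activity from that host still alerts."""
    if FALCON_PARENT_RE.search(event.get("ParentBaseFileName", "")):
        return None
    s = score(event)
    if s == 0:
        return None
    only_tool_scan = classify(event)["AnalysisToolScan"] and s == WEIGHTS["AnalysisToolScan"]
    if event.get("ComputerName") in analyst_hosts and only_tool_scan:
        return None
    return s


def run(events, analyst_hosts=frozenset()):
    """Return {name: SuspicionScore} for the events that would appear in the query's table."""
    results = {}
    for name, event in events.items():
        s = alert(event, analyst_hosts)
        if s is not None:
            results[name] = s
    return results


# Constructed sample events (not real telemetry). Device-path image names are an assumption.
SYS32 = r"\Device\HarddiskVolume3\Windows\System32"

def ev(img, cmd, parent="explorer.exe", host="WS-01"):
    return {"ImageFileName": img, "CommandLine": cmd, "ParentBaseFileName": parent, "ComputerName": host}

EVENTS = {
    # Atomic Test 1 as described above: the wmic alias form carries no Win32_ class name, so
    # WMIVMCheck does not fire; the same query spelled with the class name does score.
    "atomic1_alias": ev(SYS32 + r"\wbem\WMIC.exe", "wmic computersystem get model"),
    "wmi_class": ev(SYS32 + r"\wbem\WMIC.exe", "wmic path Win32_ComputerSystem get Model"),
    # Atomic Test 2: driver file path check run through cmd.exe.
    "atomic2_driver": ev(SYS32 + r"\cmd.exe", r"cmd.exe /c if exist C:\Windows\System32\drivers\VBoxMouse.sys echo vm"),
    # Atomic Test 3 through cmd.exe matches; tasklist.exe as the image itself is outside the prefilter.
    "atomic3_cmd": ev(SYS32 + r"\cmd.exe", 'cmd.exe /c tasklist | findstr /i "wireshark procmon"'),
    "atomic3_direct": ev(SYS32 + r"\tasklist.exe", 'tasklist | findstr /i "wireshark procmon"'),
    "reg_vbox": ev(SYS32 + r"\reg.exe", r"reg query HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest"),
    # Sensor's own hardware query: HardwareCheck scores 1, but the parent-process exclusion drops it.
    "falcon_cores": ev(SYS32 + r"\wbem\WMIC.exe", "wmic cpu get NumberOfCores", parent="CSFalconService.exe"),
    # Analyst workstation running a tool scan during a declared IR window.
    "analyst_scan": ev(SYS32 + r"\cmd.exe", "cmd.exe /c tasklist | findstr /i procmon", host="ANALYST-01"),
}

if __name__ == "__main__":
    for name, s in run(EVENTS, analyst_hosts={"ANALYST-01"}).items():
        print(f"{name:16} SuspicionScore={s}")
```

Two results are worth noting when reading the output: the alias form of Atomic Test 1 and a directly launched tasklist.exe both score 0 under the query as written, because the WMIVMCheck branch keys on Win32_ class names and the ImageFileName prefilter does not list tasklist.exe, so those two Atomic tests only validate the detection when the command is issued through one of the listed shells with the class name spelled out.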
References
- https://attack.mitre.org/techniques/T1497/001/
- https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
- https://github.com/a0rtega/pafish
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md