T1497.001 IBM QRadar · QRadar

Detect System Checks in IBM QRadar

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. Checks may include WMI queries for BIOS manufacturer, system model, temperature sensors, and fan hardware; registry queries for VMware/VirtualBox/QEMU/Hyper-V keys; file system checks for VM guest tools and drivers; hardware enumeration for VM-specific PCI vendor IDs; process enumeration for analysis and monitoring tools; and CPU core count / memory / disk size validation. Malware families including GravityRAT, Lumma Stealer, Bumblebee, QakBot, DarkTortilla, and FinFisher use extensive system checks before executing their core payloads.

MITRE ATT&CK

Tactic
Defense Evasion, Discovery
Technique
T1497 Virtualization/Sandbox Evasion
Sub-technique
T1497.001 System Checks
Canonical reference
https://attack.mitre.org/techniques/T1497/001/

QRadar Detection Query

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  sourceip AS "Source IP",
  username AS "Username",
  "ProcessPath" AS "Process Image",
  "CommandLine" AS "Command Line",
  "ParentProcessPath" AS "Parent Image",
  CASE
    WHEN LOWER("ProcessPath") LIKE '%wmic%'
      AND (LOWER("CommandLine") LIKE '%msacpi_thermalzone%'
           OR LOWER("CommandLine") LIKE '%win32_fan%'
           OR LOWER("CommandLine") LIKE '%computersystem%'
           OR LOWER("CommandLine") LIKE '%bios%'
           OR LOWER("CommandLine") LIKE '%baseboard%'
           OR LOWER("CommandLine") LIKE '%diskdrive%'
           OR LOWER("CommandLine") LIKE '%physicalmemory%'
           OR LOWER("CommandLine") LIKE '%memorychip%'
           OR LOWER("CommandLine") LIKE '%processor%'
           OR LOWER("CommandLine") LIKE '%cpu get%'
           OR LOWER("CommandLine") LIKE '%videocontroller%')
      THEN 2 ELSE 0
  END +
  CASE
    WHEN LOWER("ProcessPath") LIKE '%reg.exe%'
      AND (LOWER("CommandLine") LIKE '%vmware%'
           OR LOWER("CommandLine") LIKE '%virtualbox%'
           OR LOWER("CommandLine") LIKE '%vboxguest%'
           OR LOWER("CommandLine") LIKE '%qemu%'
           OR LOWER("CommandLine") LIKE '%xen%'
           OR LOWER("CommandLine") LIKE '%hyper-v%'
           OR LOWER("CommandLine") LIKE '%ven_15ad%'
           OR LOWER("CommandLine") LIKE '%ven_80ee%'
           OR LOWER("CommandLine") LIKE '%ven_1ab8%')
      THEN 2 ELSE 0
  END +
  CASE
    WHEN LOWER("CommandLine") LIKE '%vboxmouse.sys%'
      OR LOWER("CommandLine") LIKE '%vboxguest.sys%'
      OR LOWER("CommandLine") LIKE '%vboxsf.sys%'
      OR LOWER("CommandLine") LIKE '%vmhgfs.sys%'
      OR LOWER("CommandLine") LIKE '%vmmouse.sys%'
      OR LOWER("CommandLine") LIKE '%vmci.sys%'
      OR LOWER("CommandLine") LIKE '%vboxdisp.dll%'
      OR LOWER("CommandLine") LIKE '%vmguestlib.dll%'
      THEN 2 ELSE 0
  END +
  CASE
    WHEN (LOWER("CommandLine") LIKE '%tasklist%' OR LOWER("CommandLine") LIKE '%get-process%')
      AND (LOWER("CommandLine") LIKE '%wireshark%'
           OR LOWER("CommandLine") LIKE '%procmon%'
           OR LOWER("CommandLine") LIKE '%procexp%'
           OR LOWER("CommandLine") LIKE '%processhacker%'
           OR LOWER("CommandLine") LIKE '%fiddler%'
           OR LOWER("CommandLine") LIKE '%x64dbg%'
           OR LOWER("CommandLine") LIKE '%ollydbg%'
           OR LOWER("CommandLine") LIKE '%windbg%'
           OR LOWER("CommandLine") LIKE '%pestudio%'
           OR LOWER("CommandLine") LIKE '%dnspy%')
      THEN 2 ELSE 0
  END +
  CASE
    WHEN (LOWER("CommandLine") LIKE '%numberofcores%'
          OR LOWER("CommandLine") LIKE '%totalphysicalmemory%'
          OR LOWER("CommandLine") LIKE '%vmwarehostopen%')
      AND LOWER("ProcessPath") NOT LIKE '%sccm%'
      AND LOWER("ProcessPath") NOT LIKE '%manageengine%'
      THEN 1 ELSE 0
  END AS "SuspicionScore",
  CATEGORYNAME(category) AS "Category"
FROM events
WHERE
  LOGSOURCETYPEID IN (119, 143, 382)
  AND QIDNAME(qid) IN ('Process Create', 'Process Opened', 'Windows Process Created')
  AND (
    (LOWER("ProcessPath") LIKE '%wmic%' AND (
      LOWER("CommandLine") LIKE '%msacpi_thermalzone%' OR
      LOWER("CommandLine") LIKE '%win32_fan%' OR
      LOWER("CommandLine") LIKE '%computersystem%' OR
      LOWER("CommandLine") LIKE '%bios%' OR
      LOWER("CommandLine") LIKE '%baseboard%' OR
      LOWER("CommandLine") LIKE '%diskdrive%' OR
      LOWER("CommandLine") LIKE '%physicalmemory%' OR
      LOWER("CommandLine") LIKE '%memorychip%' OR
      LOWER("CommandLine") LIKE '%processor%' OR
      LOWER("CommandLine") LIKE '%cpu get%' OR
      LOWER("CommandLine") LIKE '%videocontroller%'
    )) OR
    (LOWER("ProcessPath") LIKE '%reg.exe%' AND (
      LOWER("CommandLine") LIKE '%vmware%' OR
      LOWER("CommandLine") LIKE '%virtualbox%' OR
      LOWER("CommandLine") LIKE '%vboxguest%' OR
      LOWER("CommandLine") LIKE '%qemu%' OR
      LOWER("CommandLine") LIKE '%xen%' OR
      LOWER("CommandLine") LIKE '%hyper-v%' OR
      LOWER("CommandLine") LIKE '%ven_15ad%' OR
      LOWER("CommandLine") LIKE '%ven_80ee%' OR
      LOWER("CommandLine") LIKE '%ven_1ab8%'
    )) OR
    LOWER("CommandLine") LIKE '%vboxmouse.sys%' OR
    LOWER("CommandLine") LIKE '%vboxguest.sys%' OR
    LOWER("CommandLine") LIKE '%vboxsf.sys%' OR
    LOWER("CommandLine") LIKE '%vmhgfs.sys%' OR
    LOWER("CommandLine") LIKE '%vmmouse.sys%' OR
    LOWER("CommandLine") LIKE '%vmci.sys%' OR
    LOWER("CommandLine") LIKE '%vboxdisp.dll%' OR
    LOWER("CommandLine") LIKE '%vmguestlib.dll%' OR
    ((LOWER("CommandLine") LIKE '%tasklist%' OR LOWER("CommandLine") LIKE '%get-process%') AND (
      LOWER("CommandLine") LIKE '%wireshark%' OR
      LOWER("CommandLine") LIKE '%procmon%' OR
      LOWER("CommandLine") LIKE '%procexp%' OR
      LOWER("CommandLine") LIKE '%processhacker%' OR
      LOWER("CommandLine") LIKE '%fiddler%' OR
      LOWER("CommandLine") LIKE '%x64dbg%' OR
      LOWER("CommandLine") LIKE '%ollydbg%' OR
      LOWER("CommandLine") LIKE '%windbg%' OR
      LOWER("CommandLine") LIKE '%pestudio%' OR
      LOWER("CommandLine") LIKE '%dnspy%'
    )) OR
    ((LOWER("CommandLine") LIKE '%numberofcores%' OR
      LOWER("CommandLine") LIKE '%totalphysicalmemory%' OR
      LOWER("CommandLine") LIKE '%vmwarehostopen%')
     AND LOWER("ProcessPath") NOT LIKE '%sccm%'
     AND LOWER("ProcessPath") NOT LIKE '%manageengine%')
  )
ORDER BY starttime DESC
LAST 24 HOURS
Severity
High
Confidence
High

AQL rule for QRadar detecting T1497.001 sandbox and VM evasion checks. It queries process creation events from the Windows Sysmon (LOGSOURCETYPEID 119), Windows Security (143), and Windows Event Forwarding (382) log sources and computes a weighted SuspicionScore across five check categories: WMI hardware class enumeration via wmic.exe, VM registry key queries via reg.exe, references to VM guest driver files, process scanning for analysis tools, and hardware fingerprinting (core count, physical memory, VMware host-open calls). Every category is evaluated against a single event's command line, so the analysis-tool category fires only when the enumerator and the tool name appear together (typically in a cmd.exe or PowerShell wrapper command line), and WMI queries issued through PowerShell cmdlets rather than wmic.exe are not matched by the first category. Scores of 2+ should trigger an offense; scores of 4+ mean at least two independent check categories matched in the same event and represent multi-vector sandbox evasion attempts.
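The scoring logic above, mirrored in Python as an added example (not the rule page's own code) so the weights, the inventory-agent exclusion and the offense threshold can be exercised offline against constructed Sysmon-style records before tuning the AQL. One assumption beyond the AQL text: the WMI category matches the wmic aliases (such as `wmic bios get serialnumber`) as well as the Win32_ class names; `offenses()`, the `Computer` field and the sample events are constructed for the example.

```python
# Added example (not the rule page's code): Python mirror of the rule's five-category
# SuspicionScore for exercising the weights offline on constructed Sysmon-style records.
# Assumption beyond the AQL: wmic aliases ("wmic bios get ...") match as well as
# Win32_ class names; category 1 stays scoped to wmic.exe, as in the rule.
WMI_HARDWARE = ["msacpi_thermalzone", "win32_fan", "computersystem", "bios",
                "baseboard", "diskdrive", "physicalmemory", "memorychip",
                "processor", "cpu get", "videocontroller"]
VM_REGISTRY = ["vmware", "virtualbox", "vboxguest", "qemu", "xen", "hyper-v",
               "ven_15ad", "ven_80ee", "ven_1ab8"]
VM_DRIVERS = ["vboxmouse.sys", "vboxguest.sys", "vboxsf.sys", "vmhgfs.sys",
              "vmmouse.sys", "vmci.sys", "vboxdisp.dll", "vmguestlib.dll"]
ANALYSIS_TOOLS = ["wireshark", "procmon", "procexp", "processhacker", "fiddler",
                  "x64dbg", "ollydbg", "windbg", "pestudio", "dnspy"]
HW_FINGERPRINT = ["numberofcores", "totalphysicalmemory", "vmwarehostopen"]
INVENTORY_AGENTS = ["sccm", "manageengine"]  # category 5 suppressed for these paths

def _has_any(text: str, needles: list[str]) -> bool:
    return any(n in text for n in needles)

def suspicion_score(event: dict[str, str]) -> tuple[int, list[str]]:
    """Return (score, matched categories) for one process creation event."""
    path = event.get("ProcessPath", "").lower()
    cmd = event.get("CommandLine", "").lower()
    hits: list[tuple[str, int]] = []
    if "wmic" in path and _has_any(cmd, WMI_HARDWARE):
        hits.append(("wmi_hardware", 2))
    if "reg.exe" in path and _has_any(cmd, VM_REGISTRY):
        hits.append(("vm_registry", 2))
    if _has_any(cmd, VM_DRIVERS):
        hits.append(("vm_drivers", 2))
    # Tool names must be in the same command line as the enumerator (the wrapper cmd.exe
    # event carrying 'tasklist | findstr ...'), not the bare tasklist.exe event.
    if ("tasklist" in cmd or "get-process" in cmd) and _has_any(cmd, ANALYSIS_TOOLS):
        hits.append(("analysis_tools", 2))
    if _has_any(cmd, HW_FINGERPRINT) and not _has_any(path, INVENTORY_AGENTS):
        hits.append(("hw_fingerprint", 1))
    return sum(w for _, w in hits), [name for name, _ in hits]

def offenses(events: list[dict[str, str]], threshold: int = 2) -> list[tuple[str, int]]:
    """(host, score) for events at or above the offense threshold (rule text: 2)."""
    scored = [(e.get("Computer", "?"), suspicion_score(e)[0]) for e in events]
    return [(h, s) for h, s in scored if s >= threshold]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "ProcessPath": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic bios get serialnumber"},
    {"Computer": "ws02", "ProcessPath": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd /c "tasklist | findstr /i wireshark & dir C:\\drv\\vboxmouse.sys"'},
    {"Computer": "srv01", "ProcessPath": r"C:\Program Files\ManageEngine\agent.exe",
     "CommandLine": "wmic cpu get NumberOfCores"},
]
```

The third sample shows why the exclusion keys on ProcessPath: an inventory agent that invokes wmic.exe as a child process gets a wmic.exe ProcessPath and is not suppressed, so such hosts need the reference-set tuning described below.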

Data Sources

  • IBM QRadar SIEM with Windows Sysmon DSM
  • QRadar with Microsoft Windows Security Event Log DSM
  • QRadar Universal DSM for Windows Event Forwarding

Required Tables

  • events (QRadar normalized event store)
  • Sysmon Event ID 1 (Process Create), LOGSOURCETYPEID 119
  • Windows Security Event ID 4688, LOGSOURCETYPEID 143

False Positives & Tuning

  • SCCM/MECM hardware inventory cycles use wmic.exe to collect Win32_Processor, Win32_BIOS, and Win32_DiskDrive at scheduled intervals; exclude them with a LOGSOURCENAME filter or a known-good host reference set for managed endpoints.
  • Virtual machine host managers (VMware vCenter agents, Hyper-V host agents) running on hypervisor management VMs frequently query VMware and Hyper-V registry paths during health checks; create a QRadar reference set of authorised management hosts to suppress them.
  • Enterprise monitoring agents (Zabbix, Nagios, Datadog) may execute systeminfo or wmic for performance baseline collection; verify against the asset classification database before generating offenses.
  • Security scanner agents (Qualys Cloud Agent, Rapid7 Insight Agent) enumerate hardware details including NumberOfCores and TotalPhysicalMemory as part of authenticated vulnerability scans — correlate event timing against scheduled scan windows.

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: WMI BIOS and system model query for VM detection

    Expected signal: Sysmon Event ID 1: two Process Create events for wmic.exe with 'computersystem get model' and 'bios get serialnumber' command lines. WMI Operational log entries for both queries.

  2. Test 2: Check for VM drivers on the file system

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with driver file path checks in command line. File access events may be generated if the files exist.

  3. Test 3: Enumerate running analysis tools with tasklist

    Expected signal: Sysmon Event ID 1: Process Create for tasklist.exe piped to findstr.exe with analysis tool names. Two process events generated (tasklist + findstr).
