Detect System Checks in Microsoft Sentinel
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. Checks may include WMI queries for BIOS manufacturer, system model, temperature sensors, and fan hardware; registry queries for VMware/VirtualBox/QEMU/Hyper-V keys; file system checks for VM guest tools and drivers; hardware enumeration for VM-specific PCI vendor IDs; process enumeration for analysis and monitoring tools; and CPU core count / memory / disk size validation. Malware families including GravityRAT, Lumma Stealer, Bumblebee, QakBot, DarkTortilla, and FinFisher use extensive system checks before executing their core payloads.
MITRE ATT&CK
- Tactic: Defense Evasion, Discovery
- Technique: T1497 Virtualization/Sandbox Evasion
- Sub-technique: T1497.001 System Checks
- Canonical reference: https://attack.mitre.org/techniques/T1497/001/
KQL Detection Query
// Term lists for the five categories of system check this query covers
let WMIVMQueries = dynamic(["MSAcpi_ThermalZoneTemperature", "Win32_Fan", "Win32_ComputerSystem", "Win32_BIOS", "Win32_BaseBoard", "Win32_DiskDrive", "Win32_PhysicalMemory", "Win32_Processor", "Win32_VideoController"]);
let VMRegistryPaths = dynamic(["VMware", "VirtualBox", "VBoxGuest", "QEMU", "Xen", "Hyper-V", "Red Hat VirtIO", "VEN_15AD", "VEN_80EE", "VEN_1AB8"]);
let VMDriverFiles = dynamic(["VBoxMouse.sys", "VBoxGuest.sys", "VBoxSF.sys", "vmhgfs.sys", "vmmouse.sys", "vmci.sys", "vboxdisp.dll", "vmGuestLib.dll"]);
let AnalysisTools = dynamic(["wireshark", "procmon", "procexp", "processhacker", "fiddler", "x64dbg", "x32dbg", "ollydbg", "ida64", "idaq", "windbg", "autoruns", "tcpdump", "dumpcap", "regmon", "filemon", "pestudio", "dnspy"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
// Match any of the five categories, plus systeminfo.exe launched from an unexpected parent
| where (FileName =~ "wmic.exe" and ProcessCommandLine has_any (WMIVMQueries))
    or (FileName =~ "reg.exe" and ProcessCommandLine has_any (VMRegistryPaths))
    or (FileName in~ ("cmd.exe", "powershell.exe") and ProcessCommandLine has_any (VMDriverFiles))
    or (ProcessCommandLine has_any ("tasklist", "Get-Process") and ProcessCommandLine has_any (AnalysisTools))
    or (FileName =~ "systeminfo.exe" and InitiatingProcessFileName !in~ ("cmd.exe", "explorer.exe", "svchost.exe"))
    or ProcessCommandLine has_any ("VMwareHostOpen.exe", "HKLM\\SOFTWARE\\VMware", "Win32_ComputerSystem WHERE Model", "NumberOfCores", "TotalPhysicalMemory")
// One boolean column per category so analysts can see which check type fired
| extend WMICheck = FileName =~ "wmic.exe" and ProcessCommandLine has_any (WMIVMQueries)
| extend RegistryCheck = FileName =~ "reg.exe" and ProcessCommandLine has_any (VMRegistryPaths)
| extend DriverCheck = ProcessCommandLine has_any (VMDriverFiles)
| extend ToolScan = ProcessCommandLine has_any ("tasklist", "Get-Process") and ProcessCommandLine has_any (AnalysisTools)
| extend HardwareCheck = ProcessCommandLine has_any ("NumberOfCores", "TotalPhysicalMemory", "Win32_DiskDrive", "Win32_VideoController")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
    InitiatingProcessFileName, InitiatingProcessCommandLine,
    WMICheck, RegistryCheck, DriverCheck, ToolScan, HardwareCheck
| sort by Timestamp desc

Comprehensive detection for system-level VM and sandbox evasion checks. It covers five categories: (1) WMI queries for hardware properties that differ between physical and virtual machines, (2) registry queries for virtualization software keys, (3) file system checks for VM drivers, (4) process enumeration for analysis tools, and (5) hardware resource checks (CPU cores, RAM, disk size, GPU). It detects techniques used by GravityRAT, Lumma Stealer, Bumblebee, QakBot, FinFisher, and InvisiMole.
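To see which rows the query keeps and which category columns it sets, here is an added offline approximation of the KQL logic in Python (this is not the page's own code); it runs over constructed DeviceProcessEvents-style rows, and the parent process names in the samples are placeholders. It assumes `has_any` can be approximated by case-insensitive substring matching, which is slightly broader than KQL's term-based `has`.

```python
# Added example, not code from the page: an offline approximation of the KQL query above, run over
# constructed DeviceProcessEvents-style rows. KQL `has_any` is term-based; substring matching is used here.
WMI_VM_QUERIES = ["MSAcpi_ThermalZoneTemperature", "Win32_Fan", "Win32_ComputerSystem",
                  "Win32_BIOS", "Win32_BaseBoard", "Win32_DiskDrive", "Win32_PhysicalMemory",
                  "Win32_Processor", "Win32_VideoController"]
VM_REGISTRY_PATHS = ["VMware", "VirtualBox", "VBoxGuest", "QEMU", "Xen", "Hyper-V",
                     "Red Hat VirtIO", "VEN_15AD", "VEN_80EE", "VEN_1AB8"]
VM_DRIVER_FILES = ["VBoxMouse.sys", "VBoxGuest.sys", "VBoxSF.sys", "vmhgfs.sys",
                   "vmmouse.sys", "vmci.sys", "vboxdisp.dll", "vmGuestLib.dll"]
ANALYSIS_TOOLS = ["wireshark", "procmon", "procexp", "processhacker", "fiddler", "x64dbg",
                  "x32dbg", "ollydbg", "ida64", "idaq", "windbg", "autoruns", "tcpdump",
                  "dumpcap", "regmon", "filemon", "pestudio", "dnspy"]
ENUM_CMDS = ["tasklist", "Get-Process"]
HARDWARE_TERMS = ["NumberOfCores", "TotalPhysicalMemory", "Win32_DiskDrive", "Win32_VideoController"]
CATCH_ALL = ["VMwareHostOpen.exe", "HKLM\\SOFTWARE\\VMware", "Win32_ComputerSystem WHERE Model",
             "NumberOfCores", "TotalPhysicalMemory"]
BENIGN_PARENTS = ("cmd.exe", "explorer.exe", "svchost.exe")  # systeminfo.exe parent exclusions

def has_any(text: str, terms: list[str]) -> bool:
    return any(t.lower() in text.lower() for t in terms)

def matches_where(ev: dict[str, str]) -> bool:  # the query's `| where` (24h window omitted)
    fn, cmd = ev["FileName"].lower(), ev["ProcessCommandLine"]
    parent = ev.get("InitiatingProcessFileName", "").lower()
    return ((fn == "wmic.exe" and has_any(cmd, WMI_VM_QUERIES))
            or (fn == "reg.exe" and has_any(cmd, VM_REGISTRY_PATHS))
            or (fn in ("cmd.exe", "powershell.exe") and has_any(cmd, VM_DRIVER_FILES))
            or (has_any(cmd, ENUM_CMDS) and has_any(cmd, ANALYSIS_TOOLS))
            or (fn == "systeminfo.exe" and parent not in BENIGN_PARENTS)
            or has_any(cmd, CATCH_ALL))

def flags(ev: dict[str, str]) -> dict[str, bool]:  # the five `| extend` category columns
    fn, cmd = ev["FileName"].lower(), ev["ProcessCommandLine"]
    return {"WMICheck": fn == "wmic.exe" and has_any(cmd, WMI_VM_QUERIES),
            "RegistryCheck": fn == "reg.exe" and has_any(cmd, VM_REGISTRY_PATHS),
            "DriverCheck": has_any(cmd, VM_DRIVER_FILES),
            "ToolScan": has_any(cmd, ENUM_CMDS) and has_any(cmd, ANALYSIS_TOOLS),
            "HardwareCheck": has_any(cmd, HARDWARE_TERMS)}

def run(events: list[dict[str, str]]) -> dict[str, dict[str, bool]]:
    return {e["ProcessCommandLine"]: flags(e) for e in events if matches_where(e)}

# Constructed sample rows (not real telemetry); the parent process names are placeholders.
SAMPLE_EVENTS = [
    {"FileName": "wmic.exe", "ProcessCommandLine": "wmic path Win32_BIOS get SerialNumber", "InitiatingProcessFileName": "cmd.exe"},
    {"FileName": "wmic.exe", "ProcessCommandLine": "wmic computersystem get model", "InitiatingProcessFileName": "cmd.exe"},
    {"FileName": "reg.exe", "ProcessCommandLine": "reg query HKLM\\SOFTWARE\\VMware", "InitiatingProcessFileName": "cmd.exe"},
    {"FileName": "tasklist.exe", "ProcessCommandLine": "tasklist | findstr /i wireshark", "InitiatingProcessFileName": "cmd.exe"},
    {"FileName": "systeminfo.exe", "ProcessCommandLine": "systeminfo", "InitiatingProcessFileName": "unknown.exe"},
]
```

Running `run(SAMPLE_EVENTS)` shows two coverage details worth knowing: the wmic alias form used by Test 1 (`computersystem get model`) contains no `Win32_` class name, so it falls through every branch, and a row kept only by the systeminfo.exe parent condition has all five category columns false.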
Data Sources
Required Tables
- DeviceProcessEvents (the table the query above reads)
False Positives & Tuning
- IT asset management tools (SCCM, Intune, ManageEngine, Lansweeper) running WMI hardware inventory queries
- System monitoring software collecting hardware sensor data for dashboards
- Endpoint security products performing hardware fingerprinting during enrollment
- Developers or QA teams running system information checks in VM test environments
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: WMI BIOS and system model query for VM detection
  Expected signal: Sysmon Event ID 1: two Process Create events for wmic.exe with 'computersystem get model' and 'bios get serialnumber' command lines. WMI Operational log entries for both queries.
- Test 2: Check for VM drivers on file system
  Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with driver file path checks in command line. File access events may be generated if the files exist.
- Test 3: Enumerate running analysis tools with tasklist
  Expected signal: Sysmon Event ID 1: Process Create for tasklist.exe piped to findstr.exe with analysis tool names. Two process events generated (tasklist + findstr).
References (6)
- https://attack.mitre.org/techniques/T1497/001/
- https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
- https://github.com/a0rtega/pafish
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md