T1497.001 Splunk · SPL

Detect System Checks in Splunk

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. Checks may include WMI queries for BIOS manufacturer, system model, temperature sensors, and fan hardware; registry queries for VMware/VirtualBox/QEMU/Hyper-V keys; file system checks for VM guest tools and drivers; hardware enumeration for VM-specific PCI vendor IDs; process enumeration for analysis and monitoring tools; and CPU core count / memory / disk size validation. Malware families including GravityRAT, Lumma Stealer, Bumblebee, QakBot, DarkTortilla, and FinFisher use extensive system checks before executing their core payloads.

MITRE ATT&CK

Tactic
Defense Evasion, Discovery
Technique
T1497 Virtualization/Sandbox Evasion
Sub-technique
T1497.001 System Checks
Canonical reference
https://attack.mitre.org/techniques/T1497/001/

SPL Detection Query

Splunk (SPL)
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine)
| eval WMIVMCheck=if((match(Image, "(?i)wmic\.exe$") AND match(CommandLine, "(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard|win32_diskdrive|win32_physicalmemory|win32_processor|win32_videocontroller|\bcomputersystem\b|\bbios\b|\bbaseboard\b|\bdiskdrive\b|\bmemorychip\b|\bcpu\b)")) OR (match(Image, "(?i)(powershell|pwsh)\.exe$") AND match(CommandLine, "(get-wmiobject|gwmi|get-ciminstance)") AND match(CommandLine, "(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard|win32_diskdrive|win32_physicalmemory|win32_processor|win32_videocontroller)")), 1, 0)
| eval RegistryVMCheck=if(match(Image, "(?i)reg\.exe$") AND match(CommandLine, "(vmware|virtualbox|vboxguest|qemu|xen|hyper-v|ven_15ad|ven_80ee)"), 1, 0)
| eval DriverFileCheck=if(match(CommandLine, "(vboxmouse\.sys|vboxguest\.sys|vmhgfs\.sys|vmmouse\.sys|vmci\.sys|vboxdisp\.dll|vmguestlib\.dll)"), 1, 0)
| eval AnalysisToolScan=if(match(CommandLine, "(tasklist|get-process|findstr|select-string)") AND match(CommandLine, "(wireshark|procmon|procexp|processhacker|fiddler|x64dbg|x32dbg|ollydbg|\bida(q|t)?(64)?\b|windbg|autoruns|tcpdump|pestudio|dnspy)"), 1, 0)
| eval HardwareCheck=if(match(CommandLine, "(numberofcores|numberoflogicalprocessors|totalphysicalmemory)"), 1, 0)
| eval ITManagementTool=if(match(Image, "(?i)(sccm|ccmexec|intune|lansweeper|manageengine)") OR match(ParentImage, "(?i)(sccm|ccmexec|intune|lansweeper|manageengine)"), 1, 0)
| eval SuspicionScore=WMIVMCheck*2 + RegistryVMCheck*2 + DriverFileCheck*2 + AnalysisToolScan*2 + HardwareCheck
| where SuspicionScore > 0 AND ITManagementTool=0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, WMIVMCheck, RegistryVMCheck, DriverFileCheck, AnalysisToolScan, HardwareCheck, SuspicionScore
| sort - _time
Severity: medium · Confidence: medium

System check detection covering WMI hardware queries, VM registry artifact queries, VM driver file checks, analysis tool process scanning, and hardware resource enumeration. The WMI check matches both the WMIC alias form (wmic computersystem get model, wmic bios get serialnumber, wmic cpu get numberofcores), whose command lines never contain a Win32_ class name, and the class-name form used by PowerShell Get-WmiObject/Get-CimInstance. The analysis tool list matches ida only as a whole word (ida, idaq, ida64), so strings such as validator or candidate in an unrelated tasklist filter do not score. Each category is scored, and events whose Image or ParentImage is a known IT management tool are excluded; the exclusion covers ParentImage because inventory agents commonly spawn wmic.exe rather than query WMI in-process. Note that every category except hardware resource enumeration is weighted 2 and the threshold is > 0, so a single category is enough to alert; raise the threshold to 3 or higher to require two categories on the same event.

Data Sources

  • Process: Process Creation
  • Command: Command Execution
  • Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • IT asset management tools running WMI hardware queries
  • System monitoring software collecting hardware data
  • Endpoint security products during hardware fingerprinting
  • System administrators running manual hardware checks

Testing Methodology

Validate this detection with the three Atomic Red Team-style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see in the Sysmon Operational log.

  1. Test 1: WMI BIOS and system model query for VM detection

    Expected signal: Sysmon Event ID 1: two Process Create events for wmic.exe with the command lines 'wmic computersystem get model' and 'wmic bios get serialnumber'. Neither command line contains a Win32_ class name, which is why the query also matches WMIC aliases. Entries in Microsoft-Windows-WMI-Activity/Operational are not guaranteed for successful queries; that channel records errors and provider loads by default.

  2. Test 2: Check for VM drivers on file system

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with driver file paths (for example vboxmouse.sys or vmhgfs.sys under System32\drivers) in the command line. Sysmon does not record file existence checks or reads (Event ID 11 is file creation only), so the command line is the only Sysmon signal; Security event 4663 object access records appear only if a SACL is configured on the drivers directory.

  3. Test 3: Enumerate running analysis tools with tasklist

    Expected signal: Sysmon Event ID 1: Process Create events for tasklist.exe and for findstr.exe with analysis tool names in its arguments (two process events). The query requires the enumeration verb and a tool name in the same CommandLine, so it fires on the findstr.exe event and, when the pipeline was launched via cmd.exe /c or powershell.exe, on the parent shell event that carries the whole pipeline; the bare tasklist.exe event does not score on its own.
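
The following is an added example, not code from the original page: a Python port of the SPL scoring logic in the detection query above, run over constructed Sysmon Event ID 1 records that correspond to the three tests (plus a registry probe and two benign events). The records are dictionaries with the field names Splunk extracts from the XmlWinEventLog sourcetype (Image, ParentImage, CommandLine, host); the hosts, user paths, loader.exe and the inventory agent path are all hypothetical. It shows which event in each test actually scores, that the WMIC alias form is caught, and that the ParentImage exclusion suppresses an inventory agent spawning wmic.exe.

```python
import re

# Regexes mirror the SPL evals. CommandLine is lowercased first, as in the
# query, so only the Image/ParentImage patterns need the case-insensitive flag.
WMIC_IMAGE = re.compile(r"wmic\.exe$", re.I)
PS_IMAGE = re.compile(r"(powershell|pwsh)\.exe$", re.I)
PS_WMI_CMDLET = re.compile(r"(get-wmiobject|gwmi|get-ciminstance)")
WMI_CLASSES = re.compile(
    r"(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|"
    r"win32_baseboard|win32_diskdrive|win32_physicalmemory|win32_processor|"
    r"win32_videocontroller)")
# WMIC aliases carry no Win32_ prefix: "wmic computersystem get model".
WMIC_ALIASES = re.compile(
    r"(\bcomputersystem\b|\bbios\b|\bbaseboard\b|\bdiskdrive\b|\bmemorychip\b|\bcpu\b)")
REG_IMAGE = re.compile(r"reg\.exe$", re.I)
REG_VM = re.compile(r"(vmware|virtualbox|vboxguest|qemu|xen|hyper-v|ven_15ad|ven_80ee)")
DRIVER_FILES = re.compile(
    r"(vboxmouse\.sys|vboxguest\.sys|vmhgfs\.sys|vmmouse\.sys|vmci\.sys|vboxdisp\.dll|vmguestlib\.dll)")
PROC_ENUM = re.compile(r"(tasklist|get-process|findstr|select-string)")
# Word boundaries around ida keep "validator", "candidate" etc. from matching.
ANALYSIS_TOOLS = re.compile(
    r"(wireshark|procmon|procexp|processhacker|fiddler|x64dbg|x32dbg|ollydbg|"
    r"\bida(q|t)?(64)?\b|windbg|autoruns|tcpdump|pestudio|dnspy)")
HW_RESOURCE = re.compile(r"(numberofcores|numberoflogicalprocessors|totalphysicalmemory)")
IT_TOOLS = re.compile(r"(sccm|ccmexec|intune|lansweeper|manageengine)", re.I)

WEIGHTS = {"WMIVMCheck": 2, "RegistryVMCheck": 2, "DriverFileCheck": 2,
           "AnalysisToolScan": 2, "HardwareCheck": 1}


def score_event(ev):
    """Per-category flags, weighted SuspicionScore and the IT-tool exclusion flag."""
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmd = ev.get("CommandLine", "").lower()
    wmic_hit = WMIC_IMAGE.search(image) and (WMI_CLASSES.search(cmd) or WMIC_ALIASES.search(cmd))
    ps_hit = PS_IMAGE.search(image) and PS_WMI_CMDLET.search(cmd) and WMI_CLASSES.search(cmd)
    flags = {
        "WMIVMCheck": int(bool(wmic_hit or ps_hit)),
        "RegistryVMCheck": int(bool(REG_IMAGE.search(image) and REG_VM.search(cmd))),
        "DriverFileCheck": int(bool(DRIVER_FILES.search(cmd))),
        "AnalysisToolScan": int(bool(PROC_ENUM.search(cmd) and ANALYSIS_TOOLS.search(cmd))),
        "HardwareCheck": int(bool(HW_RESOURCE.search(cmd))),
    }
    flags["ITManagementTool"] = int(bool(IT_TOOLS.search(image) or IT_TOOLS.search(parent)))
    flags["SuspicionScore"] = sum(WEIGHTS[k] * v for k, v in flags.items() if k in WEIGHTS)
    return flags


def detect(events, threshold=1):
    """Equivalent of `where SuspicionScore > 0 AND ITManagementTool=0` followed by `table`."""
    hits = []
    for ev in events:
        r = score_event(ev)
        if r["SuspicionScore"] >= threshold and not r["ITManagementTool"]:
            hits.append({"host": ev.get("host"), "Image": ev.get("Image"),
                         "CommandLine": ev.get("CommandLine"), **r})
    return hits


# Constructed Sysmon EID 1 records (hypothetical host, paths and parent binaries).
SAMPLE_EVENTS = [
    # Test 1: two wmic.exe events in alias form, no Win32_ prefix on the command line
    {"host": "ws01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "wmic computersystem get model"},
    {"host": "ws01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "wmic bios get serialnumber"},
    # Test 2: driver existence check; the command line is the only Sysmon signal
    {"host": "ws01", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\alice\loader.exe",
     "CommandLine": r"cmd.exe /c if exist C:\Windows\System32\drivers\vboxmouse.sys echo VBOX"},
    # Test 3: the spawning shell carries the whole pipeline ...
    {"host": "ws01", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Users\alice\loader.exe",
     "CommandLine": 'cmd.exe /c tasklist | findstr /i "wireshark procmon x64dbg"'},
    # ... its findstr.exe child carries the tool names, its tasklist.exe child carries neither
    {"host": "ws01", "Image": r"C:\Windows\System32\findstr.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'findstr /i "wireshark procmon x64dbg"'},
    {"host": "ws01", "Image": r"C:\Windows\System32\tasklist.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "tasklist"},
    # Registry probe for the VMware PCI vendor ID
    {"host": "ws01", "Image": r"C:\Windows\System32\reg.exe", "ParentImage": r"C:\Users\alice\loader.exe",
     "CommandLine": r"reg query HKLM\SYSTEM\CurrentControlSet\Enum\PCI /s /f VEN_15AD"},
    # Benign: inventory agent (hypothetical path) spawning wmic; scores 3 but is excluded via ParentImage
    {"host": "ws01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Program Files\Lansweeper\LsAgent.exe", "CommandLine": "wmic cpu get numberofcores"},
    # Benign: admin PowerShell with a process list but no analysis tool names or WMI classes
    {"host": "ws01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe Get-Process | Sort-Object CPU -Descending"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["SuspicionScore"], hit["Image"], hit["CommandLine"])
```

Running it lists six hits: both wmic.exe events, the cmd.exe driver check, the cmd.exe pipeline and its findstr.exe child, and the reg.exe probe; the bare tasklist.exe event, the agent-spawned wmic.exe and the admin PowerShell line are not reported. Passing threshold=3 to detect() reproduces the stricter two-category variant discussed under the query.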
