T1497.001 Sumo Logic CSE · Sumo

Detect System Checks in Sumo Logic CSE

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. Checks may include WMI queries for BIOS manufacturer, system model, temperature sensors, and fan hardware; registry queries for VMware/VirtualBox/QEMU/Hyper-V keys; file system checks for VM guest tools and drivers; hardware enumeration for VM-specific PCI vendor IDs; process enumeration for analysis and monitoring tools; and CPU core count / memory / disk size validation. Malware families including GravityRAT, Lumma Stealer, Bumblebee, QakBot, DarkTortilla, and FinFisher use extensive system checks before executing their core payloads.

MITRE ATT&CK

Tactic
Defense Evasion Discovery
Technique
T1497 Virtualization/Sandbox Evasion
Sub-technique
T1497.001 System Checks
Canonical reference
https://attack.mitre.org/techniques/T1497/001/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*wineventlog*)
| where EventID=1 OR EventID=4688
| parse regex "(?i)Image=(?<Image>[^\n\r]+)" nodrop
| parse regex "(?i)CommandLine=(?<CommandLine>[^\n\r]+)" nodrop
| parse regex "(?i)ParentImage=(?<ParentImage>[^\n\r]+)" nodrop
| parse regex "(?i)User=(?<User>[^\n\r]+)" nodrop
| where !(isNull(CommandLine))
| eval cmd = toLowerCase(CommandLine)
| eval img = toLowerCase(Image)
| eval parentimg = toLowerCase(ParentImage)
// WMI VM Hardware Queries
| eval WMIVMCheck = if(
    matches(img, ".*wmic.*") AND
    matches(cmd, "(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard|win32_diskdrive|win32_physicalmemory|win32_processor|win32_videocontroller)"),
    2, 0)
// Registry VM Key Enumeration
| eval RegistryVMCheck = if(
    matches(img, ".*reg\\.exe.*") AND
    matches(cmd, "(vmware|virtualbox|vboxguest|qemu|xen|hyper-v|ven_15ad|ven_80ee|ven_1ab8)"),
    2, 0)
// VM Guest Driver File References
| eval DriverFileCheck = if(
    matches(cmd, "(vboxmouse\\.sys|vboxguest\\.sys|vboxsf\\.sys|vmhgfs\\.sys|vmmouse\\.sys|vmci\\.sys|vboxdisp\\.dll|vmguestlib\\.dll)"),
    2, 0)
// Analysis Tool Process Enumeration
| eval AnalysisToolScan = if(
    matches(cmd, "(tasklist|get-process)") AND
    matches(cmd, "(wireshark|procmon|procexp|processhacker|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg|autoruns|tcpdump|dumpcap|pestudio|dnspy)"),
    2, 0)
// Hardware Fingerprinting
| eval HardwareCheck = if(
    matches(cmd, "(numberofcores|totalphysicalmemory|vmwarehostopen|win32_diskdrive|win32_videocontroller)") AND
    !matches(img, "(sccm|manageengine|lansweeper|intune|tanium)"),
    1, 0)
// Suspicious systeminfo spawned from non-standard parent
| eval SysinfoAnomalous = if(
    matches(img, ".*systeminfo.*") AND
    !matches(parentimg, "(cmd\\.exe|explorer\\.exe|svchost\\.exe)"),
    1, 0)
| eval SuspicionScore = WMIVMCheck + RegistryVMCheck + DriverFileCheck + AnalysisToolScan + HardwareCheck + SysinfoAnomalous
| where SuspicionScore > 0
| fields _messageTime, _sourceHost, User, Image, CommandLine, ParentImage, WMIVMCheck, RegistryVMCheck, DriverFileCheck, AnalysisToolScan, HardwareCheck, SysinfoAnomalous, SuspicionScore
| sort by SuspicionScore desc, _messageTime desc
high severity high confidence

Sumo Logic detection for T1497.001 virtualisation and sandbox evasion checks. Parses Sysmon Event ID 1 and Windows Security Event ID 4688 process creation logs to identify six categories of VM-awareness behaviour: WMI hardware class queries, VM-specific registry key enumeration, VM guest driver filename references, analysis tool process scanning, hardware fingerprinting commands, and anomalous systeminfo execution. Each category contributes to a weighted SuspicionScore; events scoring 2+ are surfaced. High-fidelity indicators (driver files, WMI VM classes) score 2 each, reducing noise from legitimate hardware queries.

Data Sources

Sumo Logic Windows Sysmon source (Event ID 1)Sumo Logic Windows Event Log source (Event ID 4688 with command line auditing enabled)Sumo Logic Cloud SIEM with Windows normalized schema

Required Tables

_sourceCategory matching *windows*sysmon* for Sysmon EventID 1_sourceCategory matching *wineventlog* for Security EventID 4688Process command-line auditing must be enabled via Group Policy or Sysmon config

False Positives & Tuning

  • IT asset discovery tools (Lansweeper, Spiceworks, PDQ Inventory) run scheduled wmic.exe queries against Win32_ComputerSystem, Win32_BIOS, and Win32_Processor — create an allowlist field extraction rule scoping to known discovery service accounts.
  • VMware Tools and VirtualBox Guest Additions silently reference their own registry paths and driver files during version checks and upgrades; baseline by correlating with known VM hostname patterns and the VBoxService or VMwareService parent process.
  • Red team exercises and authorised penetration testing engagements will trigger WMI and registry checks during host enumeration; correlate with approved testing windows and source IP ranges before escalating.
  • Windows Defender ATP and CrowdStrike Falcon sensor processes query hardware information including NumberOfCores and TotalPhysicalMemory during sensor health reporting — exclude endpoint security agent process names from the HardwareCheck branch.
Download portable Sigma rule (.yml)

Other platforms for T1497.001

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1WMI BIOS and system model query for VM detection

    Expected signal: Sysmon Event ID 1: two Process Create events for wmic.exe with 'computersystem get model' and 'bios get serialnumber' command lines. WMI Operational log entries for both queries.

  2. Test 2Check for VM drivers on file system

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with driver file path checks in command line. File access events may be generated if the files exist.

  3. Test 3Enumerate running analysis tools with tasklist

    Expected signal: Sysmon Event ID 1: Process Create for tasklist.exe piped to findstr.exe with analysis tool names. Two process events generated (tasklist + findstr).

Last updated: 2026-04-14 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1497.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1497Virtualization/Sandbox Evasion

Related Sub-techniques

T1497.002User Activity Based ChecksT1497.003Time Based Checks

Related Techniques

T1497Virtualization/Sandbox EvasionT1497.002User Activity Based ChecksT1497.003Time Based ChecksT1082System Information DiscoveryT1012Query RegistryT1057Process DiscoveryT1047Windows Management InstrumentationT1083File and Directory Discovery

Same Tactic: Defense Evasion

Popular Detections