Detect User Activity Based Checks in Google Chronicle
Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This includes checking mouse movement speed/frequency, click patterns, browser history and bookmarks, number of files on the desktop or in common directories, recently opened documents, and presence of user-created files. Some malware requires specific user interaction before activating, such as waiting for a document to close, a user to double-click an embedded image, or waiting for mouse button presses. Darkhotel checks mouse cursor position repeatedly, Okrum requires three left-clicks before executing, and FIN7 used embedded images requiring double-clicks to activate.
MITRE ATT&CK
- Tactic: Defense Evasion, Discovery
- Technique: T1497 Virtualization/Sandbox Evasion
- Sub-technique: T1497.002 User Activity Based Checks
- Canonical reference: https://attack.mitre.org/techniques/T1497/002/
YARA-L Detection Query
rule t1497_002_user_activity_based_checks {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects user activity enumeration techniques used to identify sandbox or VM analysis environments (T1497.002). Covers mouse Win32 API calls, window handle checks, user directory file count operations, RecentDocs registry access, and browser data path access by non-browser processes."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1497.002"
    severity = "MEDIUM"
    priority = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1497/002/"
    created = "2026-04-14"
    version = "1.0"
    yara_l_version = "2.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.target.process.command_line != ""
    (
      // Branch 1: mouse/window Win32 API names on any command line
      re.regex($e.target.process.command_line, `(?i)(getcursorpos|getlastinputinfo|mouse_event|setcursorpos|getasynckeystate|getforegroundwindow|getdesktopwindow)`)
      // Branch 2: cmd.exe or powershell.exe counting files in user profile directories
      or (
        re.regex($e.target.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe)$`) and
        re.regex($e.target.process.command_line, `(?i)(desktop|recent|downloads|documents)`) and
        re.regex($e.target.process.command_line, `(?i)(count|\.count|find /c|measure-object)`)
      )
      // Branch 3: reg.exe touching the RecentDocs key
      or (
        re.regex($e.target.process.file.full_path, `(?i)reg\.exe$`) and
        re.regex($e.target.process.command_line, `(?i)recentdocs`)
      )
      // Branch 4: browser data artefacts referenced by a non-browser executable
      or (
        re.regex($e.target.process.command_line, `(?i)(history|bookmarks|cookies|places\.sqlite)`) and
        not re.regex($e.target.process.file.full_path, `(?i)(chrome|firefox|msedge|brave|opera)\.exe$`)
      )
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule that fires on PROCESS_LAUNCH UDM events whose target process command line matches user activity enumeration patterns associated with T1497.002. The four OR'd branches cover: (1) mouse/window Win32 API names appearing literally in any process command line, (2) cmd.exe or powershell.exe counting files in user profile directories, (3) reg.exe querying the RecentDocs registry path, and (4) browser data paths referenced by executables other than the major browsers. All matching uses re.regex with the (?i) flag for case-insensitive, unanchored matching against target.process.command_line and target.process.file.full_path. Note that branch 1 only sees an API name when it is present on the command line itself (for example an inline PowerShell P/Invoke); the same call made from a script file or a compiled binary leaves no command-line artefact and needs ScriptBlock logging or API-level telemetry instead.
Data Sources
Required Tables
- Chronicle UDM events with metadata.event_type = "PROCESS_LAUNCH", populated by an endpoint process-creation source such as Sysmon Event ID 1 or an EDR process-start feed. The rule reads only target.process.command_line and target.process.file.full_path, so the parser for the chosen source must populate the full command line and image path in those fields.
False Positives & Tuning
- Authorised GUI automation scripts using AutoHotkey, PyAutoGUI, or similar tools that legitimately call GetCursorPos or SetCursorPos APIs as part of scheduled UI testing
- IT helpdesk or endpoint management scripts that count files in user profile directories (Desktop, Downloads, Recent) for storage reporting or profile size enforcement
- Browser profile migration utilities or enterprise credential vault tools that access browser history or cookie directory paths during onboarding or synchronisation
- Branch 4 keys on the bare substrings "history" and "cookies", so unrelated command lines such as PowerShell Get-History or Clear-History, or a file named history.txt, also match; if this is noisy, tighten the pattern to browser profile paths (for example User Data\Default\History or places.sqlite) rather than the bare words
Testing Methodology
Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Check desktop file count for sandbox detection
Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with 'dir /b' plus the Desktop path, piped to find.exe. Two process events are generated (cmd.exe and find.exe); the cmd.exe event carries the full pipeline on its command line and satisfies branch 2.
- Test 2: Check RecentDocs registry for user activity
Expected signal: Sysmon Event ID 1: Process Create for reg.exe with the RecentDocs query on its command line (branch 3). Sysmon does not log registry reads (its registry events 12, 13 and 14 cover key create/delete, value set and rename), so a reg query of the RecentDocs key only produces a registry event if object access auditing is enabled on that key (Windows Security Event ID 4663).
- Test 3: PowerShell mouse position check for sandbox detection
Expected signal: Sysmon Event ID 1: PowerShell process with GetCursorPos in the command line (branch 1). PowerShell ScriptBlock Log Event ID 4104 with the full P/Invoke code and mouse check logic; if the check is run from a script file instead of inline, 4104 is the only record of the API name, because the command line then shows only the script path.
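To see what each of the three expected process-creation events above would trigger in the rule, and where the rule over- or under-reaches, the following Python script re-implements the rule's four branches with its own regexes and runs them over hand-constructed UDM-shaped events. This is an added example, not code from Argus Detection Engineering or from Google Chronicle; the command lines, file paths and the [W.User32] type name are constructed samples, and Chronicle's re.regex is modelled as an unanchored case-insensitive search (Python re.search with the rule's own (?i) patterns).

```python
"""Offline re-implementation of the four detection branches of the Chronicle
rule t1497_002_user_activity_based_checks, run over constructed UDM-style
PROCESS_LAUNCH events.  Added example, not code from the rule's author or
from Google; the events are hand-built samples, and re.regex is modelled as an
unanchored, case-insensitive search (the (?i) flags are copied from the rule)."""
import re

# The regexes below are the rule's own patterns, unchanged.
API_NAMES = re.compile(r"(?i)(getcursorpos|getlastinputinfo|mouse_event|setcursorpos|"
                       r"getasynckeystate|getforegroundwindow|getdesktopwindow)")
SHELL_EXE = re.compile(r"(?i)(cmd\.exe|powershell\.exe)$")
USER_DIRS = re.compile(r"(?i)(desktop|recent|downloads|documents)")
COUNT_OPS = re.compile(r"(?i)(count|\.count|find /c|measure-object)")
REG_EXE = re.compile(r"(?i)reg\.exe$")
RECENTDOCS = re.compile(r"(?i)recentdocs")
BROWSER_DATA = re.compile(r"(?i)(history|bookmarks|cookies|places\.sqlite)")
BROWSER_EXE = re.compile(r"(?i)(chrome|firefox|msedge|brave|opera)\.exe$")


def matched_branches(event):
    """Return the rule branches (1..4) an event satisfies; [] means no alert.

    Mirrors the YARA-L events section: the event must be a PROCESS_LAUNCH
    with a non-empty command line, then any of the four OR'd groups fires.
    """
    if event.get("metadata", {}).get("event_type") != "PROCESS_LAUNCH":
        return []
    proc = event.get("target", {}).get("process", {})
    cmd = proc.get("command_line", "")
    path = proc.get("file", {}).get("full_path", "")
    if not cmd:
        return []
    hits = []
    if API_NAMES.search(cmd):                                   # branch 1
        hits.append(1)
    if SHELL_EXE.search(path) and USER_DIRS.search(cmd) and COUNT_OPS.search(cmd):
        hits.append(2)                                          # branch 2
    if REG_EXE.search(path) and RECENTDOCS.search(cmd):         # branch 3
        hits.append(3)
    if BROWSER_DATA.search(cmd) and not BROWSER_EXE.search(path):
        hits.append(4)                                          # branch 4
    return hits


def launch(full_path, command_line, event_type="PROCESS_LAUNCH"):
    """Build a minimal UDM-shaped event dict (constructed sample data)."""
    return {"metadata": {"event_type": event_type},
            "target": {"process": {"file": {"full_path": full_path},
                                   "command_line": command_line}}}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed samples: the three tests' expected process events, a browser
# launch that is excluded from branch 4, a non-browser copy of a Chrome
# History file, and three command lines that show the rule's edges.
SAMPLES = {
    "test1_desktop_count": launch(
        r"C:\Windows\System32\cmd.exe",
        r'cmd.exe /c dir /b "%USERPROFILE%\Desktop" | find /c /v ""'),
    "test2_recentdocs_query": launch(
        r"C:\Windows\System32\reg.exe",
        r'reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"'),
    "test3_cursor_position": launch(
        PS, 'powershell.exe -NoProfile -Command "[W.User32]::GetCursorPos([ref]$pt)"'),
    # "cookies" is on the command line, but firefox.exe is excluded by branch 4.
    "browser_exe_excluded": launch(
        r"C:\Program Files\Mozilla Firefox\firefox.exe",
        '"firefox.exe" -P default -url https://example.test/privacy/cookies'),
    "cmd_copies_chrome_history": launch(
        r"C:\Windows\System32\cmd.exe",
        r'cmd.exe /c copy "%LOCALAPPDATA%\Google\Chrome\User Data\Default\History" C:\Temp\h.db'),
    # Over-reach: the bare substring "history" also matches Get-History.
    "fp_powershell_get_history": launch(
        PS, 'powershell.exe -Command "Get-History | Export-Clixml C:\\Temp\\hist.xml"'),
    # Under-reach: the same cursor check inside a script file never puts the
    # API name on the command line, so only ScriptBlock logging (4104) sees it.
    "miss_cursor_check_in_script": launch(
        PS, r"powershell.exe -ExecutionPolicy Bypass -File C:\Temp\sandbox_probe.ps1"),
    # Gate check: a non-launch event type is ignored even with an API string.
    "ignored_non_launch_event": launch(
        PS, 'powershell.exe -Command "GetCursorPos"', event_type="PROCESS_OPEN"),
}


def run_all(samples=SAMPLES):
    """Evaluate every sample; returns {name: [branches]}."""
    return {name: matched_branches(ev) for name, ev in samples.items()}


if __name__ == "__main__":
    for name, branches in run_all().items():
        print(f"{name:30s} -> {'ALERT branches ' + str(branches) if branches else 'no match'}")
```

Running the script shows tests 1, 2 and 3 landing on branches 2, 3 and 1 respectively, the Firefox launch suppressed by the branch 4 exclusion, and the cmd.exe copy of a Chrome History file caught by branch 4. The last three samples are the ones worth keeping in mind when tuning: Get-History also trips branch 4 because the pattern is a bare substring, a cursor check run from a .ps1 file produces no match at all, and anything that is not a PROCESS_LAUNCH event is never evaluated.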
References (6)
- https://attack.mitre.org/techniques/T1497/002/
- https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
- https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
- https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
- https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.002/T1497.002.md