T1497.002 IBM QRadar · QRadar

Detect User Activity Based Checks in IBM QRadar

Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This includes checking mouse movement speed/frequency, click patterns, browser history and bookmarks, number of files on the desktop or in common directories, recently opened documents, and presence of user-created files. Some malware requires specific user interaction before activating, such as waiting for a document to close, a user to double-click an embedded image, or waiting for mouse button presses. Darkhotel checks mouse cursor position repeatedly, Okrum requires three left-clicks before executing, and FIN7 used embedded images requiring double-clicks to activate.

MITRE ATT&CK

Tactic
Defense Evasion Discovery
Technique
T1497 Virtualization/Sandbox Evasion
Sub-technique
T1497.002 User Activity Based Checks
Canonical reference
https://attack.mitre.org/techniques/T1497/002/

QRadar Detection Query

IBM QRadar (QRadar)
```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  LOGSOURCETYPENAME(devicetype) AS source_type,
  username,
  sourceip,
  "Process Name" AS process_name,
  "Command Line" AS command_line,
  "Parent Process Name" AS parent_process_name,
  CASE WHEN LOWER("Command Line") MATCHES '(?i).*(getcursorpos|getlastinputinfo|mouse_event|setcursorpos|getasynckeystate).*' THEN 1 ELSE 0 END AS mouse_check,
  CASE WHEN LOWER("Command Line") MATCHES '(?i).*(getforegroundwindow|getdesktopwindow).*' THEN 1 ELSE 0 END AS window_check,
  CASE WHEN LOWER("Command Line") MATCHES '(?i).*(desktop|recent|downloads|documents).*'
    AND LOWER("Command Line") MATCHES '(?i).*(count|\.count|find /c|measure-object|wc -l).*' THEN 1 ELSE 0 END AS file_count_check,
  CASE WHEN LOWER("Command Line") MATCHES '(?i).*recentdocs.*' THEN 1 ELSE 0 END AS recentdocs_check,
  CASE WHEN LOWER("Command Line") MATCHES '(?i).*(history|bookmarks|cookies|places\.sqlite).*'
    AND NOT LOWER("Process Name") MATCHES '(?i).*(chrome|firefox|msedge|brave|opera).*' THEN 1 ELSE 0 END AS browser_history_check
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND (
    LOWER("Command Line") MATCHES '(?i).*(getcursorpos|getlastinputinfo|mouse_event|setcursorpos|getasynckeystate|getforegroundwindow|getdesktopwindow).*'
    OR (
      LOWER("Process Name") IN ('cmd.exe', 'powershell.exe')
      AND LOWER("Command Line") MATCHES '(?i).*(desktop|recent|downloads|documents).*'
      AND LOWER("Command Line") MATCHES '(?i).*(count|\.count|find /c|measure-object).*'
    )
    OR LOWER("Command Line") MATCHES '(?i).*recentdocs.*'
    OR (
      LOWER("Command Line") MATCHES '(?i).*(history|bookmarks|cookies|places\.sqlite).*'
      AND NOT LOWER("Process Name") MATCHES '(?i).*(chrome|firefox|msedge|brave|opera).*'
    )
  )
ORDER BY devicetime DESC
LAST 24 HOURS
```

Severity: medium. Confidence: medium.

QRadar AQL detection for T1497.002 using Windows Security and Sysmon process creation log sources. It emits five per-event indicator columns (1 or 0) for the user activity enumeration subcategories: mouse Win32 APIs, window handle functions, file count operations on user directories, RecentDocs registry access, and browser data path queries from non-browser processes. The MATCHES operator applies Java-compatible regex to the lowercased command line fields extracted by the Sysmon or Windows Security DSM. Note that the WHERE clause is narrower than the SELECT columns for the file-count branch: it only fires for cmd.exe and powershell.exe and omits the 'wc -l' pattern, and its IN ('cmd.exe', 'powershell.exe') test requires the "Process Name" property to carry the bare image name rather than a full path.
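To see what the five CASE columns and the WHERE clause actually select, here is an added Python re-implementation of the rule's regex logic run over constructed Sysmon-style process creation events shaped after the three tests in the Testing Methodology section; it is example code written for this page, not part of the QRadar rule or the vendor's content, and it assumes "Process Name" holds the bare image name.

```python
import re

# Regexes copied from the rule's CASE expressions; Python's re treats these Java-style patterns identically.
MOUSE_API = r"(getcursorpos|getlastinputinfo|mouse_event|setcursorpos|getasynckeystate)"
WINDOW_API = r"(getforegroundwindow|getdesktopwindow)"
USER_DIRS = r"(desktop|recent|downloads|documents)"
COUNT_OPS_SELECT = r"(count|\.count|find /c|measure-object|wc -l)"  # SELECT column version
COUNT_OPS_WHERE = r"(count|\.count|find /c|measure-object)"         # WHERE clause omits 'wc -l'
BROWSER_DATA = r"(history|bookmarks|cookies|places\.sqlite)"
BROWSER_PROCS = r"(chrome|firefox|msedge|brave|opera)"

def hit(pattern, text):
    return re.search(pattern, text) is not None

def score_event(process_name, command_line):
    """Mirror of the five CASE columns: 1 when the subcategory fires, else 0."""
    p, c = process_name.lower(), command_line.lower()
    return {
        "mouse_check": int(hit(MOUSE_API, c)),
        "window_check": int(hit(WINDOW_API, c)),
        "file_count_check": int(hit(USER_DIRS, c) and hit(COUNT_OPS_SELECT, c)),
        "recentdocs_check": int(hit(r"recentdocs", c)),
        "browser_history_check": int(hit(BROWSER_DATA, c) and not hit(BROWSER_PROCS, p)),
    }

def matches_rule(process_name, command_line):
    """Mirror of the WHERE clause; its file-count branch is narrower than the SELECT column."""
    p, c = process_name.lower(), command_line.lower()
    return (hit(MOUSE_API, c) or hit(WINDOW_API, c)
            or (p in ("cmd.exe", "powershell.exe") and hit(USER_DIRS, c) and hit(COUNT_OPS_WHERE, c))
            or hit(r"recentdocs", c)
            or (hit(BROWSER_DATA, c) and not hit(BROWSER_PROCS, p)))

# Constructed sample events (process name, command line); none are real telemetry.
SAMPLE_EVENTS = [
    ("cmd.exe", r'cmd.exe /c dir /b %USERPROFILE%\Desktop | find /c /v ""'),                      # Test 1 shape
    ("reg.exe", r"reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"),   # Test 2 shape
    ("powershell.exe", "powershell.exe -c \"[Win32.User32]::GetCursorPos([ref]$pt)\""),            # Test 3 shape
    ("chrome.exe", r"chrome.exe --user-data-dir=C:\Users\a\AppData\Local\Google\Chrome\User Data History"),  # browser: excluded
    ("python.exe", r"python.exe dump.py C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\History"),   # non-browser: fires
    ("notepad.exe", r"notepad.exe C:\Users\a\Documents\notes.txt"),                                 # benign: user dir, no count op
]

if __name__ == "__main__":
    for proc, cmd in SAMPLE_EVENTS:
        print(f"{proc:15} matched={str(matches_rule(proc, cmd)):5} {score_event(proc, cmd)}")
```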

Data Sources

  • Microsoft Windows Security Event Log (EventID 4688 with command line auditing enabled)
  • Sysmon via Windows Event Log DSM (EventID 1)

Required Tables

events

False Positives & Tuning

  • RPA platforms such as UiPath, Blue Prism, or Automation Anywhere that use Win32 mouse and keyboard APIs during attended or unattended automation workflows
  • RMM agents such as ConnectWise Automate or Datto RMM executing PowerShell scripts that enumerate file counts in standard user profile directories for capacity reporting
  • Security awareness training or phishing simulation platforms that scan browser history or cookie stores to personalise lure content in authorised simulation campaigns
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Check desktop file count for sandbox detection

    Expected signal: Sysmon Event ID 1: Process Create for cmd.exe with 'dir /b' + Desktop path, piped to find.exe. Two process events generated.

  2. Test 2: Check RecentDocs registry for user activity

    Expected signal: Sysmon Event ID 1: Process Create for reg.exe with RecentDocs query. Sysmon Event ID 13: Registry key access event for the RecentDocs path.

  3. Test 3: PowerShell mouse position check for sandbox detection

    Expected signal: Sysmon Event ID 1: PowerShell process with GetCursorPos in command line. PowerShell ScriptBlock Log Event ID 4104 with the full P/Invoke code and mouse check logic.
