T1497 Google Chronicle · YARA-L

Detect Virtualization/Sandbox Evasion in Google Chronicle

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Methods include checking for security monitoring tools, system artifacts associated with virtualization, legitimate user activity patterns, and time-based anomalies.

MITRE ATT&CK

Tactic
Defense Evasion, Discovery
Technique
T1497 Virtualization/Sandbox Evasion
Canonical reference
https://attack.mitre.org/techniques/T1497/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule t1497_vm_sandbox_evasion {
  meta:
    author = "Detection Engineering"
    description = "Detects T1497 Virtualization/Sandbox Evasion via WMI hardware queries, VM registry enumeration, and sandbox tool scanning"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1497"
    severity = "HIGH"
    confidence = "MEDIUM"
    reference = "https://attack.mitre.org/techniques/T1497/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      (
        $e.target.process.file.basename = /(?i)wmic\.exe/ and
        $e.target.process.command_line = /(?i)(MSAcpi_ThermalZoneTemperature|Win32_Fan|Win32_ComputerSystem|Win32_BaseBoard|Win32_BIOS)/
      ) or
      (
        $e.target.process.file.basename = /(?i)reg\.exe/ and
        $e.target.process.command_line = /(?i)(VMware|VirtualBox|VBoxGuest|QEMU|VEN_15AD|VEN_80EE)/
      ) or
      (
        $e.target.process.command_line = /(?i)tasklist/ and
        $e.target.process.command_line = /(?i)(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg|autoruns|regmon|filemon)/
      ) or
      $e.target.process.file.basename = /(?i)(vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga|VMwareHostOpen)\.exe/
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting T1497 Virtualization/Sandbox Evasion. It matches PROCESS_LAUNCH UDM events with case-insensitive regexes on the target process basename (so the match does not depend on the full image path) and on the command line. The four OR-grouped branches cover the same evasion vectors as the reference KQL and SPL rules: WMI hardware fingerprinting via wmic.exe, VM vendor registry key querying via reg.exe, enumeration of analysis tools via tasklist, and direct launches of VM guest service processes. The tasklist branch keys on command_line only, not on basename, so it also catches the tool scan when it is wrapped in another interpreter (for example cmd.exe running tasklist piped to findstr). Because `condition: $e` fires on any single matching event, one wmic query or one reg query is enough to alert; there is no requirement that several branches match on the same host.

Data Sources

Chronicle UDM via Google SecOps; Windows endpoint telemetry ingested via Chronicle Forwarder or third-party EDR UDM normalization

Required Tables

UDM PROCESS_LAUNCH events with target.process.file.basename and target.process.command_line populated

False Positives & Tuning

  • VMware Tools (vmtoolsd.exe, vmwaretray.exe, VMwareHostOpen.exe) and VirtualBox Guest Additions (VBoxService.exe) run inside every guest VM and start at boot and logon, so the fourth branch fires on ordinary virtualized endpoints, not only during authorized guest VM lifecycle operations. Add an exclusion matching principal.hostname against the known VM and hypervisor host inventory, or restrict that branch to hosts expected to be physical.
  • Enterprise software packaging and deployment systems (Microsoft SCCM task sequences, Intune Win32 app wrappers) that call wmic.exe to query Win32_ComputerSystem model and Win32_BIOS serial number for hardware-targeted deployment logic
  • Security awareness training platforms or malware detonation sandboxes that run commodity malware samples as part of controlled exercises — these will trigger all four detection categories simultaneously and at high frequency from known sandbox hostnames

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: WMI thermal zone temperature check for VM detection

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'MSAcpi_ThermalZoneTemperature'. The Microsoft-Windows-WMI-Activity/Operational log records provider loads (Event 5857) and query errors (Event 5858) rather than every successful query; per-query tracing requires the WMI-Activity/Trace channel to be enabled.

  2. Test 2: Registry check for VMware artifacts

    Expected signal: Sysmon Event ID 1: Process Create with Image=reg.exe, CommandLine containing 'VMware' or 'VBoxGuest'. Note that reg query only reads keys; Sysmon registry events (ID 12, 13, 14) are generated for key creation, value set and rename, not for reads, so the process create event is the signal to rely on.

  3. Test 3: Process enumeration for analysis tools

    Expected signal: Sysmon Event ID 1: Multiple Process Create events for tasklist.exe with filter arguments. Each tasklist invocation generates a separate process event.
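The following Python model reproduces the rule's events section over constructed UDM-shaped events, so the branch logic described under the rule, the three test cases above, and the hostname exclusion from the tuning notes can be checked offline before the rule is deployed. It is an added example, not code from the page or from Google SecOps: the event dictionaries, hostnames, command lines and the KNOWN_VM_HOSTS inventory are all invented test data, and the branch names are labels chosen here for readability.

```python
import re

# Patterns transcribed from the rule's events section. The (?i) inline flag
# behaves the same in RE2 (Chronicle) and in Python's re module.
WMIC_BASENAME = re.compile(r"(?i)wmic\.exe")
WMIC_CMDLINE = re.compile(
    r"(?i)(MSAcpi_ThermalZoneTemperature|Win32_Fan|Win32_ComputerSystem|Win32_BaseBoard|Win32_BIOS)")
REG_BASENAME = re.compile(r"(?i)reg\.exe")
REG_CMDLINE = re.compile(r"(?i)(VMware|VirtualBox|VBoxGuest|QEMU|VEN_15AD|VEN_80EE)")
TASKLIST_CMDLINE = re.compile(r"(?i)tasklist")
TOOLS_CMDLINE = re.compile(
    r"(?i)(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg|autoruns|regmon|filemon)")
GUEST_SERVICE_BASENAME = re.compile(
    r"(?i)(vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga|VMwareHostOpen)\.exe")

# Hypothetical VM inventory for the tuning exclusion; not from the page.
KNOWN_VM_HOSTS = {"lab-vm-07"}


def evaluate(event):
    """Return the names of the rule branches a single UDM event satisfies.

    The rule ORs four branches inside one event variable, so any non-empty
    result would fire the YARA-L rule (condition: $e). The rule's patterns
    are unanchored, so substring matching (re.search) is used here.
    """
    if event.get("metadata", {}).get("event_type") != "PROCESS_LAUNCH":
        return []
    proc = event.get("target", {}).get("process", {})
    basename = proc.get("file", {}).get("basename", "")
    cmdline = proc.get("command_line", "")
    hits = []
    if WMIC_BASENAME.search(basename) and WMIC_CMDLINE.search(cmdline):
        hits.append("wmi_hardware_query")
    if REG_BASENAME.search(basename) and REG_CMDLINE.search(cmdline):
        hits.append("vm_registry_query")
    if TASKLIST_CMDLINE.search(cmdline) and TOOLS_CMDLINE.search(cmdline):
        hits.append("analysis_tool_scan")
    if GUEST_SERVICE_BASENAME.search(basename):
        hits.append("vm_guest_service")
    return hits


def triage(events, known_vm_hosts=KNOWN_VM_HOSTS):
    """Apply the hostname exclusion from the tuning notes.

    A host in the VM inventory that only trips the guest-service branch is
    suppressed; every other match is kept. Returns (hostname, branches) pairs.
    """
    alerts = []
    for ev in events:
        hits = evaluate(ev)
        if not hits:
            continue
        host = ev.get("principal", {}).get("hostname", "")
        if hits == ["vm_guest_service"] and host in known_vm_hosts:
            continue
        alerts.append((host, hits))
    return alerts


def udm(host, basename, cmdline, event_type="PROCESS_LAUNCH"):
    """Build a minimal UDM-shaped event (constructed test data, not real telemetry)."""
    return {
        "metadata": {"event_type": event_type},
        "principal": {"hostname": host},
        "target": {"process": {"file": {"basename": basename}, "command_line": cmdline}},
    }


# Constructed events mirroring the three tests above plus tuning cases.
SAMPLE_EVENTS = [
    udm("ws-101", "WMIC.exe",
        r"wmic /namespace:\\root\wmi PATH MSAcpi_ThermalZoneTemperature get CurrentTemperature"),
    udm("ws-101", "reg.exe", r'reg query "HKLM\SOFTWARE\VMware, Inc.\VMware Tools"'),
    udm("ws-101", "tasklist.exe", 'tasklist /FI "IMAGENAME eq wireshark.exe"'),
    # Deployment-tool hardware inventory from the false-positive notes: still fires.
    udm("deploy-01", "wmic.exe", "wmic path Win32_BIOS get SerialNumber"),
    # Same query via the wmic alias form carries no Win32_ prefix, so the rule misses it.
    udm("deploy-01", "wmic.exe", "wmic bios get serialnumber"),
    # VMware Tools starting on an inventoried guest: matched, then suppressed by triage().
    udm("lab-vm-07", "vmtoolsd.exe", r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe -n vmusr"),
    # A non-process event with a matching command line is ignored by the event_type gate.
    udm("ws-101", "reg.exe", "reg query HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX__", event_type="GENERIC_EVENT"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["principal"]["hostname"], "|", ev["target"]["process"]["command_line"], "->", evaluate(ev))
    print("alerts:", triage(SAMPLE_EVENTS))
```

The fifth sample is the one worth noticing: the rule keys on the Win32_ class names, so the wmic alias forms (`wmic bios`, `wmic computersystem`, `wmic baseboard`) that return the same hardware fields are not matched. If that gap matters in your environment, extend the wmic command-line alternation with the alias names, and expect the deployment-tool false positives in the tuning notes to grow accordingly.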
