T1497 Elastic Security · Elastic

Detect Virtualization/Sandbox Evasion in Elastic Security

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Methods include checking for security monitoring tools, system artifacts associated with virtualization, legitimate user activity patterns, and time-based anomalies.

MITRE ATT&CK

Tactic: Defense Evasion, Discovery
Technique: T1497 Virtualization/Sandbox Evasion
Canonical reference: https://attack.mitre.org/techniques/T1497/

Elastic Detection Query

Elastic Security (Elastic), EQL:

process where event.type == "start" and (
  (process.name : "wmic.exe" and process.command_line : ("*MSAcpi_ThermalZoneTemperature*", "*Win32_Fan*", "*Win32_ComputerSystem*", "*Win32_BaseBoard*", "*Win32_BIOS*")) or
  (process.name : "reg.exe" and process.command_line : ("*VMware*", "*VirtualBox*", "*VBoxGuest*", "*QEMU*", "*VEN_15AD*", "*VEN_80EE*")) or
  (process.name : "tasklist.exe" and process.command_line : ("*wireshark*", "*procmon*", "*procexp*", "*fiddler*", "*x64dbg*", "*x32dbg*", "*ollydbg*", "*ida64*", "*idaq*", "*windbg*", "*autoruns*", "*regmon*", "*filemon*")) or
  process.name : ("vmtoolsd.exe", "vmwaretray.exe", "vboxservice.exe", "vmusrvc.exe", "vmsrvc.exe", "qemu-ga.exe", "VMwareHostOpen.exe")
)

Severity: high. Confidence: medium.

Detects T1497 Virtualization/Sandbox Evasion by matching process creation events using Elastic Common Schema (ECS) fields. Covers four evasion vectors: WMI queries for hardware artifacts indicative of a VM (MSAcpi_ThermalZoneTemperature, Win32_Fan, Win32_BIOS via wmic.exe), registry enumeration of known VM vendor keys (VMware, VirtualBox, QEMU vendor IDs via reg.exe), sandbox tool detection via tasklist scanning for debuggers and analysis tools, and direct execution or presence of VM guest agent processes.

Data Sources

  • Windows Sysmon via Elastic Agent
  • Elastic Endpoint Security

Required Tables

  • logs-endpoint.events.process-*
  • logs-windows.sysmon_operational-*

False Positives & Tuning

  • IT administrators running WMIC hardware inventory queries for asset management or capacity planning — particularly Win32_ComputerSystem and Win32_BIOS queries used by SCCM/Intune baselines to classify physical vs virtual endpoints
  • VMware vSphere or VirtualBox Guest Additions services legitimately executing vmtoolsd.exe or vboxservice.exe as part of normal VM guest operation — create a suppression for known virtual machine hostnames or gold image build pipelines
  • Security engineers or QA teams running authorized penetration testing tools (x64dbg, IDA, Wireshark) alongside tasklist enumeration checks on sandboxed analyst workstations
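As an added example (not Elastic's code and not part of this page's rule), the Python below applies the same four-vector logic as the EQL query above to constructed ECS-style process events, and adds the hostname suppression for known VM guests suggested in the tuning notes. The hostnames, command lines and vector labels are assumptions made up for the demonstration.

```python
import fnmatch
# Wildcard lists mirrored from the page's EQL rule; EQL ':' matches case-insensitively.
WMIC_PATTERNS = ["*MSAcpi_ThermalZoneTemperature*", "*Win32_Fan*", "*Win32_ComputerSystem*",
                 "*Win32_BaseBoard*", "*Win32_BIOS*"]
REG_PATTERNS = ["*VMware*", "*VirtualBox*", "*VBoxGuest*", "*QEMU*", "*VEN_15AD*", "*VEN_80EE*"]
TASKLIST_PATTERNS = ["*wireshark*", "*procmon*", "*procexp*", "*fiddler*", "*x64dbg*", "*x32dbg*",
                     "*ollydbg*", "*ida64*", "*idaq*", "*windbg*", "*autoruns*", "*regmon*", "*filemon*"]
GUEST_AGENTS = {"vmtoolsd.exe", "vmwaretray.exe", "vboxservice.exe", "vmusrvc.exe",
                "vmsrvc.exe", "qemu-ga.exe", "vmwarehostopen.exe"}

def _matches(value, patterns):
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)

def classify(event):
    """Return which of the rule's four evasion vectors an ECS process event hits, or None."""
    if event.get("event.type") != "start":
        return None
    name = event.get("process.name", "").lower()
    cmd = event.get("process.command_line", "")
    if name == "wmic.exe" and _matches(cmd, WMIC_PATTERNS):
        return "wmi_hardware_query"
    if name == "reg.exe" and _matches(cmd, REG_PATTERNS):
        return "vm_registry_enum"
    if name == "tasklist.exe" and _matches(cmd, TASKLIST_PATTERNS):
        return "analysis_tool_enum"
    if name in GUEST_AGENTS:
        return "vm_guest_agent"
    return None

def evaluate(events, suppressed_hosts=frozenset()):
    """Alerts as (host, vector); guest-agent hits on known VM hosts are dropped (tuning bullet 2)."""
    alerts = []
    for ev in events:
        vector, host = classify(ev), ev.get("host.name", "")
        if vector and not (vector == "vm_guest_agent" and host.lower() in suppressed_hosts):
            alerts.append((host, vector))
    return alerts

# Constructed sample telemetry; hostnames and command lines are made up for this example.
SAMPLE_EVENTS = [
    {"event.type": "start", "host.name": "ws-finance-07", "process.name": "WMIC.exe",
     "process.command_line": "wmic /namespace:\\\\root\\WMI path MSAcpi_ThermalZoneTemperature get CurrentTemperature"},
    {"event.type": "start", "host.name": "ws-finance-07", "process.name": "tasklist.exe",
     "process.command_line": "tasklist /fi \"IMAGENAME eq wireshark.exe\""},
    {"event.type": "start", "host.name": "vm-gold-01", "process.name": "vmtoolsd.exe",
     "process.command_line": "vmtoolsd.exe -n vmusr"},
    {"event.type": "start", "host.name": "ws-finance-07", "process.name": "vmtoolsd.exe",
     "process.command_line": "vmtoolsd.exe -n vmusr"},
]
```

Running `evaluate(SAMPLE_EVENTS, suppressed_hosts={"vm-gold-01"})` yields three alerts for ws-finance-07 and none for the gold-image host, whereas calling it without a suppression set also flags vm-gold-01.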

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: WMI thermal zone temperature check for VM detection

     Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'MSAcpi_ThermalZoneTemperature'. WMI trace log entry in Microsoft-Windows-WMI-Activity/Operational.

  2. Test 2: Registry check for VMware artifacts

     Expected signal: Sysmon Event ID 1: Process Create with Image=reg.exe, CommandLine containing 'VMware' and 'VBoxGuest'. Sysmon Event ID 13: RegistryEvent for key access.

  3. Test 3: Process enumeration for analysis tools

     Expected signal: Sysmon Event ID 1: Multiple Process Create events for tasklist.exe with filter arguments. Each tasklist invocation generates a separate process event.
