T1497 CrowdStrike LogScale · LogScale

Detect Virtualization/Sandbox Evasion in CrowdStrike LogScale

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Methods include checking for security monitoring tools, system artifacts associated with virtualization, legitimate user activity patterns, and time-based anomalies.

MITRE ATT&CK

Tactic
Defense Evasion, Discovery
Technique
T1497 Virtualization/Sandbox Evasion
Canonical reference
https://attack.mitre.org/techniques/T1497/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
#event_simpleName = "ProcessRollup2"
| event_platform = "Win"
| CommandLine = *
| cmdLine := lower(CommandLine)
| imgName := lower(ImageFileName)
| wmiVMCheck := if(imgName = /wmic\.exe$/ and cmdLine = /(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard|\bbios\b|\bcomputersystem\b|\bbaseboard\b)/, then=2, else=0)
| regVMCheck := if(imgName = /reg\.exe$/ and cmdLine = /(vmware|virtualbox|vboxguest|qemu|ven_15ad|ven_80ee)/, then=2, else=0)
| procScan := if(cmdLine = /tasklist/ and cmdLine = /(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg|autoruns|regmon|filemon)/, then=2, else=0)
| vmToolCheck := if(cmdLine = /(vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga)/, then=1, else=0)
| suspicionScore := wmiVMCheck + regVMCheck + procScan + vmToolCheck
| suspicionScore > 0
| select([@timestamp, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ParentCommandLine, wmiVMCheck, regVMCheck, procScan, vmToolCheck, suspicionScore])
| sort(suspicionScore, order=desc, limit=1000)
Severity: high. Confidence: high.

Detects T1497 Virtualization/Sandbox Evasion with a CrowdStrike Query Language (CQL) search over ProcessRollup2 events from the Falcon sensor. It applies a multi-indicator suspicion score: WMI hardware queries via wmic.exe for classes such as MSAcpi_ThermalZoneTemperature, Win32_BIOS and Win32_ComputerSystem (2 points), registry enumeration of VM vendor keys and PCI vendor IDs (VEN_15AD for VMware, VEN_80EE for VirtualBox) via reg.exe (2 points), tasklist enumeration of analysis tools such as Wireshark, Procmon and common debuggers (2 points), and any reference to VM guest service binaries such as vmtoolsd or VBoxService (1 point). Because wmic aliases such as `wmic bios get serialnumber` or `wmic computersystem get model` never spell out the Win32_ class name, the WMI pattern has to match the alias words as well as the class names, or those invocations are missed. Fields are lowercased with `lower()` before matching so the regexes are case-insensitive; this costs one extra eval per event, and appending the `/i` flag to each regex is an equivalent alternative. Falcon's command-line capture is generally more complete than Windows native logging, where Security event 4688 records the command line only when process command-line auditing is enabled. Note that the score is computed per event, so a single reg query or wmic call already reaches 2; for lower-noise alerting, group by ComputerName over a short window and require more than one indicator type.
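The scoring model above can be exercised offline before the query is deployed. The following is an added example, not CrowdStrike code and not part of the published rule: it re-implements the four indicator checks, the score > 0 filter, the ranking, and the ParentBaseFileName exclusion from the tuning notes in Python, and adds a per-host roll-up that counts distinct indicator types. Field names match Falcon ProcessRollup2 (ImageFileName, CommandLine, ParentBaseFileName, ComputerName); the events in SAMPLE_EVENTS and the parent name "inventoryagent.exe" are constructed test data. The WMI pattern here also matches the wmic aliases (bios, computersystem, baseboard), which a Win32_-class-only regex would miss.

```python
"""Reference implementation of the suspicion-score model from the LogScale query.

Added example, not CrowdStrike code and not part of the published rule. Field
names match Falcon ProcessRollup2; SAMPLE_EVENTS and the parent name
"inventoryagent.exe" are constructed test data.
"""
import re

# Indicator regexes, applied to lowercased fields as the query does. The WMI
# pattern also matches the wmic aliases (bios, computersystem, baseboard) that
# 'wmic bios get serialnumber' uses; a Win32_-only pattern would miss them.
WMI_VM_RE = re.compile(
    r"(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios"
    r"|win32_baseboard|\bbios\b|\bcomputersystem\b|\bbaseboard\b)")
REG_VM_RE = re.compile(r"(vmware|virtualbox|vboxguest|qemu|ven_15ad|ven_80ee)")
ANALYSIS_TOOL_RE = re.compile(
    r"(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|idaq|windbg"
    r"|autoruns|regmon|filemon)")
VM_TOOL_RE = re.compile(r"(vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga)")
INDICATORS = ("wmiVMCheck", "regVMCheck", "procScan", "vmToolCheck")


def score_event(event):
    """Return per-indicator points and the total for one process event."""
    cmd = event.get("CommandLine", "").lower()
    img = event.get("ImageFileName", "").lower()
    wmi = 2 if img.endswith("wmic.exe") and WMI_VM_RE.search(cmd) else 0
    reg = 2 if img.endswith("reg.exe") and REG_VM_RE.search(cmd) else 0
    proc = 2 if "tasklist" in cmd and ANALYSIS_TOOL_RE.search(cmd) else 0
    vmtool = 1 if VM_TOOL_RE.search(cmd) else 0
    return {"wmiVMCheck": wmi, "regVMCheck": reg, "procScan": proc,
            "vmToolCheck": vmtool, "suspicionScore": wmi + reg + proc + vmtool}


def run_detection(events, known_parents=frozenset()):
    """Filter, score, keep suspicionScore > 0 and rank, like the query.

    known_parents applies the ParentBaseFileName exclusion from the tuning
    notes; names are compared lowercased.
    """
    hits = []
    for ev in events:
        if not ev.get("CommandLine"):  # CommandLine = *
            continue
        if ev.get("ParentBaseFileName", "").lower() in known_parents:
            continue
        scores = score_event(ev)
        if scores["suspicionScore"] > 0:
            hits.append({**ev, **scores})
    hits.sort(key=lambda h: h["suspicionScore"], reverse=True)  # stable sort
    return hits


def summarize_by_host(hits):
    """Per-host roll-up: total score and number of distinct indicator types.

    The query scores each event alone, so one reg query already reaches 2;
    requiring several indicator types per host is the cheap way to cut noise.
    """
    per_host = {}
    for h in hits:
        entry = per_host.setdefault(h["ComputerName"], {"total": 0, "types": set()})
        entry["total"] += h["suspicionScore"]
        entry["types"].update(k for k in INDICATORS if h[k])
    return {host: {"total": e["total"], "indicatorTypes": len(e["types"])}
            for host, e in per_host.items()}


WMIC = r"\Device\HarddiskVolume3\Windows\System32\wbem\WMIC.exe"
SYS32 = r"\Device\HarddiskVolume3\Windows\System32"
# Constructed sample events; only the fields the query reads are populated.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "ImageFileName": WMIC, "ParentBaseFileName": "cmd.exe",
     "CommandLine": r"WMIC /namespace:\\root\wmi PATH MSAcpi_ThermalZoneTemperature get CurrentTemperature"},
    {"ComputerName": "WS01", "ImageFileName": SYS32 + r"\reg.exe", "ParentBaseFileName": "powershell.exe",
     "CommandLine": r'reg query "HKLM\SOFTWARE\VMware, Inc.\VMware Tools"'},
    {"ComputerName": "WS01", "ImageFileName": SYS32 + r"\cmd.exe", "ParentBaseFileName": "explorer.exe",
     "CommandLine": 'cmd.exe /c tasklist /fi "imagename eq wireshark.exe"'},
    {"ComputerName": "WS01", "ImageFileName": SYS32 + r"\cmd.exe", "ParentBaseFileName": "explorer.exe",
     "CommandLine": 'cmd.exe /c tasklist /fi "imagename eq vmtoolsd.exe"'},
    # Inventory agent fingerprinting a device: the tuning exclusion should drop it.
    {"ComputerName": "WS02", "ImageFileName": WMIC, "ParentBaseFileName": "inventoryagent.exe",
     "CommandLine": "wmic computersystem get model"},
    # Installer checking the BIOS serial on a build agent: a candidate false positive.
    {"ComputerName": "BUILD-AGENT-07", "ImageFileName": WMIC, "ParentBaseFileName": "setup.exe",
     "CommandLine": "wmic bios get serialnumber"},
    {"ComputerName": "WS01", "ImageFileName": SYS32 + r"\notepad.exe", "ParentBaseFileName": "explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

if __name__ == "__main__":
    found = run_detection(SAMPLE_EVENTS, known_parents=frozenset({"inventoryagent.exe"}))
    for h in found:
        print(h["suspicionScore"], h["ComputerName"], h["CommandLine"])
    print(summarize_by_host(found))
```

Running it shows WS01 accumulating all four indicator types (total 7) while the build agent's single BIOS query scores 2 with one indicator type, which is the shape of signal the per-host roll-up is meant to separate; the inventory agent's query is dropped only because of the parent exclusion and still scores 2 on its own.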

Data Sources

CrowdStrike Falcon EDR — ProcessRollup2 events via Falcon sensor telemetry

Required Tables

ProcessRollup2 events streamed via Falcon Data Replicator or Humio/LogScale Falcon connector

False Positives & Tuning

  • EDR, asset-inventory and monitoring agents may invoke wmic.exe to query Win32_ComputerSystem or Win32_BIOS for device fingerprinting; exclude by ParentBaseFileName matching the known agent binaries, after confirming the parent's path and signer so the exclusion cannot be abused by a malicious process with the same name
  • Software installation wrappers (NSIS, InstallShield, WiX installers) that query Win32_ComputerSystem model or Win32_BIOS serial number to gate license validation or detect virtual lab environments for trial enforcement
  • Cloud VM provisioning and image baking pipelines (Packer, Terraform provisioners) that query Hyper-V and VMware registry keys to configure OS-level tuning for virtualized workloads — suppress by ComputerName prefix matching known build agent naming conventions

Testing Methodology

Validate this detection against three Atomic Red Team tests for T1497. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: WMI thermal zone temperature check for VM detection

    Expected signal: Falcon ProcessRollup2 with ImageFileName ending in wmic.exe and CommandLine containing 'MSAcpi_ThermalZoneTemperature' (wmiVMCheck = 2). Sysmon equivalent: Event ID 1 Process Create with Image=wmic.exe. A WMI query entry in Microsoft-Windows-WMI-Activity/Operational when that log is enabled.

  2. Test 2: Registry check for VMware artifacts

    Expected signal: Falcon ProcessRollup2 with ImageFileName ending in reg.exe and CommandLine containing 'VMware' or 'VBoxGuest', one event per reg query (regVMCheck = 2). Sysmon equivalent: Event ID 1 Process Create with Image=reg.exe. Sysmon does not log registry reads (Event IDs 12 to 14 cover key create/delete, value set and rename), so do not expect a RegistryEvent for reg query; the process creation is the signal.

  3. Test 3: Process enumeration for analysis tools

    Expected signal: Multiple Falcon ProcessRollup2 events for tasklist.exe with /fi filter arguments naming analysis tools (procScan = 2); each tasklist invocation is a separate process event. Sysmon equivalent: one Event ID 1 Process Create per invocation.
