T1497 IBM QRadar · QRadar

Detect Virtualization/Sandbox Evasion in IBM QRadar

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Methods include checking for security monitoring tools, system artifacts associated with virtualization, legitimate user activity patterns, and time-based anomalies.

MITRE ATT&CK

Tactic: Defense Evasion, Discovery
Technique: T1497 Virtualization/Sandbox Evasion
Canonical reference: https://attack.mitre.org/techniques/T1497/

QRadar Detection Query

IBM QRadar (QRadar), AQL:

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  sourceip AS SourceIP,
  username AS UserName,
  "Image" AS ProcessImage,
  "CommandLine" AS CommandLine,
  "ParentImage" AS ParentProcess,
  CASE WHEN "CommandLine" IMATCHES '.*(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard).*' AND "Image" IMATCHES '.*wmic\.exe' THEN 2 ELSE 0 END +
  CASE WHEN "CommandLine" IMATCHES '.*(vmware|virtualbox|vboxguest|qemu|ven_15ad|ven_80ee).*' AND "Image" IMATCHES '.*reg\.exe' THEN 2 ELSE 0 END +
  CASE WHEN "CommandLine" IMATCHES '.*tasklist.*' AND "CommandLine" IMATCHES '.*(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|windbg|autoruns|regmon|filemon).*' THEN 2 ELSE 0 END +
  CASE WHEN "CommandLine" IMATCHES '.*(vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga).*' THEN 1 ELSE 0 END AS SuspicionScore
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Snare for Windows Sysmon')
  AND "EventID" = 1
  AND (
    "CommandLine" IMATCHES '.*(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard|vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga).*'
    OR ("CommandLine" IMATCHES '.*(vmware|virtualbox|vboxguest|qemu|ven_15ad|ven_80ee).*' AND "Image" IMATCHES '.*reg\.exe')
    OR ("CommandLine" IMATCHES '.*tasklist.*' AND "CommandLine" IMATCHES '.*(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|windbg|autoruns|regmon|filemon).*')
  )
LAST 24 HOURS

Severity: high. Confidence: medium.

Detects T1497 Virtualization/Sandbox Evasion in IBM QRadar using AQL against Sysmon EventID 1 (Process Create) events. It applies a weighted suspicion score across four VM evasion categories, using IMATCHES for case-insensitive regex matching: WMI hardware artifact queries via wmic.exe (score 2), VM registry key enumeration via reg.exe (score 2), sandbox analysis tool detection via tasklist (score 2), and direct VM guest process detection (score 1). Results include the raw process image and command line for analyst triage. Note that the WHERE clause admits only EventID 1, so Windows Security Event Log 4688 records listed under Data Sources are matched only after their EventID and process fields are mapped to the same properties.
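To check the scoring logic before deploying the AQL, the following is an added Python re-implementation of the four weighted CASE branches run over constructed Sysmon Event ID 1 records; it is example code written for this page, not part of the original rule or of QRadar, and the rule names, the sample events and the triage threshold are assumptions. `re.search` gives the substring match the description intends for each pattern.

```python
import re

# Weighted rules mirroring the four CASE branches of the AQL SuspicionScore: (rule name,
# weight, regex the Image must end with or None, regexes that must all match the CommandLine).
RULES = [
    ("wmi_hardware_query", 2, r"wmic\.exe$",
     r"msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard"),
    ("vm_registry_enum", 2, r"reg\.exe$", r"vmware|virtualbox|vboxguest|qemu|ven_15ad|ven_80ee"),
    ("analysis_tool_enum", 2, None, r"tasklist",
     r"wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|windbg|autoruns|regmon|filemon"),
    ("vm_guest_process", 1, None, r"vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga"),
]
COMPILED = [(name, weight, re.compile(img, re.I) if img else None,
             [re.compile(p, re.I) for p in cmds]) for name, weight, img, *cmds in RULES]

def score_event(event):
    """Return (SuspicionScore, matched rule names) for one Sysmon EventID 1 record."""
    if event.get("EventID") != 1:  # the AQL WHERE clause only admits Process Create
        return 0, []
    cmd, image = event.get("CommandLine", ""), event.get("Image", "")
    score, hits = 0, []
    for name, weight, img, cmds in COMPILED:
        if all(p.search(cmd) for p in cmds) and (img is None or img.search(image)):
            score += weight
            hits.append(name)
    return score, hits

def triage(events, threshold=2):
    """Events scoring at or above threshold, highest score first, for analyst review."""
    scored = [(score_event(e)[0], e) for e in events]
    return sorted([(s, e) for s, e in scored if s >= threshold], key=lambda t: -t[0])

# Constructed sample events (hypothetical telemetry, not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic /namespace:\\root\WMI path MSAcpi_ThermalZoneTemperature get CurrentTemperature"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg query "HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\tasklist.exe",
     "CommandLine": 'tasklist /FI "IMAGENAME eq procmon.exe"'},
    {"EventID": 1, "Image": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
     "CommandLine": '"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -n vmusr'},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe report.txt"},
]
if __name__ == "__main__":
    for score, event in triage(SAMPLE_EVENTS):
        print(score, event["Image"], event["CommandLine"])
```

The vmtoolsd sample scores only 1 and so falls below the default threshold of 2, which is the tuning point for hosts where guest tools are expected.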

Data Sources

  • Windows Sysmon (EventID 1 via Snare or WinCollect)
  • Windows Security Event Log (EventID 4688 with enhanced process auditing)

Required Tables

events

False Positives & Tuning

  • System administrators using WMIC for routine hardware diagnostics — Win32_BIOS and MSAcpi_ThermalZoneTemperature queries appear in many legitimate hardware monitoring and IPMI management workflows
  • Dedicated VM hosts running VMware ESXi guest tools or VirtualBox Guest Additions where vmtoolsd.exe and vboxservice.exe are expected resident processes — exclude by CIDR range or asset group for known hypervisor infrastructure
  • Authorized red team or penetration testing engagements that include VM evasion checks as part of scoped adversary simulation — correlate SuspicionScore spikes with change windows and approved test plans
Testing Methodology

Validate this detection against 3 Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: WMI thermal zone temperature check for VM detection

     Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'MSAcpi_ThermalZoneTemperature'. WMI trace log entry in Microsoft-Windows-WMI-Activity/Operational.

  2. Test 2: Registry check for VMware artifacts

     Expected signal: Sysmon Event ID 1: Process Create with Image=reg.exe, CommandLine containing 'VMware' and 'VBoxGuest'. Sysmon Event ID 13: RegistryEvent for key access.

  3. Test 3: Process enumeration for analysis tools

     Expected signal: Sysmon Event ID 1: Multiple Process Create events for tasklist.exe with filter arguments. Each tasklist invocation generates a separate process event.
