T1497 Microsoft Sentinel · KQL

Detect Virtualization/Sandbox Evasion in Microsoft Sentinel

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Methods include checking for security monitoring tools, system artifacts associated with virtualization, legitimate user activity patterns, and time-based anomalies.

MITRE ATT&CK

Tactic
Defense Evasion Discovery
Technique
T1497 Virtualization/Sandbox Evasion
Canonical reference
https://attack.mitre.org/techniques/T1497/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let VMDetectCommands = dynamic(["MSAcpi_ThermalZoneTemperature", "Win32_Fan", "Win32_ComputerSystem", "VMwareHostOpen.exe", "VBoxService", "vmtoolsd", "vmwaretray", "vboxservice", "qemu-ga", "vmusrvc", "vmsrvc"]);
let VMDetectRegistry = dynamic(["HKLM\\SOFTWARE\\VMware", "HKLM\\SOFTWARE\\Oracle\\VirtualBox", "SYSTEM\\CurrentControlSet\\Services\\VBoxGuest", "SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_15AD", "SYSTEM\\CurrentControlSet\\Enum\\PCI\\VEN_80EE"]);
let SandboxDetectTools = dynamic(["wireshark", "procmon", "procexp", "fiddler", "x64dbg", "x32dbg", "ollydbg", "ida64", "idaq", "windbg", "regmon", "filemon", "autoruns"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (VMDetectCommands)
    or ProcessCommandLine has_any (VMDetectRegistry)
    or (FileName =~ "wmic.exe" and ProcessCommandLine has_any ("MSAcpi_ThermalZoneTemperature", "Win32_Fan", "Win32_ComputerSystem", "Win32_BaseBoard", "Win32_BIOS"))
    or (FileName =~ "reg.exe" and ProcessCommandLine has_any ("VMware", "VirtualBox", "VBoxGuest", "QEMU"))
    or (ProcessCommandLine has "tasklist" and ProcessCommandLine has_any (SandboxDetectTools))
| extend WMICheck = ProcessCommandLine has_any ("MSAcpi_ThermalZoneTemperature", "Win32_Fan", "Win32_ComputerSystem", "Win32_BIOS")
| extend RegistryCheck = ProcessCommandLine has_any ("VMware", "VirtualBox", "VBoxGuest", "QEMU") and FileName =~ "reg.exe"
| extend ProcessScan = ProcessCommandLine has "tasklist" and ProcessCommandLine has_any (SandboxDetectTools)
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         WMICheck, RegistryCheck, ProcessScan
| sort by Timestamp desc
medium severity medium confidence

Broad detection for virtualization and sandbox evasion techniques. Monitors for WMI queries targeting thermal zone temperature (VM detection), fan/hardware checks, registry queries for VMware/VirtualBox/QEMU artifacts, and process enumeration looking for analysis tools (Wireshark, ProcMon, debuggers). Covers techniques used by Agent Tesla, Bumblebee, GravityRAT, QakBot, and Raspberry Robin.

Data Sources

Process: Process CreationCommand: Command ExecutionWindows Registry: Windows Registry Key AccessMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • System administrators running WMI queries for hardware inventory and asset management
  • IT automation tools (SCCM, Intune, ManageEngine) collecting system hardware information via WMI
  • Security teams running sandbox detection tests as part of adversary emulation exercises
  • System monitoring software that queries hardware sensors for health dashboards
Download portable Sigma rule (.yml)

Other platforms for T1497

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1WMI thermal zone temperature check for VM detection

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'MSAcpi_ThermalZoneTemperature'. WMI trace log entry in Microsoft-Windows-WMI-Activity/Operational.

  2. Test 2Registry check for VMware artifacts

    Expected signal: Sysmon Event ID 1: Process Create with Image=reg.exe, CommandLine containing 'VMware' and 'VBoxGuest'. Sysmon Event ID 13: RegistryEvent for key access.

  3. Test 3Process enumeration for analysis tools

    Expected signal: Sysmon Event ID 1: Multiple Process Create events for tasklist.exe with filter arguments. Each tasklist invocation generates a separate process event.

Last updated: 2026-04-14 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1497 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Sub-techniques (3)

Related Techniques

T1497.001System ChecksT1497.002User Activity Based ChecksT1497.003Time Based ChecksT1082System Information DiscoveryT1012Query RegistryT1057Process DiscoveryT1047Windows Management Instrumentation

Same Tactic: Defense Evasion

Popular Detections