Detect Virtualization/Sandbox Evasion in Splunk
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Methods include checking for security monitoring tools, system artifacts associated with virtualization, legitimate user activity patterns, and time-based anomalies.
MITRE ATT&CK
- Tactic
  - Defense Evasion, Discovery
- Technique
  - T1497 Virtualization/Sandbox Evasion
- Canonical reference
  - https://attack.mitre.org/techniques/T1497/
SPL Detection Query
```spl
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| eval CommandLine=lower(CommandLine)
| eval WMIVMCheck=if(match(CommandLine, "(msacpi_thermalzonetemperature|win32_fan|win32_computersystem.*model|win32_bios.*serialnumber|win32_baseboard)") AND match(Image, "(?i)wmic"), 1, 0)
| eval RegistryVMCheck=if(match(CommandLine, "(vmware|virtualbox|vboxguest|qemu|xen|hyper-v)") AND match(Image, "(?i)reg\.exe"), 1, 0)
| eval ProcessScan=if(match(CommandLine, "tasklist") AND match(CommandLine, "(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida|windbg|autoruns|regmon|filemon)"), 1, 0)
| eval VMToolCheck=if(match(CommandLine, "(vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga)"), 1, 0)
| eval SuspicionScore=WMIVMCheck*2 + RegistryVMCheck*2 + ProcessScan*2 + VMToolCheck
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, WMIVMCheck, RegistryVMCheck, ProcessScan, VMToolCheck, SuspicionScore
| sort - _time
```

Detects virtualization and sandbox evasion behavior via Sysmon process creation events (Event ID 1). It identifies WMI-based VM detection (temperature, fan and hardware queries issued through wmic), registry queries for virtualization software via reg.exe, tasklist-based enumeration of analysis tools, and references to VM guest service processes. The WMI, registry and process-enumeration checks each carry a weight of 2 and the VM guest service check a weight of 1; their sum is SuspicionScore, and any event scoring above 0 is returned, newest first, for prioritization.
Data Sources
Required Sourcetypes
False Positives & Tuning
- System administrators running WMI hardware inventory queries
- IT automation tools collecting hardware information
- Security teams conducting adversary emulation exercises
- Hardware monitoring software querying sensors
Other platforms for T1497
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: WMI thermal zone temperature check for VM detection
  Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'MSAcpi_ThermalZoneTemperature'. WMI trace log entry in Microsoft-Windows-WMI-Activity/Operational.
- Test 2: Registry check for VMware artifacts
  Expected signal: Sysmon Event ID 1: Process Create with Image=reg.exe, CommandLine containing 'VMware' and 'VBoxGuest'. Sysmon Event ID 13: RegistryEvent for key access.
- Test 3: Process enumeration for analysis tools
  Expected signal: Sysmon Event ID 1: Multiple Process Create events for tasklist.exe with filter arguments. Each tasklist invocation generates a separate process event.
References (6)
- https://attack.mitre.org/techniques/T1497/
- https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit
- https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497/T1497.md
- https://github.com/a0rtega/pafish