T1497 Sumo Logic CSE · Sumo

Detect Virtualization/Sandbox Evasion in Sumo Logic CSE

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Methods include checking for security monitoring tools, system artifacts associated with virtualization, legitimate user activity patterns, and time-based anomalies.

MITRE ATT&CK

Tactic: Defense Evasion, Discovery
Technique: T1497 Virtualization/Sandbox Evasion
Canonical reference: https://attack.mitre.org/techniques/T1497/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=*windows*sysmon* EventID=1
| parse regex "(?i)<CommandLine>(?<CommandLine>[^<]+)</CommandLine>"
| parse regex "(?i)<Image>(?<Image>[^<]+)</Image>"
| parse regex "(?i)<ParentImage>(?<ParentImage>[^<]+)</ParentImage>"
| parse regex "(?i)<User>(?<User>[^<]+)</User>"
| parse regex "(?i)<Computer>(?<Computer>[^<]+)</Computer>"
| where CommandLine matches /(?i)(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard|vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga)/
  OR (CommandLine matches /(?i)(vmware|virtualbox|vboxguest|qemu|ven_15ad|ven_80ee)/ AND Image matches /(?i)reg\.exe/)
  OR (CommandLine matches /(?i)tasklist/ AND CommandLine matches /(?i)(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|windbg|autoruns|regmon|filemon)/)
| if(CommandLine matches /(?i)(msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard)/ AND Image matches /(?i)wmic\.exe/, 2, 0) as WMIVMCheck
| if(CommandLine matches /(?i)(vmware|virtualbox|vboxguest|qemu|ven_15ad|ven_80ee)/ AND Image matches /(?i)reg\.exe/, 2, 0) as RegistryVMCheck
| if(CommandLine matches /(?i)tasklist/ AND CommandLine matches /(?i)(wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|windbg|autoruns|regmon|filemon)/, 2, 0) as ProcessScan
| if(CommandLine matches /(?i)(vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga)/, 1, 0) as VMToolCheck
| WMIVMCheck + RegistryVMCheck + ProcessScan + VMToolCheck as SuspicionScore
| fields _time, Computer, User, Image, CommandLine, ParentImage, WMIVMCheck, RegistryVMCheck, ProcessScan, VMToolCheck, SuspicionScore
| sort by -_time
Severity: high. Confidence: medium.

Detects T1497 Virtualization/Sandbox Evasion in Sumo Logic by parsing Sysmon XML process creation events (EventID 1) and applying a multi-indicator suspicion scoring model. Uses `parse regex` to extract structured fields from raw XML and `if()` expressions to score four evasion categories independently: WMI-based VM hardware fingerprinting, VM vendor registry key enumeration, sandbox tool enumeration via tasklist, and VM service process detection. Requires Windows Sysmon source collection with XML event format.

Data Sources

Windows Sysmon via Sumo Logic Installed Collector (Windows Event Log source, XML format)

Required Tables

_sourceCategory matching windows sysmon operational log path

False Positives & Tuning

  • Hardware monitoring agents and out-of-band management software (HPE iLO, Dell DRAC management agents) that legitimately query MSAcpi_ThermalZoneTemperature and Win32_Fan via WMI for thermal monitoring
  • Automated IT asset discovery and software license management platforms (Flexera, Snow Software) that query Win32_ComputerSystem and Win32_BIOS to differentiate physical vs virtual for license compliance reporting
  • Developer workstations running Docker Desktop, VirtualBox, or WSL2 alongside security research tools (Wireshark, x64dbg) where both VM tool processes and analysis tools are expected to coexist
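The where gate and four-part scoring model of the query above, together with the licence-agent false-positive case from the list, replayed in Python over constructed Sysmon EventID 1 fragments. This is an added example, not the detection's own code or anything from Sumo Logic; the hostnames, the AssetAgent path and the command lines are made up for illustration.

```python
import re
# Indicator sets copied from the query's regexes; re.I stands in for Sumo's (?i)
WMI_HW = re.compile(r"msacpi_thermalzonetemperature|win32_fan|win32_computersystem|win32_bios|win32_baseboard", re.I)
VM_REG = re.compile(r"vmware|virtualbox|vboxguest|qemu|ven_15ad|ven_80ee", re.I)
TOOLS = re.compile(r"wireshark|procmon|procexp|fiddler|x64dbg|x32dbg|ollydbg|ida64|windbg|autoruns|regmon|filemon", re.I)
VM_SVC = re.compile(r"vmtoolsd|vmwaretray|vboxservice|vmusrvc|vmsrvc|qemu-ga", re.I)
FIELDS = ("CommandLine", "Image", "ParentImage", "User", "Computer")

def parse_event(xml):
    """Mirror the five parse regex lines: each element's text, or '' when it is absent."""
    ev = {}
    for f in FIELDS:
        m = re.search(rf"<{f}>([^<]+)</{f}>", xml, re.I)
        ev[f] = m.group(1) if m else ""
    return ev

def passes_where(ev):
    """The where clause: an event must clear this gate before any scoring happens."""
    cl, img = ev["CommandLine"], ev["Image"]
    return bool(WMI_HW.search(cl) or VM_SVC.search(cl)
                or (VM_REG.search(cl) and re.search(r"reg\.exe", img, re.I))
                or (re.search("tasklist", cl, re.I) and TOOLS.search(cl)))

def score(ev):
    """The four if() expressions and their sum, using the query's weights 2, 2, 2, 1."""
    cl, img = ev["CommandLine"], ev["Image"]
    s = {"WMIVMCheck": 2 if WMI_HW.search(cl) and re.search(r"wmic\.exe", img, re.I) else 0,
         "RegistryVMCheck": 2 if VM_REG.search(cl) and re.search(r"reg\.exe", img, re.I) else 0,
         "ProcessScan": 2 if re.search("tasklist", cl, re.I) and TOOLS.search(cl) else 0,
         "VMToolCheck": 1 if VM_SVC.search(cl) else 0}
    s["SuspicionScore"] = sum(s.values())
    return s

def run(events):
    """Gate, then score: {Computer: SuspicionScore} for every event that passes the where clause."""
    out = {}
    for xml in events:
        ev = parse_event(xml)
        if passes_where(ev):
            out[ev["Computer"]] = score(ev)["SuspicionScore"]
    return out

# Constructed Sysmon EventID 1 fragments (not real telemetry; hosts and the AssetAgent path are made up).
# WS01-WS03 mirror the testing section's signals; SRV01 (licence agent, see False Positives) clears the where gate but scores 0 because only wmic.exe earns WMIVMCheck.
EVENTS = [
    "<Computer>WS01</Computer><Image>C:\\Windows\\System32\\wbem\\WMIC.exe</Image><CommandLine>wmic path MSAcpi_ThermalZoneTemperature get CurrentTemperature</CommandLine>",
    "<Computer>WS02</Computer><Image>C:\\Windows\\System32\\reg.exe</Image><CommandLine>reg query HKLM\\SOFTWARE /f VMware /s</CommandLine>",
    '<Computer>WS03</Computer><Image>C:\\Windows\\System32\\tasklist.exe</Image><CommandLine>tasklist /FI "IMAGENAME eq wireshark.exe"</CommandLine>',
    "<Computer>SRV01</Computer><Image>C:\\Program Files\\AssetAgent\\agent.exe</Image><CommandLine>agent.exe --inventory Win32_BIOS Win32_ComputerSystem</CommandLine>",
]
```

Rows that pass the gate but score 0 (the SRV01 shape) are where the tuning entries above apply; an analyst triaging this rule should sort by SuspicionScore and treat zeros as candidates for an allowlist rather than as alerts.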

Testing Methodology

Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: WMI thermal zone temperature check for VM detection

    Expected signal: Sysmon Event ID 1: Process Create with Image=wmic.exe, CommandLine containing 'MSAcpi_ThermalZoneTemperature'. WMI trace log entry in Microsoft-Windows-WMI-Activity/Operational.

  2. Test 2: Registry check for VMware artifacts

    Expected signal: Sysmon Event ID 1: Process Create with Image=reg.exe, CommandLine containing 'VMware' and 'VBoxGuest'. Sysmon Event ID 13: RegistryEvent for key access.

  3. Test 3: Process enumeration for analysis tools

    Expected signal: Sysmon Event ID 1: Multiple Process Create events for tasklist.exe with filter arguments. Each tasklist invocation generates a separate process event.
