title: System Checks (T1497.001)
id: df00tech-t1497-001
status: experimental
description: "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. Checks may include WMI queries for BIOS manufacturer, system model, temperature sensors, and fan hardware; registry queries for VMware/VirtualBox/QEMU/Hyper-V keys; file system checks for VM guest tools and drivers; hardware enumeration for VM-specific PCI vendor IDs; process enumeration for analysis and monitoring tools; and CPU core count / memory / disk size validation. Malware families including GravityRAT, Lumma Stealer, Bumblebee, QakBot, DarkTortilla, and FinFisher use extensive system checks before executing their core payloads."
references:
  - https://attack.mitre.org/techniques/T1497/001/
  - https://df00tech.com/detections/T1497.001
author: df00tech
date: 2026/04/14
tags:
  - attack.t1497.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "IT asset management tools (SCCM, Intune, ManageEngine, Lansweeper) running WMI hardware inventory queries"
  - System monitoring software collecting hardware sensor data for dashboards
  - Endpoint security products performing hardware fingerprinting during enrollment
  - Developers or QA teams running system information checks in VM test environments
level: medium
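The detection block above is only a placeholder, so here is an added example (not part of the df00tech rule) of the correlation logic a detection engineer would write for the checks the description lists: it classifies Sysmon/Sigma process_creation command lines into WMI, registry and file-system VM probes and flags a parent process whose children perform several distinct kinds within one session. The field names, regexes and sample events are assumptions constructed for this example; the threshold is what keeps a single hardware-inventory query from an asset-management agent (the first listed false positive) below the alert level.

```python
import re
from collections import defaultdict

# Indicator patterns derived from the checks listed in the rule description:
# WMI classes (and wmic aliases) for BIOS manufacturer, system model, thermal
# sensors and fans, plus registry/file artefacts of VMware, VirtualBox, QEMU
# and Hyper-V. Field names follow Sysmon/Sigma process_creation events.
WMI_QUERY = re.compile(
    r"\bwmic\b.*\b(bios|computersystem|csproduct)\b"
    r"|Win32_(BIOS|ComputerSystem|Fan|TemperatureProbe)\b"
    r"|MSAcpi_ThermalZoneTemperature",
    re.IGNORECASE,
)
VM_ARTIFACT = re.compile(r"vmware|virtualbox|vbox|qemu|hyper-?v|vmtools", re.IGNORECASE)
REG_QUERY = re.compile(r"\breg(\.exe)?\s+query\b", re.IGNORECASE)
FS_PROBE = re.compile(r"\b(dir|where|test-path|exist)\b", re.IGNORECASE)


def classify(cmdline):
    """Return the kinds of VM-detection check a command line performs."""
    kinds = set()
    if WMI_QUERY.search(cmdline):
        kinds.add("wmi")
    if REG_QUERY.search(cmdline) and VM_ARTIFACT.search(cmdline):
        kinds.add("registry")
    if FS_PROBE.search(cmdline) and VM_ARTIFACT.search(cmdline):
        kinds.add("filesystem")
    return kinds


def find_vm_check_sequences(events, threshold=2):
    """Group process_creation events by parent process and flag parents whose
    children perform at least `threshold` distinct kinds of check. A lone
    inventory query, as an asset-management agent issues, stays below it."""
    per_parent = defaultdict(set)
    for ev in events:
        per_parent[ev["ParentProcessId"]] |= classify(ev["CommandLine"])
    return {pid: sorted(k) for pid, k in per_parent.items() if len(k) >= threshold}


# Constructed sample events (hypothetical PIDs and command lines, not real telemetry).
SAMPLE_EVENTS = [
    {"ParentProcessId": 4120, "CommandLine": "wmic bios get manufacturer,version"},
    {"ParentProcessId": 4120, "CommandLine": r'reg query "HKLM\SOFTWARE\VMware, Inc.\VMware Tools"'},
    {"ParentProcessId": 4120, "CommandLine": 'powershell -c "Get-WmiObject Win32_Fan"'},
    {"ParentProcessId": 4120, "CommandLine": r"cmd /c if exist C:\Windows\System32\drivers\VBoxMouse.sys exit 1"},
    {"ParentProcessId": 7788, "CommandLine": "wmic computersystem get model,manufacturer"},
    {"ParentProcessId": 9001, "CommandLine": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
]

if __name__ == "__main__":
    print(find_vm_check_sequences(SAMPLE_EVENTS))  # {4120: ['filesystem', 'registry', 'wmi']}
```

Only parent 4120 is reported: 7788 issues a single inventory-style WMI query and 9001 queries a registry key that carries no hypervisor artefact.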
