title: User Activity Based Checks (T1497.002)
id: df00tech-t1497-002
status: experimental
description: "Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. These include checking mouse movement speed and frequency, click patterns, browser history and bookmarks, the number of files on the desktop or in common directories, recently opened documents, and the presence of user-created files. Some malware requires specific user interaction before activating, such as waiting for a document to close, for a user to double-click an embedded image, or for mouse button presses. Darkhotel checks the mouse cursor position repeatedly, Okrum requires three left-clicks before executing, and FIN7 used embedded images that required double-clicks to activate."
references:
  - https://attack.mitre.org/techniques/T1497/002/
  - https://df00tech.com/detections/T1497.002
author: df00tech
date: 2026/04/14
tags:
  - attack.t1497.002
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The placeholder selection below (EventID: '*') matches every process_creation event
  # and must be replaced with the real query before this rule is deployed.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Accessibility tools and automation software that track mouse position for user interface automation
  - RPA (Robotic Process Automation) tools like UiPath that monitor user input state
  - Custom IT scripts that count files in user directories for compliance or cleanup purposes
  - Screen recording or remote desktop software that tracks input events
level: medium
