title: Virtualization/Sandbox Evasion (T1497)
id: df00tech-t1497
status: experimental
description: "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Methods include checking for security monitoring tools, system artifacts associated with virtualization, legitimate user activity patterns, and time-based anomalies."
references:
  - https://attack.mitre.org/techniques/T1497/
  - https://df00tech.com/detections/T1497
author: df00tech
date: 2026/04/14
tags:
  - attack.t1497
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - System administrators running WMI queries for hardware inventory and asset management
  - "IT automation tools (SCCM, Intune, ManageEngine) collecting system hardware information via WMI"
  - Security teams running sandbox detection tests as part of adversary emulation exercises
  - System monitoring software that queries hardware sensors for health dashboards
level: medium