Home/ATT&CK Technique/Virtualization/Sandbox Evasion
ATT&CK Technique

Virtualization/Sandbox Evasion

T1497 · stealth, discovery

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant.

They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors. Adversaries may use several methods to accomplish Virtualization/Sandbox Evasion such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization.

Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.

LinuxmacOSWindows

Actors Using This

14
latin_america_brazilian_organized_cybercrimeAmavaldo
north_koreaAndariel
franceAnimal Farm
chinaAoqin Dragon
chinaAPT31
iranAPT33
iranOilRig
iranAPT35
north_koreaAPT37
north_koreaAPT38
chinaAPT40
china_state_sponsored_mandiant_canonical_microsoft_mulberry_typhoonAPT5 (UNC2630 / UNC2717 / Mulberry Typhoon)
russiaAwfulShred
private_mercenaryBahamut

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.
initial-access earlier
T1659 · Content Injection ×1.71
persistence earlier
T1543.001 · Launch Agent ×1.71T1543.004 · Launch Daemon ×1.71T1542.001 · System Firmware ×1.71
privilege-escalation earlier
T1055.012 · Process Hollowing ×1.71
discovery same
T1497.001 · System Checks ×1.71T1497.003 · Time Based Checks ×1.71T1426 · System Information Discovery ×1.71
command-and-control later
T1437 · Application Layer Protocol ×1.71T1437.001 · Web Protocols ×1.71
impact later
T1488 · Disk Content Wipe ×1.71
other same
T1036.001 · Invalid Code Signature ×1.71T1218.007 · Msiexec ×1.71T1070.002 · Clear Linux or Mac System Logs ×1.71T1036.008 · Masquerade File Type ×1.71

Detection Coverage

0/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma) none
Analytics (MITRE CAR) none
Runtime / container (Falco) none
File / malware (YARA) none
Network (Suricata/Snort) none
Vuln scan (Nuclei) none

Caldera Emulation

4
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
defense-evasiondarwin, linux, windows1-min sleep
sleep 60
defense-evasionwindowsCheck Security Services
$securityServices = @(
    "msmpeng",
    "windefend",
    "mssense",
    "sense",
    "microsoft.tri.sensor",
    "microsoft.tri.sensor.updater",
    "cavp",
    "cb",
    "carbonblack",
    "carbonblackk",
    "cbcomms",
    "cbstream",
    "csfalconservice",
    "csfalconcontainer",
    "csagent",
    "csdevicecontrol",
    "csfalconservice",
    "xagt",
    "xagtnotif",
    "fe_avk",
    "fekern",
    "feelam",
    "fewscservice",
    "ekrn",
    "eguiproxy",
    "egui",
    "eamonm",
    "eelam",
    "ehdrv",
    "ekrnepfw",
    "epfwwfp",
    "ekbdflt",
    "epfw",
    "fsgk32st",
    "fswebuid",
    "fsgk32",
    "fsma32",
    "fssm32",
    "fnrb32",
    "fsaua",
    "fsorsp",
    "fsav32",
    "f-secure gatekeeper handler starter",
    "f-secure network request broker",
    "f-secure webui daemon",
    "fsma",
    "fsorspclient",
    "f-secure gatekeeper",
    "f-secure hips",
    "fsbts",
    "fsni",
    "fsvista",
    "f-secure filter",
    "f-secure recognizer",
    "fses",
defense-evasionwindowsCheck analysis environment processes
$forensicProcesses = @(
    "apimonitor-x64",
    "apimonitor-x86",
    "autopsy64",
    "autopsy",
    "autoruns64",
    "autoruns",
    "autorunsc64",
    "autorunsc",
    "binaryninja",
    "blacklight",
    "cff explorer",
    "cutter",
    "de4dot",
    "debugview",
    "diskmon",
    "dnsd",
    "dnspy",
    "dotpeek32",
    "dotpeek64",
    "dumpcap",
    "evidence center",
    "exeinfope",
    "fakedns",
    "fakenet",
    "ffdec",
    "fiddler",
    "fileinsight",
    "floss",
    "gdb",
    "hiew32demo",
    "hiew32",
    "hollows_hunter",
    "idaq64",
    "idaq",
    "idr",
    "ildasm",
    "ilspy",
    "jd-gui",
    "lordpe",
    "officemalscanner",
    "ollydbg",
    "pdfstreamdumper",
    "pe-bear",
    "pebrowse64",
    "peid",
    "pe-sieve32",
    "pe-sieve64",
    "pestudio",
    "peview",
    "ppee",
    "procdump64",
    "procdump",
    "processhacker",
    "procexp64",
    "procexp",
    "procmon",
    "prodiscoverbasic",
    "py2exedecompiler",
    "r2agent",
discoverywindowsVirtual or Real
get-wmiobject win32_computersystem | fl model
Intelligence Graph · click any node to traverse
CVETechnique ActorTool Family
drag to reposition · click any node to traverse · button top-right enlarges
External lookups - second-class, for what we don’t hold ourselves
MITRE ATT&CKAtomic Red Teamcar (MITRE)
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin