ATT&CK Technique

System Checks

T1497.001 · stealth, discovery

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant.

They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts.

Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. Checks could include generic system properties such as host/domain name and samples of network traffic.

Adversaries may also check network adapter addresses, CPU core count, and available memory/drive size. Once executed, malware may also use File and Directory Discovery to check whether it was saved in a folder or file with unexpected or analysis-related naming artifacts such as malware, sample, or hash. Other common checks may enumerate services that are unique to analysis applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.

In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. Hardware checks, such as the presence of fan, temperature, and audio devices, can also be used to gather evidence indicative of a virtual environment. Adversaries may also query for specific readings from these devices.

Platforms: Linux, macOS, Windows

Actors Using This

14
Bahamut (private_mercenary)
8Base (russia_speaking_cybercrime)
Billbug (china)
Bizarro (brazil)
BlackLotus (commercial_cybercrime_uefi_bootkit)
DarkGate Operators (russia_speaking_organized_cybercrime)
Darkhotel (south_korea)
DoubleZero (russia_aligned_destructive_operations_uncertain_sandworm_attribution)

Likely Attack Path

Techniques the same actors pair with this one distinctively - those showing up among actors who use this technique noticeably more than across all actors (lift > 1.15), grouped by kill-chain phase. The × is that lift multiplier; the shared-actor count is in the tooltip. A near-universal technique pairs with everything at baseline, so its list is short by design.

Atomic Tests

8
Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.
[sh · elevated · linux] Detect Virtualization Environment (Linux)
systemd-detect-virt detects execution in a virtualized environment. At boot, dmesg records a log entry if a hypervisor is detected.
if (systemd-detect-virt) then echo "Virtualization Environment detected"; fi;
if (sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo "Virtualization Environment detected"; fi;

[sh · elevated · linux] Detect Virtualization Environment (FreeBSD)
Detects execution in a virtualized environment by reading the hypervisor vendor sysctl. At boot, dmesg records a log entry if a hypervisor is detected.
if [ "$(sysctl -n hw.hv_vendor)" != "" ]; then echo "Virtualization Environment detected"; fi

[powershell · windows] Detect Virtualization Environment (Windows)
Windows Management Instrumentation (WMI) objects contain system information that helps to detect virtualization. This command attempts to read the CurrentTemperature value from the MSAcpi_ThermalZoneTemperature class and checks whether the attempt results in an error containing the word "supported". It is meant to catch the "Not supported" result, which is what the query returns when run in a virtual machine.
$error.clear()
Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue
if($error) {echo "Virtualization Environment detected"}

[sh · macos] Detect Virtualization Environment via ioreg
ioreg contains registry entries for all the device drivers in the system. On a virtual machine, one of the device manufacturers will be a virtualization vendor.
if (ioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo 'Virtualization Environment detected'; fi;

[powershell · windows] Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)
Windows Management Instrumentation (WMI) objects contain system information that helps to detect virtualization. This test reads the model and manufacturer of the machine to determine whether it is a virtual machine, such as one running under VMware or VirtualBox.
$Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Manufacturer"
$Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Model"
if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}

[sh · macos] Detect Virtualization Environment using sysctl (hw.model)
sysctl hw.model returns the model name of the hardware (Macmini8,1, MacBookAir10,1, etc.) on native Apple hardware, but returns the hypervisor name (e.g. VMware7,0) in a virtual machine. Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model
if [ "$(sysctl -n hw.model | grep -v 'Mac')" != "" ]; then echo 'Virtualization Environment detected'; fi;

[sh · macos] Check if System Integrity Protection is enabled
Recent versions of macOS have the System Integrity Protection (SIP) feature. If a sandbox uses an unsigned kernel extension for monitoring, SIP must be disabled to load that extension, so malware may check whether SIP is enabled. Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip
if [ "$(csrutil status | grep -v 'enabled')" != "" ]; then echo 'Possible Virtualization Environment detected'; fi;

[sh · macos] Detect Virtualization Environment using system_profiler
system_profiler reports the system hardware and software configuration; its Model Identifier carries a value similar to sysctl -n hw.model. Whether the system is virtualized can be inferred by checking whether the Model Identifier does not contain "Mac".
if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier" | grep -v 'Mac')" != "" ]; then echo 'Virtualization Environment detected'; fi;
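The technique description above and the atomic tests both come down to a handful of commands and WMI classes that an evasion routine chains together in quick succession. The following detection logic, added here as an example and not taken from ATT&CK, Atomic Red Team, Caldera or threatengine.sh, runs over constructed process-creation log lines and flags that chaining. The key=value log layout, the sample lines, the rule set and the 120-second correlation window are all assumptions made for the demonstration; the patterns themselves follow the commands shown in the tests above.

```python
"""
Detection logic for T1497.001 system checks over process-creation logs.

Added example for this page; not code from ATT&CK, Atomic Red Team, Caldera
or threatengine.sh. Log layout, sample lines, rules and window are assumptions.
"""
import re
from collections import defaultdict

# One rule per check family. Patterns follow the commands in the atomic tests
# above and the WMI class used by the "Virtual or Real" Caldera ability.
RULES = [
    ("wmi_thermal_zone", re.compile(r"MSAcpi_ThermalZoneTemperature", re.I)),
    ("wmi_computer_system", re.compile(r"Win32_ComputerSystem|computersystem\s+get", re.I)),
    ("systemd_detect_virt", re.compile(r"\bsystemd-detect-virt\b")),
    ("dmi_probe", re.compile(r"\bdmidecode\b")),
    ("bsd_hv_vendor", re.compile(r"\bsysctl\b.*\bhw\.hv_vendor\b")),
    ("mac_hw_model", re.compile(r"\bsysctl\b.*\bhw\.model\b|system_profiler\s+SPHardwareDataType")),
    ("ioreg_vendor", re.compile(r"\bioreg\b.*(Manufacturer|Vendor Name)")),
    ("sip_status", re.compile(r"\bcsrutil\s+status\b")),
]

# Constructed log layout (assumption, not a real product's format):
# ts=<epoch> host=<name> pid=<n> ppid=<n> image=<path> cmdline="<command line>"
LINE_RE = re.compile(
    r'ts=(?P<ts>\d+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>.*)"$'
)
WINDOW_SECONDS = 120  # assumed correlation window per parent process

# Constructed sample lines, not captured from a real host.
SAMPLE_LOGS = [
    'ts=1700000000 host=ws01 pid=4100 ppid=3990 image=powershell.exe '
    'cmdline="Get-WmiObject -Query \'SELECT * FROM MSAcpi_ThermalZoneTemperature\'"',
    'ts=1700000002 host=ws01 pid=4101 ppid=3990 image=powershell.exe '
    'cmdline="Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty Manufacturer"',
    'ts=1700000004 host=ws01 pid=4102 ppid=3990 image=wmic.exe cmdline="wmic computersystem get model"',
    'ts=1700000100 host=lnx01 pid=2201 ppid=2190 image=/bin/sh cmdline="systemd-detect-virt"',
    'ts=1700000101 host=lnx01 pid=2202 ppid=2190 image=/usr/bin/sudo cmdline="sudo dmidecode"',
    # A lone inventory call from a system daemon: should score low, not high.
    'ts=1700000500 host=mac01 pid=810 ppid=1 image=/usr/sbin/system_profiler '
    'cmdline="system_profiler SPHardwareDataType"',
    'ts=1700000600 host=ws02 pid=5000 ppid=4980 image=notepad.exe cmdline="notepad.exe report.txt"',
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


def match_rules(cmdline):
    """Return the check categories whose pattern appears in the command line."""
    return [cat for cat, rx in RULES if rx.search(cmdline)]


def detect(lines):
    """Group rule hits by (host, ppid) and score them.

    A single probe is 'low' (inventory tools run these legitimately); two or more
    distinct check categories from the same parent within WINDOW_SECONDS of the
    first hit is 'high', because the chained checks are what distinguish an
    evasion routine from an administrator running one command.
    """
    hits = defaultdict(list)  # (host, ppid) -> [(ts, category, cmdline)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for cat in match_rules(rec["cmdline"]):
            hits[(rec["host"], rec["ppid"])].append((rec["ts"], cat, rec["cmdline"]))

    alerts = {}
    for key, events in hits.items():
        events.sort()
        first_ts = events[0][0]
        in_window = [e for e in events if e[0] - first_ts <= WINDOW_SECONDS]
        cats = sorted({e[1] for e in in_window})
        alerts[key] = {
            "severity": "high" if len(cats) >= 2 else "low",
            "categories": cats,
            "commands": [e[2] for e in in_window],
        }
    return alerts


if __name__ == "__main__":
    for (host, ppid), alert in detect(SAMPLE_LOGS).items():
        print(f"{host} ppid={ppid} {alert['severity'].upper()}: {', '.join(alert['categories'])}")
```

The grouping key is the parent process rather than the host because an evasion routine issues its checks from one process tree, while unrelated admin activity on the same host would otherwise inflate the score. Any of the page's Atomic Red Team commands, when run as described, should produce at least a low-severity hit, and running two of them from the same shell within the window should produce a high one.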

Detection Coverage

1/6 layers
Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).
Behavioral / log (Sigma): 3
Analytics (MITRE CAR): none
Runtime / container (Falco): none
File / malware (YARA): none
Network (Suricata/Snort): none
Vuln scan (Nuclei): none

Caldera Emulation

3
MITRE Caldera abilities that emulate this technique - each is an executable action for automated adversary emulation.
[defense-evasion · windows] Check Security Services
$securityServices = @(
    "msmpeng",
    "windefend",
    "mssense",
    "sense",
    "microsoft.tri.sensor",
    "microsoft.tri.sensor.updater",
    "cavp",
    "cb",
    "carbonblack",
    "carbonblackk",
    "cbcomms",
    "cbstream",
    "csfalconservice",
    "csfalconcontainer",
    "csagent",
    "csdevicecontrol",
    "csfalconservice",
    "xagt",
    "xagtnotif",
    "fe_avk",
    "fekern",
    "feelam",
    "fewscservice",
    "ekrn",
    "eguiproxy",
    "egui",
    "eamonm",
    "eelam",
    "ehdrv",
    "ekrnepfw",
    "epfwwfp",
    "ekbdflt",
    "epfw",
    "fsgk32st",
    "fswebuid",
    "fsgk32",
    "fsma32",
    "fssm32",
    "fnrb32",
    "fsaua",
    "fsorsp",
    "fsav32",
    "f-secure gatekeeper handler starter",
    "f-secure network request broker",
    "f-secure webui daemon",
    "fsma",
    "fsorspclient",
    "f-secure gatekeeper",
    "f-secure hips",
    "fsbts",
    "fsni",
    "fsvista",
    "f-secure filter",
    "f-secure recognizer",
    "fses"   # the ability's list continues past this point; the remaining entries are cut off in this extract
)
# Assumed closing step (the extract ends before it; not the ability's own lines):
# report which of the listed security services are installed on the host.
Get-Service -ErrorAction SilentlyContinue | Where-Object { $securityServices -contains $_.Name.ToLower() } | Select-Object Name, Status
[defense-evasion · windows] Check analysis environment processes
$forensicProcesses = @(
    "apimonitor-x64",
    "apimonitor-x86",
    "autopsy64",
    "autopsy",
    "autoruns64",
    "autoruns",
    "autorunsc64",
    "autorunsc",
    "binaryninja",
    "blacklight",
    "cff explorer",
    "cutter",
    "de4dot",
    "debugview",
    "diskmon",
    "dnsd",
    "dnspy",
    "dotpeek32",
    "dotpeek64",
    "dumpcap",
    "evidence center",
    "exeinfope",
    "fakedns",
    "fakenet",
    "ffdec",
    "fiddler",
    "fileinsight",
    "floss",
    "gdb",
    "hiew32demo",
    "hiew32",
    "hollows_hunter",
    "idaq64",
    "idaq",
    "idr",
    "ildasm",
    "ilspy",
    "jd-gui",
    "lordpe",
    "officemalscanner",
    "ollydbg",
    "pdfstreamdumper",
    "pe-bear",
    "pebrowse64",
    "peid",
    "pe-sieve32",
    "pe-sieve64",
    "pestudio",
    "peview",
    "ppee",
    "procdump64",
    "procdump",
    "processhacker",
    "procexp64",
    "procexp",
    "procmon",
    "prodiscoverbasic",
    "py2exedecompiler",
    "r2agent"   # the ability's list continues past this point; the remaining entries are cut off in this extract
)
# Assumed closing step (the extract ends before it; not the ability's own lines):
# report which of the listed analysis tools are currently running.
Get-Process | Where-Object { $forensicProcesses -contains $_.ProcessName.ToLower() } | Select-Object Id, ProcessName
[discovery · windows] Virtual or Real
get-wmiobject win32_computersystem | fl model
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin