Description
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.
Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters' addresses, CPU core count, and available memory/drive size. Once executed, malware may also use File and Directory Discovery to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such as malware, sample, or hash.
Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMware, adversaries can also use a special I/O port to send commands and receive output. Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative of a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)
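The description above says adversaries script several of these checks together and exit when a VM is detected, and the Kimsuky entry below notes the use of `Get-CimInstance` for this. The following is an added detection example (not from the ATT&CK page) that scores PowerShell script-block text for that pattern; the indicator lists, the 4104 log source and both sample scripts are illustrative assumptions:

```python
"""Flag PowerShell script text that clusters several VME/sandbox checks.
Added example, not from the ATT&CK page; assumes the input is raw ScriptBlockText
(PowerShell event 4104) and the indicator lists are illustrative."""
import re

# Artifact classes named in the technique description, keyed by what is queried.
INDICATORS = {
    "hw_manufacturer": re.compile(r"Win32_(ComputerSystem|BIOS|BaseBoard)", re.I),
    "cpu_count":       re.compile(r"NumberOf(Logical)?Processors|Win32_Processor", re.I),
    "memory_size":     re.compile(r"TotalPhysicalMemory|Win32_PhysicalMemory", re.I),
    "disk_size":       re.compile(r"Win32_(DiskDrive|LogicalDisk)", re.I),
    "mac_address":     re.compile(r"Win32_NetworkAdapter|MACAddress", re.I),
    "vm_registry":     re.compile(r"HK(LM|CR|EY_\w+)[^\s'\"]*(VMware|VBox|VirtualBox|QEMU)", re.I),
    "vm_process":      re.compile(r"vmtoolsd|vboxservice|vboxtray|vmwaretray|qemu-ga", re.I),
    "vm_string":       re.compile(r"\b(VMware|VirtualBox|VBox|QEMU|Hyper-V|Virtual ?PC|Sandboxie)\b", re.I),
    "analysis_name":   re.compile(r"\b(sample|malware|sandbox)\b", re.I),
    "sensor_check":    re.compile(r"Win32_Fan|Win32_TemperatureProbe|CIM_Sensor", re.I),
}
# Inventory scripts query the same classes; the tell is naming a VM product, then bailing out.
TERMINATION = re.compile(r"\b(exit|return)\b|Stop-Process|Environment\]::Exit", re.I)
VM_NAMED = {"vm_string", "vm_registry", "vm_process"}

def score_script(text: str, threshold: int = 3) -> dict:
    """Suspicious = >= threshold artifact classes + VM product named + exit path."""
    matched = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    names_vm = bool(VM_NAMED & set(matched))
    terminates = bool(TERMINATION.search(text))
    return {"matched": matched, "names_vm": names_vm, "terminates": terminates,
            "suspicious": len(matched) >= threshold and names_vm and terminates}

# Constructed samples: an anti-VM loader stub and an ordinary hardware inventory.
SAMPLE_SUSPICIOUS = """
$cs = Get-CimInstance Win32_ComputerSystem
if ($cs.Manufacturer -match 'VMware|VirtualBox' -or $cs.NumberOfLogicalProcessors -lt 2) { exit }
if ((Get-CimInstance Win32_PhysicalMemory | Measure-Object Capacity -Sum).Sum -lt 2GB) { exit }
if (Get-Process vmtoolsd,vboxservice -ErrorAction SilentlyContinue) { exit }
"""
SAMPLE_BENIGN = """
Get-CimInstance Win32_ComputerSystem | Select-Object Manufacturer, Model, TotalPhysicalMemory
Get-CimInstance Win32_Processor | Select-Object Name, NumberOfLogicalProcessors
Get-CimInstance Win32_LogicalDisk | Export-Csv inventory.csv
"""

if __name__ == "__main__":
    for label, text in (("loader", SAMPLE_SUSPICIOUS), ("inventory", SAMPLE_BENIGN)):
        print(label, score_script(text))
```

The benign inventory script hits four artifact classes yet is not flagged, because it never names a hypervisor product or takes an exit path; tune `threshold` and the lists to your own telemetry.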
Platforms
Threat Groups (7)
| ID | Group | Context |
|---|---|---|
| G0120 | Evilnum | [Evilnum](https://attack.mitre.org/groups/G0120) has used a component called TerraLoader to check certain hardware and file information to detect sand... |
| G1017 | Volt Typhoon | [Volt Typhoon](https://attack.mitre.org/groups/G1017) has run system checks to determine if they were operating in a virtualized environment.(Citation... |
| G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) malware has used a series of checks to determine if it's being analyzed; checks include the length ... |
| G0090 | WIRTE | [WIRTE](https://attack.mitre.org/groups/G0090) has configured C2 servers to check location and user-agent strings for victim endpoints to prevent send... |
| G0094 | Kimsuky | [Kimsuky](https://attack.mitre.org/groups/G0094) has detected and killed virtual environments by using the PowerShell cmdlet `Get-CimInstance` that se... |
| G0049 | OilRig | [OilRig](https://attack.mitre.org/groups/G0049) has used macros to verify if a mouse is connected to a compromised machine.(Citation: Check Point APT3... |
| G0047 | Gamaredon Group | [Gamaredon Group](https://attack.mitre.org/groups/G0047) has checked existing conditions, such as geographic location, device type, or system specific... |
Associated Software (60)
| ID | Name | Type | Context |
|---|---|---|---|
| S0650 | QakBot | Malware | [QakBot](https://attack.mitre.org/software/S0650) can check the compromised host for the presence of multiple executables associated with analysis too... |
| S0354 | Denis | Malware | [Denis](https://attack.mitre.org/software/S0354) ran multiple system checks, looking for processor and register characteristics, to evade emulation an... |
| S0627 | SodaMaster | Malware | [SodaMaster](https://attack.mitre.org/software/S0627) can check for the presence of the Registry key <code>HKEY_CLASSES_ROOT\\Applications\\VMwareHost... |
| S0439 | Okrum | Malware | [Okrum](https://attack.mitre.org/software/S0439)'s loader can check the amount of physical memory and terminates itself if the host has less than 1.5 ... |
| S0260 | InvisiMole | Malware | [InvisiMole](https://attack.mitre.org/software/S0260) can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself i... |
| S0024 | Dyre | Malware | [Dyre](https://attack.mitre.org/software/S0024) can detect sandbox analysis environments by inspecting the process list and Registry.(Citation: Symant... |
| S0438 | Attor | Malware | [Attor](https://attack.mitre.org/software/S0438) can detect whether it is executed in some virtualized or emulated environment by searching for specif... |
| S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) has the ability to search for designated file paths and Registry keys that indicate a virtualized... |
| S0182 | FinFisher | Malware | [FinFisher](https://attack.mitre.org/software/S0182) obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined ... |
| S0373 | Astaroth | Malware | [Astaroth](https://attack.mitre.org/software/S0373) can check for Windows product ID's used by sandboxes and usernames and disk serial numbers associa... |
| S9018 | HeartCrypt | Malware | [HeartCrypt](https://attack.mitre.org/software/S9018) will attempt to load non-existent DLLs in attempt to detect sandbox creation of a dummy DLL to p... |
| S0242 | SynAck | Malware | [SynAck](https://attack.mitre.org/software/S0242) checks its directory location in an attempt to avoid launching in a sandbox.(Citation: SecureList Sy... |
| S0576 | MegaCortex | Malware | [MegaCortex](https://attack.mitre.org/software/S0576) has checked the number of CPUs in the system to avoid being run in a sandbox or emulator.(Citati... |
| S0352 | OSX_OCEANLOTUS.D | Malware | [OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) checks a number of system parameters to see if it is being run on real hardware or in a vi... |
| S1048 | macOS.OSAMiner | Malware | [macOS.OSAMiner](https://attack.mitre.org/software/S1048) can parse the output of the native `system_profiler` tool to determine if the machine is run... |
| S0226 | Smoke Loader | Malware | [Smoke Loader](https://attack.mitre.org/software/S0226) scans processes to perform anti-VM checks. (Citation: Talos Smoke Loader July 2018) |
| S0561 | GuLoader | Malware | [GuLoader](https://attack.mitre.org/software/S0561) has the ability to perform anti-VM and anti-sandbox checks using string hashing, the API call <cod... |
| S0396 | EvilBunny | Malware | [EvilBunny](https://attack.mitre.org/software/S0396)'s dropper has checked the number of processes and the length and strings of its own file name to ... |
| S0248 | yty | Malware | [yty](https://attack.mitre.org/software/S0248) has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware. (Citation... |
| S0532 | Lucifer | Malware | [Lucifer](https://attack.mitre.org/software/S0532) can check for specific usernames, computer names, device drivers, DLL's, and virtual devices associ... |
References
- Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
- Roccia, T. (2017, January 19). Stopping Malware With a Fake Virtual Machine. Retrieved April 17, 2019.
- Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved September 13, 2024.
Frequently Asked Questions
What is T1497.001 (System Checks)?
T1497.001 is a MITRE ATT&CK technique named 'System Checks'. It belongs to the Stealth, Discovery tactic(s). Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifa...
How can T1497.001 be detected?
Detection of T1497.001 (System Checks) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1497.001?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1497.001?
Known threat groups using T1497.001 include: Evilnum, Volt Typhoon, Darkhotel, WIRTE, Kimsuky, OilRig, Gamaredon Group.