Description
Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks (Citation: Sans Virtual Jan 2016), browser history, cache, bookmarks, or the number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double click on an embedded image to activate.(Citation: FireEye FIN7 April 2017)
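The checks described above leave a recognizable footprint in a sandbox's API-call trace, and that footprint is what an analyst can key on: the sample polls `GetCursorPos`, `GetForegroundWindow`, `GetLastInputInfo` or `GetAsyncKeyState` in a `Sleep` loop, sees the same answer every time on an idle desktop, shows a `MessageBoxA` prompt, or exits right after the check without ever doing real work. The following Python script is an added example for this page, not code from ATT&CK or from any of the malware families listed below. The trace line format (`<ms> <pid> <Api>(<args>) -> <ret>`), the sample trace lines, the rule thresholds and the small API sets are all constructed assumptions of this example; the API names themselves are real Win32 functions.

```python
import re
from collections import defaultdict, namedtuple

# Constructed line format for this example (not any real sandbox's format):
#   <ms since start> <pid> <Api>(<args>) -> <return value>
LINE_RE = re.compile(r"^(?P<ms>\d+)\s+(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*?)\)\s*->\s*(?P<ret>.*)$")

# Win32 APIs a sample polls to decide whether a human is present (assumed indicator set).
ACTIVITY_APIS = {"GetCursorPos", "GetForegroundWindow", "GetLastInputInfo", "GetAsyncKeyState"}
# APIs used to gate the payload on a click (message box / splash screen).
PROMPT_APIS = {"MessageBoxA", "MessageBoxW"}
# Activity showing the sample moved past its gate into real work.
PAYLOAD_APIS = {"CreateFileW", "WriteFile", "CreateProcessW", "connect", "VirtualAlloc"}

Event = namedtuple("Event", "ms pid api args ret")
Finding = namedtuple("Finding", "pid rule detail")


def parse_trace(lines):
    """Parse trace lines into Events ordered by time; lines that do not fit the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(int(m["ms"]), int(m["pid"]), m["api"], m["args"], m["ret"].strip()))
    return sorted(events)


def analyze(events, min_polls=3, bail_window_ms=5000):
    """Four per-process heuristics; the thresholds are assumptions for this example."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev.pid].append(ev)
    findings = []
    for pid, evs in sorted(by_pid.items()):
        polls = [e for e in evs if e.api in ACTIVITY_APIS]
        # Rule 1: repeated user-state polling with Sleep calls in between (a wait loop).
        sleeps = [e for e in evs if e.api == "Sleep" and polls and polls[0].ms < e.ms < polls[-1].ms]
        if len(polls) >= min_polls and sleeps:
            findings.append(Finding(pid, "poll_loop", f"{len(polls)} user-state calls, {len(sleeps)} Sleep(s) between them"))
        # Rule 2: one API returned the same value on every call (nothing on the desktop changed).
        rets = defaultdict(list)
        for e in polls:
            rets[e.api].append(e.ret)
        for api, vals in rets.items():
            if len(vals) >= 2 and len(set(vals)) == 1:
                findings.append(Finding(pid, "static_state", f"{api} returned {vals[0]} on all {len(vals)} calls"))
        # Rule 3: a message box shown to the user (click-to-run gate).
        findings += [Finding(pid, "prompt_gate", f"{e.api}({e.args})") for e in evs if e.api in PROMPT_APIS]
        # Rule 4: exit shortly after the last check with no payload activity in between.
        exits = [e for e in evs if e.api == "ExitProcess"]
        if polls and exits:
            last, end = polls[-1], exits[-1]
            worked = any(e.api in PAYLOAD_APIS and last.ms < e.ms < end.ms for e in evs)
            if 0 <= end.ms - last.ms <= bail_window_ms and not worked:
                findings.append(Finding(pid, "bail_out", f"ExitProcess {end.ms - last.ms} ms after the last user-state check"))
    return findings


def verdict(findings):
    """Collapse findings into one triage label per flagged process."""
    rules = defaultdict(set)
    for f in findings:
        rules[f.pid].add(f.rule)
    labels = {}
    for pid, r in rules.items():
        if ("poll_loop" in r or "static_state" in r) and "bail_out" in r:
            labels[pid] = "likely user-activity gate: sample bailed on an idle desktop"
        elif "prompt_gate" in r:
            labels[pid] = "interaction gate: payload waits for a click"
        elif "poll_loop" in r:
            labels[pid] = "polls user state: review manually"
    return labels


# Constructed sample trace: pid 1337 polls an idle desktop and exits, pid 2048 sees a
# moving cursor and proceeds, pid 3001 gates on a MessageBoxA click.
SAMPLE_TRACE = r"""
0    1337 GetForegroundWindow() -> 0x00010042
5    1337 Sleep(1000) -> 0
1005 1337 GetForegroundWindow() -> 0x00010042
1010 1337 GetCursorPos(&pt) -> (512,384)
1015 1337 Sleep(500) -> 0
1520 1337 GetCursorPos(&pt) -> (512,384)
1525 1337 Sleep(500) -> 0
2030 1337 GetCursorPos(&pt) -> (512,384)
2035 1337 ExitProcess(0) ->
4000 2048 GetCursorPos(&pt) -> (100,200)
4010 2048 Sleep(500) -> 0
4520 2048 GetCursorPos(&pt) -> (140,220)
4530 2048 CreateFileW("C:\Users\user\AppData\Local\Temp\a.dll") -> 0x1c8
6000 3001 MessageBoxA(0, "Open document?", "Viewer", 0x4) -> 6
6800 3001 VirtualAlloc(0, 0x10000, 0x3000, 0x40) -> 0x1f0000
"""

if __name__ == "__main__":
    found = analyze(parse_trace(SAMPLE_TRACE.splitlines()))
    for f in found:
        print(f"pid {f.pid}: [{f.rule}] {f.detail}")
    print(verdict(found))
```

Run as is to see the constructed trace triaged; against a real sandbox's output only `LINE_RE` and the API sets need adapting. The point of the `bail_out` rule is the mitigating insight: a sample that polls user state and then exits without a payload was most likely defeated by an idle analysis desktop, so the sandbox should be re-run with simulated mouse movement, a populated profile and a user-interaction clicker before the sample is written off as benign.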
Platforms
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) has used malware that repeatedly checks the mouse cursor position to determine if a real user is on... |
| G0046 | FIN7 | [FIN7](https://attack.mitre.org/groups/G0046) used images embedded into document lures that only activate the payload when a user double clicks to avo... |
Associated Software (5)
| ID | Name | Type | Context |
|---|---|---|---|
| S0439 | Okrum | Malware | [Okrum](https://attack.mitre.org/software/S0439) loader only executes the payload after the left mouse button has been pressed at least three times, i... |
| S1239 | TONESHELL | Malware | [TONESHELL](https://attack.mitre.org/software/S1239) has leveraged `GetForegroundWindow` to detect virtualization or sandboxes by calling the API twic... |
| S0543 | Spark | Malware | [Spark](https://attack.mitre.org/software/S0543) has used a splash screen to check whether a user actively clicks on the screen before running malici... |
| S9026 | ROAMINGHOUSE | Malware | [ROAMINGHOUSE](https://attack.mitre.org/software/S9026) can check for specific mouse movements and user activity before initiating malicious activity.... |
| S0154 | Cobalt Strike | Malware | The [Cobalt Strike](https://attack.mitre.org/software/S0154) loader can use the `MessageBoxA` API to prompt for user interaction as an anti-sandbox me... |
References
- Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
- Keragala, D. (2016, January 16). Detecting Malware and Sandbox Evasion Techniques. Retrieved April 17, 2019.
- Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved September 13, 2024.
Frequently Asked Questions
What is T1497.002 (User Activity Based Checks)?
T1497.002 is a MITRE ATT&CK technique named 'User Activity Based Checks'. It belongs to the Stealth, Discovery tactic(s). Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of...
How can T1497.002 be detected?
Detection of T1497.002 (User Activity Based Checks) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1497.002?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1497.002?
Known threat groups using T1497.002 include: Darkhotel, FIN7.