- Tactics
- stealth , Discovery
- Platforms
- Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1497
Description
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
Adversaries may use several methods to accomplish Virtualization/Sandbox Evasion such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)
Sub-techniques
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the stealth, Discovery tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1006 — Direct Volume Access
- T1007 — System Service Discovery
- T1010 — Application Window Discovery
- T1012 — Query Registry
- T1014 — Rootkit
- T1016 — System Network Configuration Discovery
- T1018 — Remote System Discovery
- T1027 — Obfuscated Files or Information
- T1033 — System Owner/User Discovery
- T1036 — Masquerading
- T1040 — Network Sniffing
- T1046 — Network Service Discovery