ID | Name |
---|---|
T1497.001 | System Checks |
T1497.002 | User Activity Based Checks |
T1497.003 | Time Based Evasion |
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.[1]
Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.
Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapter addresses, CPU core count, and available memory/drive size.
Other common checks may enumerate running services that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.[2] In applications like VMware, adversaries can also use a special I/O port to send commands and receive output.
Hardware checks, such as the presence of a fan, temperature sensors, and audio devices, could also be used to gather evidence that can be indicative of a virtual environment. Adversaries may also query for specific readings from these devices.[3]
ID | Name | Description |
---|---|---|
S0373 | Astaroth | Astaroth can check for Windows product IDs used by sandboxes and usernames and disk serial numbers associated with analyst environments.[4] |
S0438 | Attor | Attor can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and using VM-specific instructions.[5] |
S0337 | BadPatch | BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information.[6] |
S0657 | BLUELIGHT | BLUELIGHT can check to see if the infected machine has VM tools running.[7] |
S0527 | CSPY Downloader | CSPY Downloader can search loaded modules, PEB structure, file paths, Registry keys, and memory to determine if it is being debugged or running in a virtual environment.[8] |
G0012 | Darkhotel | Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with |
S0354 | Denis | Denis ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis.[11] |
S0024 | Dyre | Dyre can detect sandbox analysis environments by inspecting the process list and Registry.[12][13] |
S0396 | EvilBunny | EvilBunny's dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment.[14] |
G0120 | Evilnum | Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments.[15] |
S0182 | FinFisher | FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments.[16] |
G0101 | Frankenstein | Frankenstein has used WMI queries to check if various security applications were running, including VMware and VirtualBox.[17] |
S0588 | GoldMax | GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to |
S0531 | Grandoreiro | Grandoreiro can detect VMware via its I/O port and Virtual PC via the |
S0237 | GravityRAT | GravityRAT uses WMI to check the BIOS and manufacturer information for strings like "VMWare", "Virtual", and "XEN" and another WMI request to get the current temperature of the hardware to determine if it's a virtual machine environment.[21] |
S0561 | GuLoader | GuLoader has the ability to perform anti-VM and anti-sandbox checks using string hashing, the API call |
S0260 | InvisiMole | InvisiMole can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected.[23] |
S0532 | Lucifer | Lucifer can check for specific usernames, computer names, device drivers, DLLs, and virtual devices associated with sandboxed environments and can enter an infinite loop and stop itself if any are detected.[24] |
S0576 | MegaCortex | MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator.[25] |
S0637 | NativeZone | NativeZone has checked if VMware or VirtualBox VM is running on a compromised host.[26] |
S0644 | ObliqueRAT | ObliqueRAT can halt execution if it identifies processes belonging to virtual machine software or analysis tools.[27] |
G0049 | OilRig | OilRig has used macros to verify if a mouse is connected to a compromised machine.[28] |
S0439 | Okrum | Okrum's loader can check the amount of physical memory and terminates itself if the host has less than 1.5 Gigabytes of physical memory in total.[29] |
S0264 | OopsIE | OopsIE performs several anti-VM and sandbox checks on the victim's machine. One technique the group has used was to perform a WMI query |
S0352 | OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D has variants that check a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as |
S0626 | P8RAT | P8RAT can check the compromised host for processes associated with VMware or VirtualBox environments.[32] |
S0013 | PlugX | PlugX checks if VMware tools is running in the background by searching for any process named "vmtoolsd".[33] |
S0428 | PoetRAT | PoetRAT checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of "License.txt" and exiting.[34] |
S0192 | Pupy | Pupy has a module that checks a number of indicators on the system to determine if it's running on a virtual machine.[35] |
S0650 | QakBot | QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.[36][37] |
S0332 | Remcos | |
S0270 | RogueRobin | RogueRobin uses WMI to check BIOS version for VBOX, bochs, qemu, virtualbox, and vm to check for evidence that the script might be executing within an analysis environment.[39][40] |
S0240 | ROKRAT | |
S0226 | Smoke Loader | Smoke Loader scans processes to perform anti-VM checks.[43] |
S0627 | SodaMaster | SodaMaster can check for the presence of the Registry key |
S0559 | SUNBURST | SUNBURST checked the domain name of the compromised host to verify it was running in a real environment.[44] |
S0242 | SynAck | SynAck checks its directory location in an attempt to avoid launching in a sandbox.[45][46] |
S0595 | ThiefQuest | ThiefQuest uses a function named |
S0094 | Trojan.Karagany | Trojan.Karagany can detect commonly used and generic virtualization platforms based primarily on drivers and file paths.[47] |
S0333 | UBoatRAT | UBoatRAT checks for virtualization software such as VMware, VirtualBox, or QEMU on the compromised machine.[48] |
S0612 | WastedLocker | WastedLocker checked if UCOMIEnumConnections and IActiveScriptParseProcedure32 Registry keys were detected as part of its anti-analysis technique.[49] |
S0248 | yty | yty has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware.[50] |
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | OS API Execution |
DS0009 | Process | Process Creation |
Virtualization/sandbox related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.
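One way to apply the detection guidance above, as an added example that is not part of the original ATT&CK page: group process-creation events by parent and flag a parent whose children touch several distinct discovery categories inside a short window. The category patterns, the 60-second window, the three-category threshold and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Categories follow the checks described above; patterns are illustrative, not exhaustive.
CATEGORIES = {
    "wmi_hardware": re.compile(r"(wmic|get-wmiobject|get-ciminstance).*(bios|diskdrive|baseboard|computersystem)", re.I),
    "wmi_sensor": re.compile(r"(msacpi_thermalzonetemperature|win32_fan)", re.I),
    "registry_query": re.compile(r"\breg(\.exe)?\s+query\b", re.I),
    "process_list": re.compile(r"\b(tasklist|get-process)\b", re.I),
    "system_info": re.compile(r"\bsysteminfo\b", re.I),
}

def categorize(cmdline):
    return {name for name, rx in CATEGORIES.items() if rx.search(cmdline)}

def find_bursts(events, window=timedelta(seconds=60), min_categories=3):
    """Map (host, parent_pid) -> categories seen when a burst crosses the threshold."""
    by_parent = defaultdict(list)
    for ts, host, ppid, cmd in events:
        for cat in categorize(cmd):
            by_parent[(host, ppid)].append((datetime.fromisoformat(ts), cat))
    flagged = {}
    for key, hits in by_parent.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            cats = {c for _, c in hits[start:end + 1]}
            if len(cats) >= min_categories:
                flagged[key] = sorted(cats)
                break
    return flagged

# Constructed process-creation events: (timestamp, host, parent PID, command line)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:01", "ws01", 4120, "wmic bios get manufacturer,version"),
    ("2024-01-01T10:00:03", "ws01", 4120, "wmic diskdrive get model"),
    ("2024-01-01T10:00:05", "ws01", 4120, r"reg query HKLM\HARDWARE\DESCRIPTION\System"),
    ("2024-01-01T10:00:09", "ws01", 4120, "tasklist /fo csv"),
    ("2024-01-01T09:00:00", "ws02", 900, "systeminfo"),
    ("2024-01-01T11:30:00", "ws02", 900, "tasklist"),
    ("2024-01-01T14:00:00", "ws02", 900, r"reg query HKCU\Software\Example"),
]

if __name__ == "__main__":
    for (host, ppid), cats in find_bursts(SAMPLE_EVENTS).items():
        print(f"{host} parent={ppid} discovery burst: {', '.join(cats)}")
```

The ws02 events use the same commands but are spread over hours, so only the ws01 parent is flagged; thresholds need tuning against the administrative and inventory tooling in a given environment.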