T1497 Virtualization/Sandbox Evasion Mappings

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

Adversaries may use several methods to accomplish Virtualization/Sandbox Evasion such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CVE-2020-0981 Windows 10 Version 1909 for 32-bit Systems secondary_impact T1497 Virtualization/Sandbox Evasion
CVE-2018-8489 Windows 7 primary_impact T1497 Virtualization/Sandbox Evasion
CVE-2019-0808 Windows uncategorized T1497 Virtualization/Sandbox Evasion
CVE-2012-4681 n/a uncategorized T1497 Virtualization/Sandbox Evasion
CVE-2011-3544 n/a uncategorized T1497 Virtualization/Sandbox Evasion
CVE-2015-1494 n/a uncategorized T1497 Virtualization/Sandbox Evasion
CVE-2019-9081 uncategorized T1497 Virtualization/Sandbox Evasion
action.hacking.vector.Hypervisor Hypervisor break-out attack related-to T1497 Virtualization/Sandbox Evasion
action.hacking.vector.Inter-tenant Penetration of another VM or web site on shared device or infrastructure related-to T1497 Virtualization/Sandbox Evasion
action.malware.variety.Disable controls Disable or interfere with security controls related-to T1497 Virtualization/Sandbox Evasion

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1497.001 System Checks 1
T1497.003 Time Based Evasion 1
T1497.002 User Activity Based Checks 1