Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >ATTACK
  3. >Defense Evasion
  4. >ATTACK-T1497.001
ATTACK-T1497.001Active

System Checks

Statement

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)

Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.

Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Once executed, malware may also use File and Directory Discovery to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such as malware, sample, or hash.

Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output.

Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)

Location

Tactic
Defense Evasion

Technique Details

Identifier
ATTACK-T1497.001
Parent Technique
ATTACK-T1497
ATT&CK Page
View on MITRE

Tactics

Defense EvasionDiscovery

Platforms

LinuxmacOSWindows

Detection

Virtualization/Sandbox Evasion via System Checks across Windows, Linux, macOS

No cross-framework mappings available

← Back to Defense Evasion
Defense Evasion183 controls
ATTACK-T1006Direct Volume AccessATTACK-T1014RootkitATTACK-T1027Obfuscated Files or InformationATTACK-T1027.001Binary PaddingATTACK-T1027.002Software PackingATTACK-T1027.003SteganographyATTACK-T1027.004Compile After DeliveryATTACK-T1027.005Indicator Removal from ToolsATTACK-T1027.006HTML SmugglingATTACK-T1027.007Dynamic API ResolutionATTACK-T1027.008Stripped PayloadsATTACK-T1027.009Embedded PayloadsATTACK-T1027.010Command ObfuscationATTACK-T1027.011Fileless StorageATTACK-T1027.012LNK Icon SmugglingATTACK-T1027.013Encrypted/Encoded FileATTACK-T1027.014Polymorphic CodeATTACK-T1027.015CompressionATTACK-T1027.016Junk Code InsertionATTACK-T1027.017SVG SmugglingATTACK-T1036MasqueradingATTACK-T1036.001Invalid Code SignatureATTACK-T1036.002Right-to-Left OverrideATTACK-T1036.003Rename Legitimate UtilitiesATTACK-T1036.004Masquerade Task or ServiceATTACK-T1036.005Match Legitimate Resource Name or LocationATTACK-T1036.006Space after FilenameATTACK-T1036.007Double File ExtensionATTACK-T1036.008Masquerade File TypeATTACK-T1036.009Break Process TreesATTACK-T1036.010Masquerade Account NameATTACK-T1036.011Overwrite Process ArgumentsATTACK-T1036.012Browser FingerprintATTACK-T1055Process InjectionATTACK-T1055.001Dynamic-link Library InjectionATTACK-T1055.002Portable Executable InjectionATTACK-T1055.003Thread Execution HijackingATTACK-T1055.004Asynchronous Procedure CallATTACK-T1055.005Thread Local StorageATTACK-T1055.008Ptrace System CallsATTACK-T1055.009Proc MemoryATTACK-T1055.011Extra Window Memory InjectionATTACK-T1055.012Process HollowingATTACK-T1055.013Process DoppelgängingATTACK-T1055.014VDSO HijackingATTACK-T1055.015ListPlantingATTACK-T1070Indicator RemovalATTACK-T1070.001Clear Windows Event LogsATTACK-T1070.002Clear Linux or Mac System LogsATTACK-T1070.003Clear Command HistoryATTACK-T1070.004File DeletionATTACK-T1070.005Network Share Connection RemovalATTACK-T1070.006TimestompATTACK-T1070.007Clear Network Connection History and ConfigurationsATTACK-T1070.008Clear Mailbox DataATTACK-T1070.009Clear PersistenceATTACK-T1070.010Relocate MalwareATTACK-T1078Valid AccountsATTACK-T1078.001Default AccountsATTACK-T1078.002Domain AccountsATTACK-T1078.003Local AccountsATTACK-T1078.004Cloud AccountsATTACK-T1112Modify RegistryATTACK-T1127Trusted Developer Utilities Proxy ExecutionATTACK-T1127.001MSBuildATTACK-T1127.002ClickOnceATTACK-T1127.003JamPlusATTACK-T1134Access Token ManipulationATTACK-T1134.001Token Impersonation/TheftATTACK-T1134.002Create Process with TokenATTACK-T1134.003Make and Impersonate TokenATTACK-T1134.004Parent PID SpoofingATTACK-T1134.005SID-History InjectionATTACK-T1140Deobfuscate/Decode Files or InformationATTACK-T1197BITS JobsATTACK-T1202Indirect Command ExecutionATTACK-T1205Traffic SignalingATTACK-T1205.001Port KnockingATTACK-T1205.002Socket FiltersATTACK-T1207Rogue Domain ControllerATTACK-T1211Exploitation for Defense EvasionATTACK-T1216System Script Proxy ExecutionATTACK-T1216.001PubPrnATTACK-T1216.002SyncAppvPublishingServerATTACK-T1218System Binary Proxy ExecutionATTACK-T1218.001Compiled HTML FileATTACK-T1218.002Control PanelATTACK-T1218.003CMSTPATTACK-T1218.004InstallUtilATTACK-T1218.005MshtaATTACK-T1218.007MsiexecATTACK-T1218.008OdbcconfATTACK-T1218.009Regsvcs/RegasmATTACK-T1218.010Regsvr32ATTACK-T1218.011Rundll32ATTACK-T1218.012VerclsidATTACK-T1218.013MavinjectATTACK-T1218.014MMCATTACK-T1218.015Electron ApplicationsATTACK-T1220XSL Script ProcessingATTACK-T1221Template InjectionATTACK-T1222File and Directory Permissions ModificationATTACK-T1222.001Windows File and Directory Permissions ModificationATTACK-T1222.002Linux and Mac File and Directory Permissions ModificationATTACK-T1480Execution GuardrailsATTACK-T1480.001Environmental KeyingATTACK-T1480.002Mutual ExclusionATTACK-T1484Domain or Tenant Policy ModificationATTACK-T1484.001Group Policy ModificationATTACK-T1484.002Trust ModificationATTACK-T1497Virtualization/Sandbox EvasionATTACK-T1497.001System ChecksATTACK-T1497.002User Activity Based ChecksATTACK-T1497.003Time Based ChecksATTACK-T1535Unused/Unsupported Cloud RegionsATTACK-T1542Pre-OS BootATTACK-T1542.004ROMMONkitATTACK-T1542.005TFTP BootATTACK-T1548.006TCC ManipulationATTACK-T1550Use Alternate Authentication MaterialATTACK-T1550.001Application Access TokenATTACK-T1550.002Pass the HashATTACK-T1550.003Pass the TicketATTACK-T1550.004Web Session CookieATTACK-T1553Subvert Trust ControlsATTACK-T1553.001Gatekeeper BypassATTACK-T1553.002Code SigningATTACK-T1553.003SIP and Trust Provider HijackingATTACK-T1553.004Install Root CertificateATTACK-T1553.005Mark-of-the-Web BypassATTACK-T1553.006Code Signing Policy ModificationATTACK-T1562Impair DefensesATTACK-T1562.001Disable or Modify ToolsATTACK-T1562.002Disable Windows Event LoggingATTACK-T1562.003Impair Command History LoggingATTACK-T1562.004Disable or Modify System FirewallATTACK-T1562.006Indicator BlockingATTACK-T1562.007Disable or Modify Cloud FirewallATTACK-T1562.008Disable or Modify Cloud LogsATTACK-T1562.009Safe Mode BootATTACK-T1562.010Downgrade AttackATTACK-T1562.011Spoof Security AlertingATTACK-T1562.012Disable or Modify Linux Audit SystemATTACK-T1562.013Disable or Modify Network Device FirewallATTACK-T1564Hide ArtifactsATTACK-T1564.001Hidden Files and DirectoriesATTACK-T1564.002Hidden UsersATTACK-T1564.003Hidden WindowATTACK-T1564.004NTFS File AttributesATTACK-T1564.005Hidden File SystemATTACK-T1564.006Run Virtual InstanceATTACK-T1564.007VBA StompingATTACK-T1564.008Email Hiding RulesATTACK-T1564.009Resource ForkingATTACK-T1564.010Process Argument SpoofingATTACK-T1564.011Ignore Process InterruptsATTACK-T1564.012File/Path ExclusionsATTACK-T1564.013Bind MountsATTACK-T1564.014Extended AttributesATTACK-T1578Modify Cloud Compute InfrastructureATTACK-T1578.001Create SnapshotATTACK-T1578.002Create Cloud InstanceATTACK-T1578.003Delete Cloud InstanceATTACK-T1578.004Revert Cloud InstanceATTACK-T1578.005Modify Cloud Compute ConfigurationsATTACK-T1599Network Boundary BridgingATTACK-T1599.001Network Address Translation TraversalATTACK-T1600Weaken EncryptionATTACK-T1600.001Reduce Key SpaceATTACK-T1600.002Disable Crypto HardwareATTACK-T1601Modify System ImageATTACK-T1601.001Patch System ImageATTACK-T1601.002Downgrade System ImageATTACK-T1610Deploy ContainerATTACK-T1612Build Image on HostATTACK-T1620Reflective Code LoadingATTACK-T1622Debugger EvasionATTACK-T1647Plist File ModificationATTACK-T1656ImpersonationATTACK-T1666Modify Cloud Resource HierarchyATTACK-T1672Email SpoofingATTACK-T1678Delay ExecutionATTACK-T1679Selective Exclusion