Skip to content
Atomic Red Team
atomics
T1497.001

T1497.001 - Virtualization/Sandbox Evasion: System Checks

Description from ATT&CK (opens in a new tab)

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion (opens in a new tab) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)

Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation (opens in a new tab), PowerShell (opens in a new tab), System Information Discovery (opens in a new tab), and Query Registry (opens in a new tab) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.

Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Once executed, malware may also use File and Directory Discovery (opens in a new tab) to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such as malware, sample, or hash.

Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output.

Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)

Atomic Tests


Atomic Test #1 - Detect Virtualization Environment (Linux)

systemd-detect-virt detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected.

Supported Platforms: Linux

auto_generated_guid: dfbd1a21-540d-4574-9731-e852bd6fe840

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

if (systemd-detect-virt) then echo "Virtualization Environment detected"; fi;
if (sudo dmidecode | egrep -i 'manufacturer|product|vendor' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo "Virtualization Environment detected"; fi;


Atomic Test #2 - Detect Virtualization Environment (FreeBSD)

Detects execution in a virtualized environment. At boot, dmesg stores a log if a hypervisor is detected.

Supported Platforms: Linux

auto_generated_guid: e129d73b-3e03-4ae9-bf1e-67fc8921e0fd

Attack Commands: Run with sh! Elevation Required (e.g. root or admin)

if [ "$(sysctl -n hw.hv_vendor)" != "" ]; then echo "Virtualization Environment detected"; fi


Atomic Test #3 - Detect Virtualization Environment (Windows)

Windows Management Instrumentation(WMI) objects contains system information which helps to detect virtualization. This command will specifically attempt to get the CurrentTemperature value from this object and will check to see if the attempt results in an error that contains the word supported. This is meant to find the result of Not supported, which is the result if run in a virtual machine

Supported Platforms: Windows

auto_generated_guid: 502a7dc4-9d6f-4d28-abf2-f0e84692562d

Attack Commands: Run with powershell!

$error.clear()
Get-WmiObject -Query "SELECT * FROM MSAcpi_ThermalZoneTemperature" -ErrorAction SilentlyContinue
if($error) {echo "Virtualization Environment detected"}

Cleanup Commands:

$error.clear()


Atomic Test #4 - Detect Virtualization Environment via ioreg

ioreg contains registry entries for all the device drivers in the system. If it's a virtual machine, one of the device manufacturer will be a Virtualization Software.

Supported Platforms: macOS

auto_generated_guid: a960185f-aef6-4547-8350-d1ce16680d09

Attack Commands: Run with sh!

if (ioreg -l | grep -e Manufacturer -e 'Vendor Name' | grep -iE 'Oracle|VirtualBox|VMWare|Parallels') then echo 'Virtualization Environment detected'; fi;


Atomic Test #5 - Detect Virtualization Environment via WMI Manufacturer/Model Listing (Windows)

Windows Management Instrumentation(WMI) objects contain system information which helps to detect virtualization. This test will get the model and manufacturer of the machine to determine if it is a virtual machine, such as through VMware or VirtualBox.

Supported Platforms: Windows

auto_generated_guid: 4a41089a-48e0-47aa-82cb-5b81a463bc78

Attack Commands: Run with powershell!

$Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Manufacturer"
$Model = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Model"
if((($Manufacturer.ToLower() -eq "microsoft corporation") -and ($Model.ToLower().contains("virtual"))) -or ($Manufacturer.ToLower().contains("vmware")) -or ($Model.ToLower() -eq "virtualbox")) {write-host "Virtualization environment detected!"} else {write-host "No virtualization environment detected!"}


Atomic Test #6 - Detect Virtualization Environment using sysctl (hw.model)

sysctl hw.model will return the model name of the hardware(Macmini8,1, MacBookAir10,1, etc.) in case of native Apple hardware but will return the hypervisor name (VMware7,0). Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#hardware-model (opens in a new tab)

Supported Platforms: macOS

auto_generated_guid: 6beae646-eb4c-4730-95be-691a4094408c

Attack Commands: Run with sh!

if [ "$(sysctl -n hw.model | grep -v 'Mac')" != "" ]; then echo 'Virtualization Environment detected'; fi;


Atomic Test #7 - Check if System Integrity Protection is enabled

The latest versions of macOS have the System Integrity Protection feature (SIP). If a sandbox uses a non-signed kernel extension for monitoring purposes the, SIP feature must be disabled to load this kind of kernel extension. Malware may check if the SIP is enabled. Reference: https://evasions.checkpoint.com/src/MacOS/macos.html#sip (opens in a new tab)

Supported Platforms: macOS

auto_generated_guid: 2b73cd9b-b2fb-4357-b9d7-c73c41d9e945

Attack Commands: Run with sh!

if [ "$(csrutil status | grep -v 'enabled')" != "" ]; then echo 'Possible Virtualization Environment detected'; fi;


Atomic Test #8 - Detect Virtualization Environment using system_profiler

system_profiler provides system hardware and software configuration and the Model Identifier should provide the value similar to (sysctl -n hw.model). We should be able to find whether virtualization is enabled by checking whether the Model Identifier does not contain "Mac".

Supported Platforms: macOS

auto_generated_guid: e04d2e89-de15-4d90-92f9-a335c7337f0f

Attack Commands: Run with sh!

if [ "$(system_profiler SPHardwareDataType | grep "Model Identifier" | grep -v 'Mac')" != "" ]; then echo 'Virtualization Environment detected'; fi;

T1496T1497.003