🍎 LOAS

T1497

Virtualization/Sandbox Evasion

Description from ATT&CK

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)

Adversaries may use several methods to accomplish Virtualization/Sandbox Evasion such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)

Tests

Test #1 - Check memory profiler for virtualization artifacts

Checks system memory profiler output for virtualization artifacts through AppleScript's do shell script command.

set memData to do shell script "system_profiler SPMemoryDataType"
if memData contains "QEMU" or memData contains "VMware" then
  return "Virtualization artifact detected"
else
  return "No virtualization artifacts detected"
end if

Download Files

Download .scpt Download .swift Download Binary Download Application Bundle

Test #2 - Check hardware profiler for virtualization artifacts

Checks hardware profiler output for common virtual machine indicators using AppleScript.

set hardwareData to do shell script "system_profiler SPHardwareDataType"
ignoring case
  if hardwareData contains "vmware" or hardwareData contains "virtualbox" or hardwareData contains "parallels" or hardwareData contains "qemu" then
    return "Virtualization artifact detected"
  else
    return "No virtualization artifacts detected"
  end if
end ignoring

Download Files

Download .scpt Download .swift Download Binary Download Application Bundle

References

T1491.001

Defacement Internal Defacement

T1518.001

Security Software Discovery

On this page

Description from ATT&CKTestsTest #1 - Check memory profiler for virtualization artifactsTest #2 - Check hardware profiler for virtualization artifactsReferences