Esc

Virtualization/Sandbox Evasion - T1497

(ATT&CK® Technique)

Subtechniques

Definition

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1497["Virtualization/Sandbox Evasion"] --> |may-invoke| GetSystemTime["Get System Time"]; class T1497 OffensiveTechniqueNode;
        class GetSystemTime ArtifactNode; click GetSystemTime href "/dao/artifact/d3f:GetSystemTime";
        click T1497 href "/offensive-technique/attack/T1497/"; click GetSystemTime href "/dao/artifact/d3f:GetSystemTime"; T1497["Virtualization/Sandbox Evasion"] --> |may-run| SystemTimeApplication["System Time Application"]; class T1497 OffensiveTechniqueNode;
        class SystemTimeApplication ArtifactNode; click SystemTimeApplication href "/dao/artifact/d3f:SystemTimeApplication";
        click T1497 href "/offensive-technique/attack/T1497/"; click SystemTimeApplication href "/dao/artifact/d3f:SystemTimeApplication";                          SystemCallAnalysis["System Call Analysis"] -->
          | analyzes | GetSystemTime["Get System Time"];

          SystemCallAnalysis["System Call Analysis"] -.->
            | may-detect | T1497["Virtualization/Sandbox Evasion"] ;
          class SystemCallAnalysis DefensiveTechniqueNode;
          class GetSystemTime ArtifactNode;
          click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; SoftwareUpdate["Software Update"] -->
          | updates | SystemTimeApplication["System Time Application"];

          SoftwareUpdate["Software Update"] -.->
            | may-harden | T1497["Virtualization/Sandbox Evasion"] ;
          class SoftwareUpdate DefensiveTechniqueNode;
          class SystemTimeApplication ArtifactNode;
          click SoftwareUpdate href "/technique/d3f:SoftwareUpdate";                           SystemCallFiltering["System Call Filtering"] -->
          | filters | GetSystemTime["Get System Time"];

          SystemCallFiltering["System Call Filtering"] -.->
            | may-isolate | T1497["Virtualization/Sandbox Evasion"] ;
          class SystemCallFiltering DefensiveTechniqueNode;
          class GetSystemTime ArtifactNode;
          click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";                                RestoreSoftware["Restore Software"] -->
          | restores | SystemTimeApplication["System Time Application"];

          RestoreSoftware["Restore Software"] -.->
            | may-restore | T1497["Virtualization/Sandbox Evasion"] ;
          class RestoreSoftware DefensiveTechniqueNode;
          class SystemTimeApplication ArtifactNode;
          click RestoreSoftware href "/technique/d3f:RestoreSoftware";

json