DET0168 Virtualization/Sandbox Evasion via System Checks across Windows, Linux, macOS
| Item | Value |
| --- | --- |
| ID | DET0168 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1497.001 (System Checks)
Analytics
Windows
AN0478
Script or binary performs a rapid sequence of system discovery checks (e.g., CPU count, RAM size, registry keys, running processes) indicative of VM detection
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| TimeWindow | Sequence of system enumeration events within X seconds |
| ProcessAncestry | Parent-child lineage to identify potentially suspicious launch sources (e.g., Office, browser, WMI, PowerShell) |
| UserContext | Limit to non-admin or interactive sessions if desired |
Linux
AN0479
Shell script or binary invokes multiple system commands (e.g., dmidecode, lscpu, lspci) in quick succession to detect a virtualization environment
Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | auditd:SYSCALL | execve of system tools such as dmidecode, lspci, lscpu, dmesg, systemd-detect-virt |
Mutable Elements
| Field | Description |
| --- | --- |
| TimeWindow | Burst of system info commands within X seconds |
| CommandPattern | Regex or substring matching virtualization artifact checks |
macOS
AN0480
Bash, Swift, or Objective-C programs enumerate the system profile or I/O registry, or inspect loaded kernel extensions, to identify VM artifacts
Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| Process Creation (DC0032) | macos:unifiedlog | exec or spawn of system_profiler, ioreg, kextstat, sysctl, or calls to the sysctl API |
Mutable Elements
| Field | Description |
| --- | --- |
| ExecutionBurst | Threshold of sequential system checks or tools used in a short time |
| ToolName | Specific tools used for querying device and system metadata |