Skip to content

DET0420 Detect User Activity Based Sandbox Evasion via Input & Artifact Probing

Item Value
ID DET0420
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1497.002 (User Activity Based Checks)

Analytics

Windows

AN1182

Process execution that probes user activity artifacts (e.g., desktop files, registry history) following recent user login/unlock events.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
Logon Session Metadata (DC0088) WinEventLog:Security EventCode=4800, 4801
Mutable Elements
Field Description
TimeWindow Window between user unlock and access to user history
UserContext Focus on non-system accounts doing user activity probing

Linux

AN1183

Access to shell history or GUI input state (xdotool, xinput) for presence validation prior to payload execution.

Log Sources
Data Component Name Channel
File Access (DC0055) auditd:SYSCALL Reads of ~/.bash_history, ~/.mozilla, or access to /dev/input
Command Execution (DC0064) auditd:SYSCALL Execution of xev, xdotool, or input activity emulators
Mutable Elements
Field Description
ArtifactCountThreshold Number of distinct user files accessed before trigger
KnownToolSignatures Suppress expected automation tools

macOS

AN1184

API usage or filesystem access revealing user state or browser artifacts (e.g., Safari bookmarks, CGEventState).

Log Sources
Data Component Name Channel
OS API Execution (DC0021) macos:unifiedlog Execution of input detection APIs (e.g., CGEventSourceKeyState)
File Access (DC0055) macos:unifiedlog Access to ~/Library/Safari/Bookmarks.plist or recent files
Mutable Elements
Field Description
TimeWindow Temporal correlation between login and file access
UserContext Exclude expected UI activity from login agents