System Checks

Information

• Name: System Checks

• ID: T1497.001

• Tactics: TA0005, TA0007

• Technique: T1497

Introduction

System Checks (T1497.001) is a sub-technique under the MITRE ATT&CK framework categorized within the "Virtualization/Sandbox Evasion" tactic. Adversaries leverage this technique to detect and evade analysis environments by performing system checks to identify virtualization, sandbox environments, or other indicators of analysis. By recognizing these environments, attackers can halt malicious execution, modify behavior, or deploy decoys to mislead defenders and evade detection.

Deep Dive Into Technique

System Checks involve adversaries executing specific commands, scripts, or API calls to detect virtualization or sandbox environments. Attackers typically look for specific artifacts or environmental characteristics that indicate an analysis or testing environment.

Common execution methods and mechanisms include:

• System Information Queries:

  • On Windows:

    • Using built-in commands such as systeminfo, wmic, or querying registry keys.

    • Checking BIOS information via wmic bios get serialnumber or wmic computersystem get model.

  • On Linux:

    • Executing commands such as dmidecode, lscpu, or inspecting /sys/class/dmi/id/*.

• Hardware and Device Checks:

  • Inspecting hardware identifiers, MAC addresses, or hardware serial numbers.

  • Checking for known virtualization-related hardware identifiers (e.g., VMware, VirtualBox, Hyper-V).

• Process and Service Checks:

  • Enumerating running processes or services associated with virtualization or sandbox environments (e.g., vmtoolsd.exe, vboxservice.exe).

  • Checking for sandbox-specific processes like "Cuckoo Sandbox" or "Joe Sandbox".

• File System and Registry Checks:

  • Searching for virtualization-specific files, drivers, or registry keys.

  • Examples include registry paths such as HKLM\HARDWARE\ACPI\DSDT\VBOX__ or specific driver files like VBoxMouse.sys.

• Timing Checks:

  • Measuring execution time for certain operations to detect timing discrepancies indicative of virtualized or sandboxed environments.

Attackers may combine multiple checks to increase accuracy and reduce false positives, ensuring evasion of automated analysis tools.

When this Technique is Usually Used

Adversaries typically employ System Checks at various stages of an attack lifecycle, especially during initial compromise, execution, and persistence phases, including:

• Initial Access and Delivery:

  • Malware delivered via phishing emails or malicious downloads commonly performs system checks immediately upon execution to determine if it is in a sandbox or virtual machine before proceeding.

• Execution and Defense Evasion:

  • Malware may halt execution or alter its behavior if virtualization or sandboxing is detected, reducing the likelihood of being analyzed or detected by security tools.

• Persistence and Command & Control:

  • Advanced persistent threats (APTs) may continuously monitor their environment to detect changes or analysis attempts, allowing them to adapt or terminate their activities proactively.

• Reconnaissance and Lateral Movement:

  • Attackers may run system checks on newly compromised systems to ensure they have landed on actual targets rather than decoy or honeypot systems.

How this Technique is Usually Detected

Detection of System Checks can be achieved through multiple methods, including monitoring system activity, analyzing logs, and identifying suspicious behaviors:

• Process Monitoring and Command Execution Logs:

  • Monitor execution of commands such as systeminfo, wmic, dmidecode, and similar system enumeration tools.

  • Look for unusual or unexpected command-line arguments indicative of virtualization checks.

• Endpoint Detection and Response (EDR) Tools:

  • EDR solutions can detect suspicious API calls or system queries associated with virtualization detection.

  • Behavioral analysis modules in EDR can flag processes performing multiple environment checks in rapid succession.

• Sandbox and Virtualization Tools:

  • Specialized sandbox environments can log attempts by malware to detect virtualization or sandbox presence, providing indicators of compromise (IoCs).

• Indicators of Compromise (IoCs):

  • Suspicious registry queries or file system checks for known virtualization artifacts.

  • Strings and binaries containing keywords such as "VirtualBox", "VMware", "Hyper-V", or "QEMU".

  • Repeated execution of commands intended to detect sandbox or virtualized environments.

• Behavioral Analysis and Machine Learning:

  • ML-based security tools can detect anomalous behavior patterns related to virtualization checks, flagging potential malicious activity.

Why it is Important to Detect This Technique

Early detection of System Checks is crucial for several reasons:

• Preventing Evasion and Ensuring Analysis Accuracy:

  • Identifying attempts to detect sandbox or virtualization environments ensures malware analysis remains effective, allowing defenders to capture the true intent and capabilities of malicious software.

• Reducing Attackers' Ability to Adapt:

  • Early detection restricts attackers from adapting their techniques or halting execution, leading to better understanding of attacker methods and improved defense strategies.

• Minimizing Damage and Compromise:

  • Detecting virtualization checks early can prevent attackers from proceeding further into the attack lifecycle, thereby reducing potential damage, data loss, or system compromise.

• Enhancing Defensive Capabilities:

  • Understanding how attackers check for analysis environments allows security teams to strengthen their sandbox and virtualization environments, making them harder to detect and evade.

• Improving Threat Intelligence and Incident Response:

  • Detecting system checks provides valuable intelligence about attacker methodologies and tools, enabling faster and more effective incident response.

Examples

Real-world examples of System Checks usage include:

• TrickBot Malware:

  • TrickBot performs multiple system checks upon initial execution, querying registry keys and system information commands (systeminfo) to detect sandbox environments. If detected, it typically halts execution or significantly alters its behavior to avoid analysis.

• Emotet Malware:

  • Emotet has been observed querying BIOS information using commands like wmic bios get serialnumber and checking MAC addresses to detect common virtualization environments (e.g., VMware, VirtualBox). If virtualization is detected, Emotet terminates execution immediately.

• APT29 (Cozy Bear):

  • APT29 malware samples have included scripts that perform extensive checks for virtualization artifacts, including querying running processes, checking registry keys, and inspecting hardware identifiers. If sandbox or virtualization environments are detected, the malware may cease operations or deploy decoy payloads.

• Cobalt Strike Beacon:

  • Various threat actors using Cobalt Strike have incorporated scripts and modules that perform systematic checks for sandbox environments, including querying system uptime, checking for virtualization-related processes, and inspecting hardware identifiers. Detection results influence whether the beacon continues execution, adapts its behavior, or terminates.

• DarkSide Ransomware:

  • DarkSide ransomware performs multiple system checks to detect virtualization environments, including querying registry keys and checking running processes for sandbox analysis tools. If detected, it stops execution to evade analysis and detection.

These examples illustrate the widespread use of System Checks across diverse malware families and threat actors, emphasizing the importance of robust detection and mitigation strategies.