AN0127: Analytic 0127
Execution of discovery commands or API calls for virtualization artifacts (e.g., registry keys, device drivers, services), sleep/skipped execution behavior, or sandbox evasion DLLs before payload deployment.
Analyst context for executives and security teams
This analytic is about spotting Windows activity that checks whether a system is virtualized, sandboxed, or otherwise instrumented before a payload runs. For security leaders, the value is not just malware detection; it is evidence that an intrusion may be trying to avoid analysis, bypass SOC visibility, or delay execution until defenses are less effective.
Executive priority
Prioritize this as a validation point for incident readiness and managed detection quality. If the organization cannot see common virtualization-artifact checks, suspicious sleep or skipped-execution behavior, or sandbox-evasion DLL usage on Windows endpoints, responders may miss early warning signs before later payload deployment. It is also useful audit evidence for endpoint telemetry coverage and malware-analysis readiness, but the supplied ATT&CK object does not identify a specific tactic, actor, campaign, or impact.
Technical view
SOC and detection teams should validate Windows endpoint visibility for processes, command lines, registry access, service and driver enumeration, DLL loads, and execution timing anomalies associated with discovery of virtualization or sandbox artifacts. Because no official detection logic is provided, teams should treat AN0127 as a coverage objective rather than a ready-to-run rule. Confirm whether endpoint telemetry can distinguish normal software inventory, administration, and virtualization tooling from suspicious pre-payload environment checks.
Likely telemetry
- Windows process creation and command-line telemetry
- Registry key access or query events related to virtualization artifacts
- Service and device driver enumeration events
- DLL load telemetry, especially for sandbox-evasion-related libraries where visible
- Endpoint detection and response alerts or behavioral traces
Detection direction
- Build or validate behavioral detections around clusters of virtualization, sandbox, driver, service, and registry artifact checks before unknown or suspicious payload execution.
- Tune for false positives from legitimate virtualization platforms, enterprise inventory tools, software deployment systems, EDR components, and administrative scripts.
- Correlate environment-discovery behavior with file reputation, parent-child process lineage, unsigned or unusual binaries, and subsequent payload activity rather than alerting on a single benign-looking query.
- Identify blind spots where command-line logging, registry telemetry, DLL load visibility, or endpoint sensor coverage is incomplete on Windows systems.
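As an added example (not AN0127's own logic or anything from the ATT&CK object), the following Python scores per-process clusters of virtualization, driver/service, registry and delay artifact checks over constructed, normalized endpoint events, skipping an allowlisted inventory tool to show the false-positive tuning the bullets above call for. The event schema, keyword watchlist, allowlist path and the "sleep" event type are assumptions.

```python
"""Added example, not AN0127's own logic: score per-process clusters of artifact checks."""
from collections import defaultdict

# Constructed keyword watchlist for virtualization artifacts; extend per environment.
VIRT_KEYWORDS = ("vmware", "vbox", "virtualbox", "qemu", "hyper-v", "vmci", "xen")
# Hypothetical allowlist of legitimate inventory/admin tooling (assumption, not from the page).
ALLOWLIST = {r"c:\program files\inventoryagent\agent.exe"}

def categorize(event):
    """Map one normalized event to an artifact-check category, or None if benign."""
    target = event.get("target", "").lower()
    hit = any(k in target for k in VIRT_KEYWORDS)
    if event["type"] == "registry_query" and hit:
        return "registry"
    if event["type"] in ("service_enum", "driver_enum") and hit:
        return "driver_service"
    if event["type"] == "process_create" and hit:
        return "command"
    # "sleep" is assumed to come from a behavioral trace; long delays before payload count.
    if event["type"] == "sleep" and event.get("seconds", 0) >= 60:
        return "delay"
    return None

def score_processes(events, window=300, min_categories=2):
    """Flag pids hitting >= min_categories distinct categories within `window` seconds
    of their first artifact check; allowlisted images are skipped (false-positive tuning)."""
    by_pid = defaultdict(list)
    for e in events:
        cat = categorize(e)
        if cat:
            by_pid[e["pid"]].append((e["ts"], cat, e["image"].lower()))
    flagged = {}
    for pid, hits in by_pid.items():
        hits.sort()
        if hits[0][2] in ALLOWLIST:
            continue
        first = hits[0][0]
        cats = {c for ts, c, _ in hits if ts - first <= window}
        if len(cats) >= min_categories:
            flagged[pid] = sorted(cats)
    return flagged

TMP, AGENT = r"C:\Users\u\AppData\Local\Temp\update.exe", r"C:\Program Files\InventoryAgent\agent.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"ts": 100, "pid": 41, "image": TMP, "type": "registry_query",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest"},
    {"ts": 102, "pid": 41, "image": TMP, "type": "driver_enum", "target": "vmci.sys"},
    {"ts": 105, "pid": 41, "image": TMP, "type": "sleep", "seconds": 180},
    {"ts": 200, "pid": 77, "image": AGENT, "type": "registry_query", "target": r"SOFTWARE\VMware, Inc."},
    {"ts": 201, "pid": 77, "image": AGENT, "type": "service_enum", "target": "VMware Tools"},
    {"ts": 300, "pid": 90, "image": r"C:\Windows\System32\cmd.exe", "type": "process_create", "target": "systeminfo"},
]
```

Running `score_processes(SAMPLE_EVENTS)` flags only pid 41; the inventory agent is suppressed by the allowlist and the lone `systeminfo` call never reaches the category threshold.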
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage are enabled on systems where malware execution risk is material.
- Harden and monitor script and binary execution paths used by untrusted files, email attachments, downloads, and temporary directories.
- Maintain malware-analysis and sandbox processes that account for evasion and delayed execution behavior.
- Use detection engineering reviews to convert this analytic into environment-specific logic with documented assumptions, false-positive handling, and response playbooks.
Analyst notes and limits
AN0127 is a detection analytic for Windows focused on virtualization, sandbox, and evasion checks before payload deployment. Its practical value is in validating whether defenders can observe evasive pre-execution behavior, not in asserting that any single artifact is malicious.
The supplied ATT&CK fields provide no official detection logic, no tactics, no relationships, no procedures, and no mitigation mappings. Local endpoint telemetry, baseline software behavior, and incident context are required to turn this into reliable detection content.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | a90823c7a6cd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0127 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.