AN0478: Analytic 0478
Script or binary performs a rapid sequence of system discovery checks (e.g., CPU count, RAM size, registry keys, running processes) indicative of VM detection
Analyst context for executives and security teams
This analytic is about spotting Windows scripts or binaries that quickly check multiple system characteristics, such as CPU count, RAM size, registry keys, and running processes, in a pattern consistent with virtual machine detection. For security leaders, the value is not simply finding “discovery” activity; it is validating whether the SOC can recognize software that may be trying to determine whether it is running in an analysis, sandbox, or virtualized environment.
Executive priority
Prioritize this as a SOC and incident response readiness question: can your team see rapid host-environment checks on Windows endpoints, and can they distinguish legitimate inventory or management activity from suspicious VM-detection-like behavior? This matters for managed detection quality, malware triage, and evidence generation during investigations. Because no ATT&CK tactic, technique relationship, or detection logic is supplied, this should be treated as a coverage-validation item rather than a standalone high-confidence risk indicator.
Technical view
On Windows, validate whether endpoint telemetry can show a short time-window sequence of system discovery checks by the same process, script host, or binary. The supplied analytic examples include CPU count, RAM size, registry key inspection, and running process enumeration. Detection engineering should focus on correlating several distinct discovery signals from one process within a short window rather than on any single command, script line, or API call, since individual checks are common in benign software, inventory tooling, installers, and administrative scripts.
Likely telemetry
- Windows process creation and command-line telemetry
- Script execution telemetry where available
- Registry access or registry query telemetry
- Process enumeration or process listing activity
- Endpoint detection and response behavioral events
Detection direction
- Validate correlation logic that groups multiple system discovery checks by process, user, host, and short time window.
- Tune for known benign software inventory, endpoint management, installers, diagnostics, and administrative scripts that legitimately query CPU, memory, registry, or process state.
- Review parent process context, script host usage, unsigned or unusual binaries, and execution from uncommon paths where local telemetry supports it.
- Do not rely on any single discovery check as suspicious by itself; the supplied analytic is specifically about a rapid sequence of checks.
- Because no official detection logic is provided, require local testing against representative Windows administrative and enterprise software activity before alert promotion.
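The correlation the technical view and the points above call for, as an added example that is not part of the ATT&CK analytic or of this page: a small Python correlator that groups normalized Windows telemetry by host and process, counts how many distinct discovery categories one process touches inside a sliding window, suppresses a validated inventory agent by allowlist, and carries parent-process context into the alert for triage. The field names, category patterns, the 30-second window, the three-category threshold, the allowlisted path and the sample events are all constructed assumptions, not official detection logic; the patterns illustrate the grouping and must be mapped onto your own EDR or Sysmon fields and tuned against local baselines.

```python
"""Added example, not part of the ATT&CK analytic or this page.

Groups normalized Windows telemetry by host and process, counts the distinct
discovery categories one process touches inside a sliding window, suppresses
allowlisted management tools, and keeps parent-process context for triage.
Field names, patterns, thresholds, allowlist and events are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative indicators per discovery category (assumed; map to your own EDR fields).
CATEGORY_PATTERNS = {
    "cpu_count": ("NumberOfCores", "NumberOfProcessors", "NUMBER_OF_PROCESSORS"),
    "ram_size": ("TotalPhysicalMemory", "Win32_PhysicalMemory", "GlobalMemoryStatusEx"),
    "vm_registry": ("SystemBiosVersion", "VideoBiosVersion", "VBoxGuest", "vmci"),
    "process_enum": ("tasklist", "Get-Process", "process_listing"),
}
ALLOWLIST = {r"c:\program files\invagent\agent.exe"}  # validated inventory agent (assumed path)
WINDOW = timedelta(seconds=30)  # what "rapid" means here; tune against local baselines
MIN_CATEGORIES = 3              # distinct categories required before alerting


def classify(event):
    """Map one event to a discovery category, or None if it is not a discovery check."""
    haystack = (event.get("command_line", "") + " " + event.get("target", "")).lower()
    for category, needles in CATEGORY_PATTERNS.items():
        if any(n.lower() in haystack for n in needles):
            return category
    return None


def correlate(events, window=WINDOW, min_categories=MIN_CATEGORIES, allowlist=ALLOWLIST):
    """One alert per (host, process) that hits >= min_categories distinct
    discovery categories within any window of the given length."""
    by_process = defaultdict(list)
    for e in events:
        category = classify(e)
        if category:
            key = (e["host"], e["process_guid"])
            by_process[key].append((datetime.fromisoformat(e["ts"]), category, e))
    alerts = []
    for (host, guid), hits in by_process.items():
        hits.sort(key=lambda h: h[0])
        first = hits[0][2]
        if first["image"].lower() in allowlist:
            continue  # validated tooling: keep the telemetry, do not alert
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            categories = {h[1] for h in in_window}
            if len(categories) >= min_categories:
                alerts.append({
                    "host": host, "process_guid": guid, "image": first["image"],
                    "parent_image": first.get("parent_image"),
                    "window_start": in_window[0][0].isoformat(),
                    "window_end": in_window[-1][0].isoformat(),
                    "categories": categories,
                })
                break  # one alert per process, carrying the full category set
    return alerts


def _ev(host, guid, image, parent, ts, **fields):
    return {"host": host, "process_guid": guid, "image": image,
            "parent_image": parent, "ts": ts, **fields}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
AGENT, SVC = r"C:\Program Files\InvAgent\agent.exe", r"C:\Windows\System32\services.exe"
SETUP, EXPL = r"C:\Temp\setup.exe", r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [  # constructed telemetry, not real data
    # P1: Office-spawned PowerShell runs four distinct checks within five seconds.
    _ev("WS01", "P1", PS, WORD, "2024-01-10T09:00:00",
        target=r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    _ev("WS01", "P1", PS, WORD, "2024-01-10T09:00:01", command_line="wmic cpu get NumberOfCores"),
    _ev("WS01", "P1", PS, WORD, "2024-01-10T09:00:03",
        command_line="wmic computersystem get TotalPhysicalMemory"),
    _ev("WS01", "P1", PS, WORD, "2024-01-10T09:00:05", command_line="tasklist /v"),
    # P2: the allowlisted inventory agent performs the same kind of checks; suppressed.
    _ev("WS01", "P2", AGENT, SVC, "2024-01-10T09:01:00",
        target=r"HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuest"),
    _ev("WS01", "P2", AGENT, SVC, "2024-01-10T09:01:01", command_line="wmic cpu get NumberOfCores"),
    _ev("WS01", "P2", AGENT, SVC, "2024-01-10T09:01:02",
        command_line="wmic computersystem get TotalPhysicalMemory"),
    # P3: an installer touches three categories, but minutes apart, so no window fills.
    _ev("WS02", "P3", SETUP, EXPL, "2024-01-10T09:10:00", command_line="wmic cpu get NumberOfProcessors"),
    _ev("WS02", "P3", SETUP, EXPL, "2024-01-10T09:15:00",
        command_line="wmic computersystem get TotalPhysicalMemory"),
    _ev("WS02", "P3", SETUP, EXPL, "2024-01-10T09:20:00", command_line="tasklist"),
    # An unrelated registry read, which classify() must ignore.
    _ev("WS02", "P3", SETUP, EXPL, "2024-01-10T09:20:01", target=r"HKCU\Software\Vendor\Setup\InstallDir"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the only alert is the Office-spawned PowerShell process; the agent is suppressed by the allowlist and the installer never fills a 30-second window even though it eventually touches three categories. Widening the window or clearing the allowlist turns those two into alerts, which is the tuning trade-off the list above describes: the same grouping logic produces very different fidelity depending on the window, the threshold and the suppression set chosen for your environment.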
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage can capture process, script, registry, and process-enumeration evidence needed for this analytic.
- Maintain allowlists or suppression logic for approved inventory, monitoring, deployment, and diagnostic tools after validation.
- Use incident response playbooks to triage alerts by process lineage, user context, execution location, and whether related suspicious behavior is present.
- Include this behavior in detection coverage reviews for sandbox-evasion or environment-awareness patterns, while avoiding claims that the behavior alone proves malicious activity.
Analyst notes and limits
ATT&CK provides this as detection analytic AN0478 for Windows. The official description identifies rapid system discovery checks indicative of VM detection, but no official detection implementation, tactic mapping, technique relationship, or related object context was supplied. Treat this as a behavioral analytic concept requiring local telemetry design and tuning.
The source data is sparse: no official detection text, no tactics, no relationships, no procedure examples, and no mitigation mappings were supplied. This take cannot assert active exploitation, attribution, impact, or guaranteed detection coverage. Local environment baselining is required to determine alert fidelity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 346c7e515b31… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack AN0478
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.