DET0046: Detection Strategy for T1497 Virtualization/Sandbox Evasion
Analyst context for executives and security teams
This detection strategy points to ATT&CK technique T1497, where adversary tooling checks whether it is running in a virtual machine, sandbox, or analysis environment and may hide or change behavior if it detects one. For leaders, the practical issue is not just malware analysis evasion; it is whether the SOC and IR teams can recognize when suspicious software is trying to avoid scrutiny, because that can delay containment and reduce confidence in automated detonation results.
Executive priority
Prioritize this as a validation question for SOC and incident response readiness: do investigations rely too heavily on sandbox output, and can teams identify evasion behavior on real endpoints across Windows, macOS, and Linux environments? This matters for business continuity because evasive malware can reduce early warning, complicate triage, and create gaps in evidence used for incident decisions, audit reporting, and control assurance.
Technical view
The supplied ATT&CK object has no official detection text and no platforms of its own, but it detects T1497 Virtualization/Sandbox Evasion, which ATT&CK places under the Defense Evasion and Discovery tactics on Linux, macOS, and Windows. Detection engineering should therefore validate visibility into behaviors that indicate environmental discovery or analysis-evasion logic, and should correlate those signals with the surrounding process, file, and execution context rather than treating sandbox non-detonation as evidence that a sample is benign.
Likely telemetry
- Endpoint process creation and command-line telemetry
- Operating system discovery activity related to host, hardware, virtualization, or environment artifacts
- File, registry, configuration, or system metadata queries that may reveal analysis or virtualized environments
- Sandbox and malware detonation logs, including samples that terminate early or change behavior
- EDR alerts and investigation timelines from Windows, macOS, and Linux endpoints where available
Detection direction
- Validate whether sandbox results are supplemented with endpoint telemetry from real systems; evasive behavior can make detonation-only conclusions unreliable.
- Look for suspicious environmental discovery patterns in context, especially when followed by process exit, delayed execution, reduced functionality, or failure to drop additional payloads.
- Tune detections to avoid over-alerting on legitimate virtualization-aware software, administrative tools, asset inventory, QA tooling, and security products.
- Use the relationship to T1497 as the analytic anchor: coverage should map to virtualization or sandbox checks used for defense evasion or discovery, not generic discovery alone.
- Document platform-specific visibility gaps for Linux, macOS, and Windows because the detection strategy object itself does not provide implementation guidance.
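The detection direction above boils down to one correlation: a virtualization or sandbox check, followed by the parent doing nothing further and exiting. The script below is an added example written for this page, not Glexia or MITRE code, and it runs over constructed process and file telemetry rather than any real EDR export. The event schema (ts, event, pid, ppid, image, cmdline, path), the ten-second window, and the allowlisted parent image names are assumptions to tune per environment; the command patterns are well-known virtualization-discovery commands on Windows, Linux, and macOS, but the list is illustrative, not exhaustive.

```python
"""Correlate virtualization/sandbox-discovery commands with early parent exit.

Added example for the T1497 detection direction on this page; constructed events,
assumed schema, placeholder allowlist. Not Glexia or MITRE code.
"""
import re
from collections import defaultdict

# Commands whose output reveals hypervisor or sandbox artifacts. Matching one of these
# is only discovery; the evasion signal is what the parent does (or fails to do) next.
VIRT_DISCOVERY_PATTERNS = [
    # Windows
    re.compile(r"wmic\s+(computersystem|bios|baseboard)\s+get", re.I),
    re.compile(r"Win32_(ComputerSystem|BIOS|BaseBoard)", re.I),
    re.compile(r"reg(\.exe)?\s+query\s+.*HARDWARE\\DESCRIPTION\\System", re.I),
    re.compile(r"\bsysteminfo(\.exe)?\b", re.I),
    # Linux
    re.compile(r"systemd-detect-virt", re.I),
    re.compile(r"\bdmidecode\b", re.I),
    re.compile(r"\blscpu\b|grep\s+-i\s+hypervisor\s+/proc/cpuinfo", re.I),
    # macOS
    re.compile(r"sysctl\s+(-n\s+)?(hw\.model|machdep\.cpu)", re.I),
    re.compile(r"\bioreg\s+-l", re.I),
]

# Parent images that legitimately run these checks (asset inventory, QA, security agents).
# Placeholder names, an assumption; replace with the images seen in your own baseline.
ALLOWLIST_PARENT_IMAGES = {"inventory-agent", "osqueryd", "qa-runner"}

WINDOW_SECONDS = 10.0  # exit this soon after a check is suspicious; assumed, tune locally


def is_virt_discovery(cmdline: str) -> bool:
    return any(p.search(cmdline) for p in VIRT_DISCOVERY_PATTERNS)


def find_evasion_candidates(events, window=WINDOW_SECONDS):
    """One finding per non-allowlisted parent that spawned a virtualization check and
    then exited within `window` seconds with no further children or file writes."""
    events = sorted(events, key=lambda e: e["ts"])
    procs = {}                    # pid -> process_create event
    children = defaultdict(list)  # ppid -> [process_create events]
    activity = defaultdict(list)  # pid -> [(ts, description)] of non-discovery follow-on
    exits = {}                    # pid -> process_exit event
    for e in events:
        if e["event"] == "process_create":
            procs[e["pid"]] = e
            children[e["ppid"]].append(e)
            if not is_virt_discovery(e["cmdline"]):
                activity[e["ppid"]].append((e["ts"], "child:" + e["image"]))
        elif e["event"] == "file_create":
            activity[e["pid"]].append((e["ts"], "file:" + e["path"]))
        elif e["event"] == "process_exit":
            exits[e["pid"]] = e

    findings = []
    for pid, proc in procs.items():
        if proc["image"] in ALLOWLIST_PARENT_IMAGES:
            continue
        checks = [c for c in children[pid] if is_virt_discovery(c["cmdline"])]
        if not checks:
            continue
        first_check_ts = checks[0]["ts"]
        exit_ev = exits.get(pid)
        follow_on = [a for a in activity[pid] if a[0] >= first_check_ts]
        if exit_ev and exit_ev["ts"] - first_check_ts <= window and not follow_on:
            findings.append({
                "pid": pid,
                "image": proc["image"],
                "checks": [c["cmdline"] for c in checks],
                "exit_after_check_s": round(exit_ev["ts"] - first_check_ts, 1),
            })
    return findings


# Constructed telemetry: one evasive sample, one allowlisted agent, one installer that
# checks and keeps working, and one sample that checks and then drops a file.
SAMPLE_EVENTS = [
    {"ts": 100.0, "event": "process_create", "pid": 1000, "ppid": 1, "image": "invoice.exe", "cmdline": "invoice.exe"},
    {"ts": 101.0, "event": "process_create", "pid": 1001, "ppid": 1000, "image": "wmic.exe", "cmdline": "wmic computersystem get manufacturer,model"},
    {"ts": 101.5, "event": "process_exit", "pid": 1001},
    {"ts": 102.0, "event": "process_exit", "pid": 1000},
    {"ts": 200.0, "event": "process_create", "pid": 2000, "ppid": 1, "image": "inventory-agent", "cmdline": "inventory-agent --scan"},
    {"ts": 201.0, "event": "process_create", "pid": 2001, "ppid": 2000, "image": "dmidecode", "cmdline": "dmidecode -s system-product-name"},
    {"ts": 202.0, "event": "process_exit", "pid": 2000},
    {"ts": 300.0, "event": "process_create", "pid": 3000, "ppid": 1, "image": "setup.exe", "cmdline": "setup.exe"},
    {"ts": 301.0, "event": "process_create", "pid": 3001, "ppid": 3000, "image": "systeminfo.exe", "cmdline": "systeminfo"},
    {"ts": 302.0, "event": "process_create", "pid": 3002, "ppid": 3000, "image": "installer.exe", "cmdline": "installer.exe /quiet"},
    {"ts": 400.0, "event": "process_exit", "pid": 3000},
    {"ts": 500.0, "event": "process_create", "pid": 4000, "ppid": 1, "image": "dropper", "cmdline": "./dropper"},
    {"ts": 501.0, "event": "process_create", "pid": 4001, "ppid": 4000, "image": "systemd-detect-virt", "cmdline": "systemd-detect-virt"},
    {"ts": 502.0, "event": "file_create", "pid": 4000, "path": "/tmp/.stage2"},
    {"ts": 503.0, "event": "process_exit", "pid": 4000},
]

if __name__ == "__main__":
    for finding in find_evasion_candidates(SAMPLE_EVENTS):
        print(finding)
```

Only invoice.exe (pid 1000) is reported: the inventory agent is allowlisted, setup.exe went on to launch an installer, and the dropper wrote a file after its check. That last case is deliberately not flagged by this rule; a payload dropped only after a successful virtualization check is a different conditional-behavior signal and deserves its own logic rather than being folded into the early-exit rule.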
Mitigation priorities
- Reduce dependence on a single analysis method by combining sandbox analysis, endpoint telemetry, and incident responder review.
- Ensure EDR or equivalent endpoint logging is enabled and retained for the operating systems in scope: Windows, macOS, and Linux where applicable.
- Create investigation playbooks that treat early termination or behavior suppression in sandboxes as inconclusive rather than benign.
- Use threat-informed testing to verify whether existing SOC content can surface virtualization or sandbox-evasion indicators without excessive false positives.
- Maintain evidence of telemetry coverage and analytic assumptions for compliance and post-incident review.
Analyst notes and limits
This object is a MITRE detection strategy for DET0046 and is linked to T1497 Virtualization/Sandbox Evasion. The ATT&CK fields supplied do not include an official description or official detection logic for the detection strategy itself, so this take is framed around the related technique, its tactics (Defense Evasion and Discovery), and its related platforms.
No active exploitation, attribution, procedure examples, data sources, mitigations, or official detection analytics were supplied. Local environment baselines are required to determine which virtualization-aware behaviors are normal, suspicious, or covered by existing tools.
Detection Strategy for T1497 Virtualization/Sandbox Evasion
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1497 | Virtualization/Sandbox Evasion | This object detects Virtualization/Sandbox Evasion. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2a1a607531f1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack DET0046 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.