T1497.002: User Activity Based Checks
Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.[1]
Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks [2], browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro [3] or waiting for a user to double click on an embedded image to activate.[4]
Analyst context for executives and security teams
User Activity Based Checks matter because malware can decide whether to reveal itself based on whether a system looks like a real employee workstation. Instead of only checking for virtual machine artifacts, the behavior looks for signs such as mouse activity, browser history, files in common user folders, or required user interaction before activating. This can make sandbox results, malware detonation, and incident triage misleading if the analysis environment lacks realistic user activity.
Executive priority
Treat this as a validation issue for SOC and incident response readiness, not just a malware feature. Leaders should ask whether malware analysis, email detonation, endpoint monitoring, and IR playbooks can handle samples that remain quiet until realistic user behavior appears. The business risk is delayed detection or incomplete assessment of a suspected intrusion, especially where decisions depend on sandbox verdicts or automated analysis evidence.
Technical view
This is a Linux, macOS, and Windows sub-technique of Virtualization/Sandbox Evasion under stealth and discovery. Defenders should validate whether analysis environments and endpoint telemetry can expose attempts to inspect user activity indicators such as input behavior, browser artifacts, cache/bookmarks, desktop or home directory contents, and activation conditions tied to document closure or embedded-object interaction. ATT&CK provides no official detection text, but the relationship to DET0420 indicates a detection strategy focused on input and artifact probing. Related ATT&CK context also shows usage by Darkhotel and FIN7 and by software including Cobalt Strike, Okrum, Spark, TONESHELL, and ROAMINGHOUSE, so testing should include both commodity/adversary-emulation tooling and malware-analysis workflows where applicable.
Likely telemetry
- Endpoint process and file-system activity around user-profile, home, desktop, browser history, cache, and bookmark locations
- Process behavior and API/event evidence related to mouse movement, clicks, or other input-state checks where available
- Office/document execution telemetry, including macro activation timing and behavior after document close or user interaction
- Sandbox and malware detonation logs showing environmental checks, delayed execution, or no-action outcomes
- EDR telemetry for payload staging decisions after local discovery of user or environment artifacts
Detection direction
- Do not rely only on a clean sandbox verdict; validate whether the sandbox simulates realistic user activity and populated user artifacts.
- Tune detections for suspicious combinations of input-state checks, browser/user-profile artifact enumeration, and delayed payload behavior rather than treating any single artifact access as malicious.
- Compare behavior in automated detonation, interactive analysis, and real endpoint telemetry to identify samples that disengage in analysis environments.
- Use the DET0420 relationship as a direction to test input and artifact probing logic, while recognizing that the official ATT&CK object does not provide detailed detection analytics.
- Account for false positives from legitimate software that reads browser data, recent files, desktop contents, or input state for usability features.
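The combination logic described in the detection direction above, as an added example that is not part of the ATT&CK object or the Glexia analysis. It assumes a hypothetical flat endpoint event schema (timestamp, pid, image, kind, detail) and uses constructed sample events; treating the Win32 input-state APIs GetLastInputInfo, GetCursorPos and GetAsyncKeyState as indicators, the artifact path patterns, the staging directories and the allowlist are all illustrative assumptions to be tuned per environment:

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed indicator sets (illustrative, not from ATT&CK): input-state APIs, user-artifact
# paths, and staging locations. Tune these to the telemetry actually available locally.
INPUT_APIS = {"GetLastInputInfo", "GetCursorPos", "GetAsyncKeyState"}
USER_ARTIFACT = re.compile(r"(History|Bookmarks|Cache|Recent|\\Desktop|/\.mozilla/|/Desktop)", re.I)
STAGING_DIR = re.compile(r"(\\Temp\\|\\ProgramData\\|/tmp/)", re.I)
DELAY_SECONDS = 120  # staging this long after the first probe looks like "check, wait, then drop"
# Legitimate software expected to read these artifacts or poll input state (false-positive control)
ALLOWLIST = {"chrome.exe": {"artifact_probe"}, "backup_agent.exe": {"artifact_probe", "input_check"}}

# Constructed sample events, not real telemetry: (timestamp, pid, image, kind, detail)
EVENTS = [
    ("2024-05-01T09:00:00", 4242, "invoice_viewer.exe", "api", "GetLastInputInfo"),
    ("2024-05-01T09:00:01", 4242, "invoice_viewer.exe", "file_read",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"),
    ("2024-05-01T09:00:02", 4242, "invoice_viewer.exe", "dir_enum", r"C:\Users\alice\Desktop"),
    ("2024-05-01T09:06:30", 4242, "invoice_viewer.exe", "file_write", r"C:\Users\alice\AppData\Local\Temp\stage2.dll"),
    ("2024-05-01T09:00:00", 5100, "chrome.exe", "file_read",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"),
    ("2024-05-01T09:00:00", 6001, "backup_agent.exe", "dir_enum", r"C:\Users\alice\Desktop"),
    ("2024-05-01T09:00:00", 6001, "backup_agent.exe", "api", "GetLastInputInfo"),
]

def classify(kind, detail):
    """Map one event to an indicator category, or None if it is not of interest."""
    if kind == "api" and detail in INPUT_APIS:
        return "input_check"
    if kind in ("file_read", "dir_enum") and USER_ARTIFACT.search(detail):
        return "artifact_probe"
    if kind in ("file_write", "process_create") and STAGING_DIR.search(detail):
        return "staging"
    return None

def correlate(events):
    """Flag processes that combine input-state checks, user-artifact probing and delayed staging."""
    procs = defaultdict(lambda: {"image": "", "cats": set(), "first_probe": None, "staged": None})
    for ts, pid, image, kind, detail in sorted(events):
        cat = classify(kind, detail)
        if cat is None:
            continue
        t, p = datetime.fromisoformat(ts), procs[pid]
        p["image"] = image
        if cat == "staging":
            p["staged"] = p["staged"] or t          # keep the earliest staging write
        else:
            p["cats"].add(cat)
            p["first_probe"] = p["first_probe"] or t
    alerts = []
    for pid, p in procs.items():
        cats = p["cats"] - ALLOWLIST.get(p["image"], set())  # drop behaviour expected of that image
        if p["staged"] and p["first_probe"] and (p["staged"] - p["first_probe"]).total_seconds() >= DELAY_SECONDS:
            cats.add("delayed_staging")
        if len(cats) >= 2:  # a single artifact access alone is never enough to alert
            alerts.append({"pid": pid, "image": p["image"], "indicators": sorted(cats)})
    return alerts
```

Run over the sample, only the document viewer that polled input state, read browser history, enumerated the desktop and then wrote to Temp minutes later is flagged; the browser reading its own history and the allowlisted backup agent are not.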
Mitigation priorities
- Prioritize resilience of analysis workflows: use detonation environments with realistic user artifacts and, where appropriate, controlled interaction instead of fully sterile sandboxes.
- Ensure IR procedures require endpoint evidence review when sandbox behavior is absent, delayed, or inconsistent with the delivery context.
- Maintain endpoint visibility into user-profile and document execution behavior across Linux, macOS, and Windows where those platforms are in scope.
- For email and document-borne investigations, preserve artifacts and execution context so analysts can test activation conditions safely.
- Use threat-informed validation to confirm whether managed detection, malware analysis, and SOC triage can identify sandbox-evasion discovery before secondary payload decisions.
Analyst notes and limits
The material decision point is confidence in analysis results. This technique can cause defenders to under-estimate suspicious files if the environment lacks normal user behavior or artifacts. Relationship context supports relevance to known groups and software, but those relationships should be used for detection validation and threat-model prioritization, not as proof of current activity in any environment.
Official ATT&CK detection guidance is not provided for this object. The supplied data supports platforms, tactics, description, external references, and relationships, but not specific logs, API names, vendor detections, exploitation prevalence, or guaranteed coverage. Local telemetry, sandbox configuration, and endpoint control evidence are required to assess exposure.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1497 | Virtualization/Sandbox Evasion | This object is a sub-technique of Virtualization/Sandbox Evasion. |
Groups, software, and campaigns
G0012: Darkhotel
Darkhotel is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group's name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. Darkhotel has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.[1][2][3]
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
S0439: Okrum
S1239: TONESHELL
S0543: Spark
S9026: ROAMINGHOUSE
ROAMINGHOUSE is a dropper malware used by MirrorFace to extract and execute embedded payloads including UPPERCUT components.[1]
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 261f9fe20d73… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Deloitte Environment Awareness. Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved September 13, 2024.
[2] Sans Virtual Jan 2016. Keragala, D. (2016, January 16). Detecting Malware and Sandbox Evasion Techniques. Retrieved April 17, 2019.
[3] Unit 42 Sofacy Nov 2018. Falcone, R. & Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
[4] FireEye FIN7 April 2017. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
[5] mitre-attack T1497.002
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.