1. Home
  2. Techniques
  3. Enterprise
  4. Virtualization/Sandbox Evasion
  5. User Activity Based Checks

Virtualization/Sandbox Evasion: User Activity Based Checks

ID Name
T1497.001 System Checks
T1497.002 User Activity Based Checks
T1497.003 Time Based Checks

Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.[1]

Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks [2] , browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro [3] or waiting for a user to double click on an embedded image to activate.[4]

ID: T1497.002
Sub-technique of:  T1497
Tactics: Defense Evasion, Discovery
Platforms: Linux, Windows, macOS
Contributors: Deloitte Threat Library Team
Version: 1.2
Created: 06 March 2020
Last Modified: 24 October 2025
Version Permalink

Procedure Examples

ID Name Description
G0012 Darkhotel

Darkhotel has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.[5]
G0046 FIN7

FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.[4]
S0439 Okrum

Okrum loader only executes the payload after the left mouse button has been pressed at least three times, in order to avoid being executed within virtualized or emulated environments.[6]

S0543 Spark

Spark has used a splash screen to check whether an user actively clicks on the screen before running malicious code.[7]

S1239 TONESHELL

TONESHELL has leveraged GetForegroundWindow to detect virtualization or sandboxes by calling the API twice and comparing each window handle.[8]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0420 Detect User Activity Based Sandbox Evasion via Input & Artifact Probing AN1182

Process execution that probes user activity artifacts (e.g., desktop files, registry history) following recent user login/unlock events.
AN1183

Access to shell history or GUI input state (xdotool, xinput) for presence validation prior to payload execution.
AN1184

API usage or filesystem access revealing user state or browser artifacts (e.g., Safari bookmarks, CGEventState).

References

  1. Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved September 13, 2024.
  2. Keragala, D. (2016, January 16). Detecting Malware and Sandbox Evasion Techniques. Retrieved April 17, 2019.
  3. Falcone, R., Lee, B.. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
  4. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  1. Arunpreet Singh, Clemens Kolbitsch. (2015, November 5). Defeating Darkhotel Just-In-Time Decryption. Retrieved April 15, 2021.
  2. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  3. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
  4. Nick Dai, Vickie Su, Sunny Lu. (2022, November 18). Earth Preta Spear-Phishing Governments Worldwide. Retrieved August 4, 2025.