Virtualization/Sandbox Evasion: Time Based Evasion

Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.

Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: Scheduled Task/Job). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled Multi-Stage Channels to avoid analysis and scrutiny.

ID: T1497.003
Sub-technique of:  T1497
Tactics: Defense Evasion, Discovery
Platforms: Linux, Windows, macOS
Data Sources: Process command-line parameters, Process monitoring
Defense Bypassed: Anti-virus, Host forensic analysis, Signature-based detection, Static File Analysis
Contributors: Deloitte Threat Library Team
Version: 1.0
Created: 06 March 2020
Last Modified: 01 July 2020

Procedure Examples

Name Description
Okrum

Okrum's loader can detect presence of an emulator by using two calls to GetTickCount API, and checking whether the time has been accelerated.[2]

Pony

Pony has delayed execution using a built-in function to avoid detection and analysis.[3]

Ursnif

Ursnif has used a 30 minute delay after execution to evade sandbox monitoring tools.[1]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

Time-based evasion will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

References