MITRE ATT&CK Technique
Defense Evasion T1497.002
Description

Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors. (Citation: Deloitte Environment Awareness)

Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks (Citation: Sans Virtual Jan 2016), browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double click on an embedded image to activate. (Citation: FireEye FIN7 April 2017)
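From the defender's side, as an added example that is not MITRE's code and not taken from any of the cited reports: a small audit that measures an analysis VM against the user-activity signals named above (file counts in the home and Desktop directories, browser history artifacts, cursor movement), so that a sandbox image that would look barren under these checks can be populated before a sample is detonated. The thresholds, the `ActivitySnapshot` structure and the finding names are assumptions; the browser history paths are the usual Chrome and Firefox profile locations. Cursor samples are supplied by the caller because sampling them is platform-specific.

```python
# Added example (not MITRE's code): audit an analysis VM for the user-activity
# signals this sub-technique keys on, so a defender can see whether a sandbox
# image looks too barren. Thresholds and finding names are assumptions.
import os
from dataclasses import dataclass
from pathlib import Path
from typing import List, Sequence, Tuple

# Illustrative thresholds (assumptions, not values from ATT&CK).
MIN_DESKTOP_FILES = 5
MIN_HOME_FILES = 50
MIN_DISTINCT_CURSOR_POSITIONS = 3
FILE_COUNT_CAP = 10_000  # stop walking very large trees once the cap is reached

# Common browser history locations, relative to the user's home directory.
BROWSER_HISTORY_PATTERNS = (
    ".config/google-chrome/Default/History",                          # Chrome, Linux
    "Library/Application Support/Google/Chrome/Default/History",      # Chrome, macOS
    "AppData/Local/Google/Chrome/User Data/Default/History",          # Chrome, Windows
    ".mozilla/firefox/*/places.sqlite",                               # Firefox, Linux
    "Library/Application Support/Firefox/Profiles/*/places.sqlite",   # Firefox, macOS
    "AppData/Roaming/Mozilla/Firefox/Profiles/*/places.sqlite",       # Firefox, Windows
)


@dataclass
class ActivitySnapshot:
    """What the audit observed about the image (hypothetical structure)."""
    desktop_file_count: int
    home_file_count: int
    browser_history_present: bool
    cursor_positions: Sequence[Tuple[int, int]]  # (x, y) sampled over time by the caller


def count_files(root: Path, cap: int = FILE_COUNT_CAP) -> int:
    """Count regular files under root, stopping early once cap is reached."""
    if not root.is_dir():
        return 0
    total = 0
    for _dirpath, _dirnames, filenames in os.walk(root):
        total += len(filenames)
        if total >= cap:
            return cap
    return total


def has_browser_history(home: Path) -> bool:
    """True if any of the known browser history databases exists under home."""
    return any(next(home.glob(p), None) is not None for p in BROWSER_HISTORY_PATTERNS)


def cursor_moved(positions: Sequence[Tuple[int, int]]) -> bool:
    """A cursor that sat on one or two spots for the whole sample looks idle."""
    return len(set(positions)) >= MIN_DISTINCT_CURSOR_POSITIONS


def assess(snapshot: ActivitySnapshot) -> List[str]:
    """Return the signals on which this image would look like a sandbox."""
    findings: List[str] = []
    if snapshot.desktop_file_count < MIN_DESKTOP_FILES:
        findings.append("few_desktop_files")
    if snapshot.home_file_count < MIN_HOME_FILES:
        findings.append("few_home_files")
    if not snapshot.browser_history_present:
        findings.append("no_browser_history")
    if not cursor_moved(snapshot.cursor_positions):
        findings.append("no_cursor_movement")
    return findings


def collect_snapshot(home: Path, cursor_positions: Sequence[Tuple[int, int]]) -> ActivitySnapshot:
    """Gather the filesystem signals from a real home directory; cursor samples come from the caller."""
    return ActivitySnapshot(
        desktop_file_count=count_files(home / "Desktop"),
        home_file_count=count_files(home),
        browser_history_present=has_browser_history(home),
        cursor_positions=cursor_positions,
    )


if __name__ == "__main__":
    # Cursor sampling is platform-specific (for example GetCursorPos via ctypes on
    # Windows); a constructed, idle sample is used here so the script runs anywhere.
    constructed_sample = [(100, 100), (100, 100), (100, 100)]
    snap = collect_snapshot(Path.home(), constructed_sample)
    for finding in assess(snap):
        print("sandbox-like signal:", finding)
```

Run it inside the analysis VM under the account that will open samples; each finding names one of the signals from the description that the image currently fails, and an empty result means the image clears these particular checks.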

Supported Platforms
Linux, Windows, macOS
Created

April 29, 2026

Last Updated

April 29, 2026

STIX Data
{'created': '2020-03-06T21:04:12.454Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': 'Adversaries may employ various user activity checks to detect '
                'and avoid virtualization and analysis environments. This may '
                'include changing behaviors based on the results of checks for '
                'the presence of artifacts indicative of a virtual machine '
                'environment (VME) or sandbox. If the adversary detects a VME, '
                'they may alter their malware to disengage from the victim or '
                'conceal the core functions of the implant. They may also '
                'search for VME artifacts before dropping secondary or '
                'additional payloads. Adversaries may use the information '
                'learned from [Virtualization/Sandbox '
                'Evasion](https://attack.mitre.org/techniques/T1497) during '
                'automated discovery to shape follow-on behaviors.(Citation: '
                'Deloitte Environment Awareness)\n'
                '\n'
                'Adversaries may search for user activity on the host based on '
                'variables such as the speed/frequency of mouse movements and '
                'clicks (Citation: Sans Virtual Jan 2016) , browser history, '
                'cache, bookmarks, or number of files in common directories '
                'such as home or the desktop. Other methods may rely on '
                'specific user interaction with the system before the '
                'malicious code is activated, such as waiting for a document '
                'to close before activating a macro (Citation: Unit 42 Sofacy '
                'Nov 2018) or waiting for a user to double click on an '
                'embedded image to activate.(Citation: FireEye FIN7 April '
                '2017) ',
 'external_references': [{'external_id': 'T1497.002',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/techniques/T1497/002'},
                         {'description': 'Carr, N., et al. (2017, April 24). '
                                         'FIN7 Evolution and the Phishing LNK. '
                                         'Retrieved April 24, 2017.',
                          'source_name': 'FireEye FIN7 April 2017',
                          'url': 'https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html'},
                         {'description': 'Falcone, R., Lee, B.. (2018, '
                                         'November 20). Sofacy Continues '
                                         'Global Attacks and Wheels Out New '
                                         '‘Cannon’ Trojan. Retrieved April 23, '
                                         '2019.',
                          'source_name': 'Unit 42 Sofacy Nov 2018',
                          'url': 'https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/'},
                         {'description': 'Keragala, D. (2016, January 16). '
                                         'Detecting Malware and Sandbox '
                                         'Evasion Techniques. Retrieved April '
                                         '17, 2019.',
                          'source_name': 'Sans Virtual Jan 2016',
                          'url': 'https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667'},
                         {'description': 'Torello, A. & Guibernau, F. (n.d.). '
                                         'Environment Awareness. Retrieved '
                                         'September 13, 2024.',
                          'source_name': 'Deloitte Environment Awareness',
                          'url': 'https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc/edit'}],
 'id': 'attack-pattern--91541e7e-b969-40c6-bbd8-1b5352ec2938',
 'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
                        'phase_name': 'defense-evasion'},
                       {'kill_chain_name': 'mitre-attack',
                        'phase_name': 'discovery'}],
 'modified': '2025-10-24T17:49:06.305Z',
 'name': 'User Activity Based Checks',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'attack-pattern',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_contributors': ['Deloitte Threat Library Team'],
 'x_mitre_deprecated': False,
 'x_mitre_detection': '',
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_is_subtechnique': True,
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_platforms': ['Linux', 'Windows', 'macOS'],
 'x_mitre_version': '1.2'}
Related Threat Actors (2)
FIN7
High

Darkhotel
High