npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
NIST CSF 2.0
Overview
Sandbox evasion (MITRE ATT&CK T1497) allows malware to detect analysis environments and alter behavior to avoid detection. This skill analyzes behavioral reports from Cuckoo Sandbox and AnyRun for evasion indicators including timing-based checks (GetTickCount, QueryPerformanceCounter, sleep inflation), VM artifact detection (registry keys, MAC address prefixes, process names like vmtoolsd.exe), user interaction checks (mouse movement, keyboard input), and environment fingerprinting (disk size, CPU count, RAM). Detection rules flag samples exhibiting these behaviors for deeper manual analysis.
When to Use
- When investigating security incidents that require analyzing malware sandbox evasion techniques
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Cuckoo Sandbox 2.0+ or AnyRun account for behavioral analysis reports
- Python 3.8+ with json library for report parsing
- Behavioral report exports in JSON format
Steps
- Parse Cuckoo/AnyRun behavioral report JSON files
- Extract API call sequences for timing-related functions
- Identify VM artifact detection via registry queries and WMI calls
- Detect sleep inflation by comparing requested vs actual sleep durations
- Flag user interaction checks (GetCursorPos, GetAsyncKeyState patterns)
- Score evasion sophistication based on technique count and diversity
- Map detected techniques to MITRE ATT&CK T1497 sub-techniques
Expected Output
JSON report listing detected evasion techniques with MITRE ATT&CK mapping, API call evidence, evasion sophistication score, and classification of evasion categories (timing, VM detection, user interaction, environment fingerprinting).
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md2.0 KB
Malware Sandbox Evasion Techniques API Reference
MITRE ATT&CK T1497 Sub-techniques
| Sub-technique | ID | Evasion Method |
|---|---|---|
| System Checks | T1497.001 | VM artifacts, registry keys, MAC prefixes, process names |
| User Activity Based Checks | T1497.002 | Mouse movement, keyboard input, foreground window |
| Time Based Evasion | T1497.003 | GetTickCount, sleep inflation, RDTSC timing |
Cuckoo Sandbox Report JSON Structure
API Call Format
{
"behavior": {
"processes": [
{
"process_name": "malware.exe",
"pid": 1234,
"calls": [
{
"api": "GetTickCount",
"category": "system",
"arguments": {},
"return": "123456789"
}
]
}
]
}
}Timing API Indicators
| API | Purpose | Evasion Use |
|---|---|---|
| GetTickCount / GetTickCount64 | System uptime in ms | Check if uptime < 20min (sandbox) |
| QueryPerformanceCounter | High-res timer | Measure sleep accuracy |
| GetSystemTimeAsFileTime | System time | Detect time acceleration |
| NtQuerySystemTime | Kernel time query | Compare with user-mode time |
| RDTSC | CPU timestamp counter | Detect VM overhead in timing |
VM Artifact Indicators
Registry Keys
HKLM\SOFTWARE\VMware, Inc.\VMware Tools
HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
HKLM\HARDWARE\ACPI\DSDT\VBOX__
HKLM\SYSTEM\CurrentControlSet\Services\VBoxGuestVM Process Names
vmtoolsd.exe, vmwaretray.exe # VMware
vboxservice.exe, vboxtray.exe # VirtualBox
qemu-ga.exe # QEMU
prl_tools.exe # ParallelsVM MAC Address Prefixes
00:0C:29 VMware
00:50:56 VMware
08:00:27 VirtualBox
00:1C:42 Parallels
52:54:00 QEMU/KVMAnyRun Report API
Get Report
GET https://api.any.run/v1/analysis/{task_id}
Authorization: API-Key <key>CLI Usage
python agent.py --report cuckoo_report.json --output evasion_report.json
python agent.py --report report.json --min-sleep-ms 30000Scripts 1
agent.py7.9 KB
#!/usr/bin/env python3
"""Analyze malware sandbox evasion techniques from Cuckoo/AnyRun behavioral reports."""
import json
import argparse
from datetime import datetime
TIMING_APIS = {
"GetTickCount", "GetTickCount64", "QueryPerformanceCounter",
"QueryPerformanceFrequency", "GetSystemTimeAsFileTime", "NtQuerySystemTime",
"timeGetTime", "GetLocalTime", "GetSystemTime",
}
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution", "WaitForSingleObject"}
VM_REGISTRY_KEYS = [
"HKLM\\SOFTWARE\\VMware", "HKLM\\SOFTWARE\\Oracle\\VirtualBox",
"HKLM\\HARDWARE\\ACPI\\DSDT\\VBOX", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest",
"HKLM\\SOFTWARE\\Microsoft\\Virtual Machine\\Guest\\Parameters",
"HKLM\\HARDWARE\\Description\\System\\SystemBiosVersion",
]
VM_PROCESSES = {
"vmtoolsd.exe", "vmwaretray.exe", "vboxservice.exe", "vboxtray.exe",
"qemu-ga.exe", "vmusrvc.exe", "prl_tools.exe", "xenservice.exe",
"windanr.exe", "vdagent.exe",
}
VM_MAC_PREFIXES = ["00:0C:29", "00:50:56", "08:00:27", "00:1C:42", "00:16:3E", "52:54:00"]
USER_INTERACTION_APIS = {
"GetCursorPos", "GetAsyncKeyState", "GetForegroundWindow",
"GetLastInputInfo", "mouse_event", "keybd_event",
}
WMI_EVASION_QUERIES = [
"Win32_ComputerSystem", "Win32_BIOS", "Win32_DiskDrive",
"Win32_PhysicalMemory", "Win32_Processor",
]
def parse_cuckoo_report(filepath):
"""Parse a Cuckoo Sandbox behavioral report JSON."""
with open(filepath) as f:
report = json.load(f)
behavior = report.get("behavior", {})
api_calls = []
for process in behavior.get("processes", []):
for call in process.get("calls", []):
api_calls.append({
"api": call.get("api", ""),
"category": call.get("category", ""),
"arguments": call.get("arguments", {}),
"return": call.get("return", ""),
"process_name": process.get("process_name", ""),
"pid": process.get("pid", 0),
})
return api_calls, report
def detect_timing_checks(api_calls):
"""Detect timing-based sandbox evasion via GetTickCount, QPC, etc."""
findings = []
timing_count = 0
for call in api_calls:
if call["api"] in TIMING_APIS:
timing_count += 1
if timing_count >= 3:
findings.append({
"technique": "Timing-Based Evasion",
"mitre_id": "T1497.003",
"api_count": timing_count,
"apis_used": list({c["api"] for c in api_calls if c["api"] in TIMING_APIS}),
"severity": "high",
"description": f"{timing_count} timing API calls detected; malware may be measuring execution time to detect sandbox acceleration",
})
return findings
def detect_sleep_inflation(api_calls, min_sleep_ms=60000):
"""Detect sleep calls with long durations used to evade sandbox time limits."""
findings = []
for call in api_calls:
if call["api"] not in SLEEP_APIS:
continue
ms = 0
args = call.get("arguments", {})
if isinstance(args, dict):
ms = int(args.get("Milliseconds", args.get("milliseconds", 0)))
elif isinstance(args, list):
for a in args:
if isinstance(a, dict) and a.get("name", "").lower() == "milliseconds":
ms = int(a.get("value", 0))
if ms >= min_sleep_ms:
findings.append({
"technique": "Sleep Inflation",
"mitre_id": "T1497.003",
"api": call["api"],
"sleep_ms": ms,
"sleep_seconds": ms / 1000,
"process": call["process_name"],
"severity": "high",
"description": f"Sleep call of {ms / 1000:.0f}s detected; likely delaying execution to outlast sandbox analysis window",
})
return findings
def detect_vm_artifact_checks(api_calls):
"""Detect VM artifact queries (registry, processes, MAC addresses)."""
findings = []
for call in api_calls:
args_str = json.dumps(call.get("arguments", "")).lower()
for reg_key in VM_REGISTRY_KEYS:
if reg_key.lower() in args_str:
findings.append({
"technique": "VM Registry Artifact Check",
"mitre_id": "T1497.001",
"registry_key": reg_key,
"api": call["api"],
"severity": "high",
})
break
for wmi_query in WMI_EVASION_QUERIES:
if wmi_query.lower() in args_str:
findings.append({
"technique": "WMI Environment Fingerprinting",
"mitre_id": "T1497.001",
"wmi_class": wmi_query,
"api": call["api"],
"severity": "medium",
})
break
return findings
def detect_user_interaction_checks(api_calls):
"""Detect checks for user interaction (mouse, keyboard, foreground window)."""
interaction_apis = [c for c in api_calls if c["api"] in USER_INTERACTION_APIS]
if len(interaction_apis) >= 2:
return [{
"technique": "User Interaction Detection",
"mitre_id": "T1497.002",
"api_count": len(interaction_apis),
"apis_used": list({c["api"] for c in interaction_apis}),
"severity": "medium",
"description": "Malware checks for user input to determine if running in automated sandbox",
}]
return []
def score_evasion_sophistication(all_findings):
"""Score evasion sophistication based on technique diversity."""
technique_ids = {f["mitre_id"] for f in all_findings}
categories = {f["technique"].split()[0] for f in all_findings}
score = min(len(all_findings) * 10 + len(technique_ids) * 15 + len(categories) * 10, 100)
level = "low" if score < 30 else "medium" if score < 60 else "high"
return {"score": score, "level": level, "unique_techniques": len(technique_ids), "total_indicators": len(all_findings)}
def main():
parser = argparse.ArgumentParser(description="Sandbox Evasion Technique Analyzer")
parser.add_argument("--report", required=True, help="Path to Cuckoo/AnyRun behavioral report JSON")
parser.add_argument("--min-sleep-ms", type=int, default=60000, help="Minimum sleep duration to flag (ms)")
parser.add_argument("--output", default="evasion_analysis_report.json", help="Output report path")
args = parser.parse_args()
api_calls, raw_report = parse_cuckoo_report(args.report)
print(f"[+] Parsed {len(api_calls)} API calls from behavioral report")
timing = detect_timing_checks(api_calls)
sleep = detect_sleep_inflation(api_calls, args.min_sleep_ms)
vm_checks = detect_vm_artifact_checks(api_calls)
user_checks = detect_user_interaction_checks(api_calls)
all_findings = timing + sleep + vm_checks + user_checks
sophistication = score_evasion_sophistication(all_findings)
report = {
"analysis_time": datetime.utcnow().isoformat() + "Z",
"sample_sha256": raw_report.get("target", {}).get("file", {}).get("sha256", ""),
"total_api_calls": len(api_calls),
"evasion_findings": {
"timing_checks": timing,
"sleep_inflation": sleep,
"vm_artifact_checks": vm_checks,
"user_interaction_checks": user_checks,
},
"total_indicators": len(all_findings),
"sophistication": sophistication,
"mitre_techniques": ["T1497.001", "T1497.002", "T1497.003"],
}
with open(args.output, "w") as f:
json.dump(report, f, indent=2)
print(f"[+] Timing checks: {len(timing)}")
print(f"[+] Sleep inflation: {len(sleep)}")
print(f"[+] VM artifact checks: {len(vm_checks)}")
print(f"[+] User interaction checks: {len(user_checks)}")
print(f"[+] Evasion sophistication: {sophistication['level']} ({sophistication['score']}/100)")
print(f"[+] Report saved to {args.output}")
if __name__ == "__main__":
main()