T1497.003: T1497.003

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 06/03/2020 22:11 · Modified 13/04/2026 17:17

Essential information

MITRE technique ID: T1497.003
Confidence: 100/100
Revoked: No
Published: 06/03/2020 22:11
Modified: 13/04/2026 17:17
Author / Source: The MITRE Corporation

Aliases

Time Based Checks

Platforms

windows macos linux

Description

Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. This may include enumerating time-based properties, such as uptime or the system clock. Adversaries may use calls like `GetTickCount` and `GetSystemTimeAsFileTime` to discover if they are operating within a virtual machine or sandbox, or may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	discovery

Marking (TLP)

External references

mitre-attack (T1497.003)
ISACA Malware Tricks

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (20)

Hunters International uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5174 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Vect uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
SLOW#TEMPEST uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNK_CraftyCamel uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ShadyPanda uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LofyGang uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gamaredon uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Winnti uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GlassWorm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 20

EvilBunny uses
Snip3 uses
HelloBot uses
FormBook uses

Family
SVCReady uses
GIFTEDCROOK uses

Family
AlienReverse uses
Vect uses

Family
Covenant Grunt uses

Family
GOSAR uses

Family
MuddyViper uses

Family
BruteRatel C4 uses

Family

← Previous

Page / 7

1–12 of 81

Analysis of Gamaredon campaign targeting Ukraine weaponizing CVE-2025-8088 related

AlienVault Confidence 100 1 CVE 10 MITREs 10 IOCs 1 APT
WebAssembly Malware Found in Trojanized Open VSX Extensions related

AlienVault Confidence 100 17 MITREs 1 Malware 12 IOCs 12 Observables 1 APT
Technical Analysis of MLTBackdoor related

AlienVault Confidence 100 19 MITREs 1 Malware 34 IOCs 34 Observables
From Fake Amazon Security Alert to HarborWatch Agent: … related

20 MITREs 1 Malware 6 Observables
From Malspam to Fileless .NET Loader related

1 CVE 20 MITREs 9 Observables
From poisoned search results to GPU mining: A … related

20 MITREs 2 Malwares 14 Observables
CloudZ RAT potentially steals OTP messages using Pheno … related

AlienVault Confidence 100 20 MITREs 2 Malwares 6 IOCs 6 Observables
LofyStealer: Malware targeting Minecraft players. related

AlienVault Confidence 100 20 MITREs 3 Malwares 3 IOCs 3 Observables 1 APT
VECT: Ransomware by design, Wiper by accident related

AlienVault Confidence 100 21 MITREs 1 Malware 8 IOCs 8 Observables 1 APT
Unmasking DPRK Cyber Threat Actors: Fake IT Worker … related

AlienVault Confidence 100 16 MITREs 3 IOCs 3 Observables 1 APT
Obfuscation Without Effort: Breaking a GIFTEDCROOK Stealer related

AlienVault Confidence 100 2 CVEs 20 MITREs 1 Malware 4 IOCs 4 Observables 1 APT
MuddyWater: Snakes by the riverbank related

7 MITREs 6 Malwares 9 Observables 1 APT

← Previous

Page / 3

1–12 of 26

Vulnerabilities (CVE) (13)

CVE-2025-6218 KEV targets

RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.

Published: 09/12/2025
Modified: 21/12/2025

CVE-2026-21509 KEV targets

7.8 High

Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could …

Attack vector: LOCAL
Published: 26/01/2026
Modified: 27/03/2026

Analyzed

CVE-2023-46604 KEV targets

10.0 Critical

Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …

Attack vector: Network
Published: 02/11/2023
Modified: 21/12/2025

CVE-2021-31207 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-31969 targets

CVE-2025-2857 targets

10.0 Critical

Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process …

Attack vector: Network
Complexity: Low
Published: 27/03/2025
Modified: 13/04/2026

CWE-668 Awaiting Analysis

CVE-2024-26229 targets

CVE-2021-34473 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 29/05/2026

CVE-2024-1709 KEV targets

10.0 Critical

ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …

Attack vector: Network
Published: 22/02/2024
Modified: 28/02/2026

CVE-2021-34523 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

← Previous

Page / 2

1–12 of 13

T1497 subtechnique-of

Virtualization/Sandbox Evasion MITRE

Tool (2)

Brute Ratel C4 uses

The MITRE Corporation Confidence 100

[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by…
evilginx2 uses

The MITRE Corporation Confidence 75

[evilginx2](https://attack.mitre.org/software/S9003) is an open-source adversary-in-the-middle (AiTM) attack framework based on the open-source nginx web server. [evilginx2](https://attack.mitre.org/software/S9003) can be used as a reverse proxy between victims and legitimate web…

Campaign (1)

Operation Dream Job uses

Contact About Legal notice Privacy policy Terms of use