T1497.003: T1497.003

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 06/03/2020 22:11 · Modified 13/04/2026 17:17

Essential information

MITRE technique ID: T1497.003
Confidence: 100/100
Revoked: No
Published: 06/03/2020 22:11
Modified: 13/04/2026 17:17
Author / Source: The MITRE Corporation

Aliases

Time Based Checks

Platforms

windows macos linux

Description

Adversaries may employ various time-based methods to detect virtualization and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. This may include enumerating time-based properties, such as uptime or the system clock. Adversaries may use calls like `GetTickCount` and `GetSystemTimeAsFileTime` to discover if they are operating within a virtual machine or sandbox, or may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment's timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion
mitre-attack	discovery

Marking (TLP)

External references

mitre-attack (T1497.003)
ISACA Malware Tricks

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (20)

Hunters International uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNC5174 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Vect uses

Ransomware.Live Confidence 100

No description available

First seen 01/01/1970 · Last seen 16/11/5138 ·
SLOW#TEMPEST uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
UNK_CraftyCamel uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
ShadyPanda uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LofyGang uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DPRK uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Gamaredon uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Winnti uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
GlassWorm uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
MuddyWater uses Earth VetalaStatic Kitten

The MITRE Corporation Confidence 100

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

1–12 of 20

EvilBunny uses
Snip3 uses
HelloBot uses
FormBook uses

Family
SVCReady uses
GIFTEDCROOK uses

Family
AlienReverse uses
Vect uses

Family
Covenant Grunt uses

Family
GOSAR uses

Family
MuddyViper uses

Family
BruteRatel C4 uses

Family

← Previous

Page / 7

1–12 of 81

LummaStealer dropped via fake updates from itch.io and … related

11 MITREs 1 Malware 5 Observables
4.3 Million Browsers Infected: Inside ShadyPanda's 7-Year Malware … related

20 MITREs 3 Malwares 1 APT
Operation DRAGONCLONE: Chinese Telecom Targeted by Malware related

13 MITREs 4 Malwares 1 APT
Operation HollowQuill: Russian R&D Networks Targeted via Decoy … related

8 MITREs 1 Malware 2 Observables
Call It What You Want: Threat Actor Delivers … related

11 MITREs 1 Malware 1 APT
Under the SADBRIDGE with GOSAR: QUASAR Gets a … related

11 MITREs 3 Malwares 13 Observables 1 APT
Analysis report on recent phishing attacks by APT-C-48 … related

15 MITREs 5 Observables 1 APT
The Evolution of a Cyber Threat: From JinxLoader … related

8 MITREs 4 Malwares 6 Observables
Raspberry Robin Analysis related

2 CVEs 20 MITREs 2 Malwares 126 Observables
New Ymir ransomware discovered used together with RustyStealer related

9 MITREs 3 Malwares
New Ymir ransomware discovered used together with RustyStealer … related

9 MITREs 3 Malwares 12 Observables
SharpRhino – New Hunters International RAT related

14 MITREs 1 Malware 6 Observables 1 APT

← Previous

Page / 3

13–24 of 26

Vulnerabilities (CVE) (13)

CVE-2025-6218 KEV targets

RARLAB WinRAR contains a path traversal vulnerability allowing an attacker to execute code in the context of the current user.

Published: 09/12/2025
Modified: 21/12/2025

CVE-2026-21509 KEV targets

7.8 High

Microsoft Office contains a security feature bypass vulnerability in which reliance on untrusted inputs in a security decision in Microsoft Office could …

Attack vector: LOCAL
Published: 26/01/2026
Modified: 27/03/2026

Analyzed

CVE-2023-46604 KEV targets

10.0 Critical

Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …

Attack vector: Network
Published: 02/11/2023
Modified: 21/12/2025

CVE-2021-31207 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for security feature bypass.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2021-31969 targets

CVE-2025-2857 targets

10.0 Critical

Following the recent Chrome sandbox escape (CVE-2025-2783), various Firefox developers identified a similar pattern in our IPC code. A compromised child process …

Attack vector: Network
Complexity: Low
Published: 27/03/2025
Modified: 13/04/2026

CWE-668 Awaiting Analysis

CVE-2024-26229 targets

CVE-2021-34473 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.

Published: 03/11/2021
Modified: 29/05/2026

CVE-2024-1709 KEV targets

10.0 Critical

ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …

Attack vector: Network
Published: 22/02/2024
Modified: 28/02/2026

CVE-2021-34523 KEV targets

Microsoft Exchange Server contains an unspecified vulnerability that allows for privilege escalation.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

CVE-2025-31324 KEV targets

10.0 Critical

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries …

Attack vector: Network
Published: 29/04/2025
Modified: 21/12/2025

Received

← Previous

Page / 2

1–12 of 13

T1497 subtechnique-of

Virtualization/Sandbox Evasion MITRE

Tool (2)

Brute Ratel C4 uses

The MITRE Corporation Confidence 100

[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by…
evilginx2 uses

The MITRE Corporation Confidence 75

[evilginx2](https://attack.mitre.org/software/S9003) is an open-source adversary-in-the-middle (AiTM) attack framework based on the open-source nginx web server. [evilginx2](https://attack.mitre.org/software/S9003) can be used as a reverse proxy between victims and legitimate web…

Campaign (1)

Operation Dream Job uses

Contact About Legal notice Privacy policy Terms of use