Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.[1] Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.[2]
Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.[3]
In VMware environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid `.vmx` file with the `/bin/vmx` utility. Adding this command to `/etc/rc.local.d/local.sh` (i.e., RC Scripts) will cause the VM to persistently restart.[4] Creating a VM this way prevents it from appearing in the vCenter console or in the output of the `vim-cmd vmsvc/getallvms` command on the ESXi server, thereby hiding it from typical administrative activities.[5]
ID | Name | Description |
---|---|---|
S0451 | LoudMiner | LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates.[6] |
S0449 | Maze | Maze operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine's configuration file mapped the shared network drives of the target company, presumably so Maze can encrypt files on the shared drives as well as the local machine.[7] |
S0481 | Ragnar Locker | Ragnar Locker has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables Ragnar Locker to encrypt files on the host operating system, including files on any mapped drives.[3] |
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Periodically audit virtual machines for abnormalities. On ESXi servers, periodically compare the output of |
M1042 | Disable or Remove Feature or Program | Disable Hyper-V if not necessary within a given environment. |
M1038 | Execution Prevention | Use application control to mitigate installation and use of unapproved virtualization software. |
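The ESXi technique above (a `.vmx` started directly with `/bin/vmx`, persisted via `/etc/rc.local.d/local.sh`, and absent from `vim-cmd vmsvc/getallvms`) and the M1047 audit mitigation both come down to one check: a running vmx process whose `.vmx` file is not in the registered inventory. The following is an added example, not ATT&CK or VMware code; it runs offline over constructed samples, and the process-listing format (one "pid command-line" line per process) is an assumption.

```python
import re

# Constructed sample of `vim-cmd vmsvc/getallvms` output (not real data).
GETALLVMS_OUTPUT = """\
Vmid   Name    File                           Guest OS                Version   Annotation
1      web01   [datastore1] web01/web01.vmx   centos7_64Guest         vmx-14
2      db01    [datastore1] db01/db01.vmx     windows9Server64Guest   vmx-15
"""

# Constructed sample process listing from the host; format assumed to be "<pid> <command line>".
PROCESS_LIST = """\
2101 /bin/vmx -s sched.group=host/user -# name=web01 /vmfs/volumes/datastore1/web01/web01.vmx
2102 /bin/vmx -s sched.group=host/user -# name=db01 /vmfs/volumes/datastore1/db01/db01.vmx
2777 /bin/vmx /vmfs/volumes/datastore1/.hidden/svc.vmx
"""

# Constructed sample of /etc/rc.local.d/local.sh with an injected persistence line.
LOCAL_SH = """\
#!/bin/sh
# local configuration options
/bin/vmx /vmfs/volumes/datastore1/.hidden/svc.vmx &
exit 0
"""


def registered_vmx_paths(getallvms_text):
    # getallvms lists each VM's config as "[datastore] rel/path.vmx"; datastores are
    # mounted under /vmfs/volumes/<datastore>, so translate to the on-disk path.
    pat = re.compile(r"\[([^\]]+)\]\s+(\S+\.vmx)")
    return {f"/vmfs/volumes/{ds}/{rel}" for ds, rel in pat.findall(getallvms_text)}


def running_vmx_paths(ps_text):
    # Pull the .vmx argument out of every /bin/vmx command line.
    pat = re.compile(r"/bin/vmx\b.*?(\S+\.vmx)(?=\s|$)", re.MULTILINE)
    return pat.findall(ps_text)


def unregistered_running_vms(getallvms_text, ps_text):
    # A vmx process with no matching inventory entry is the hidden-VM signal.
    registered = registered_vmx_paths(getallvms_text)
    return [p for p in running_vmx_paths(ps_text) if p not in registered]


def vmx_persistence_lines(local_sh_text):
    # Any direct /bin/vmx invocation in local.sh restarts a VM outside vCenter's view.
    return [ln.strip() for ln in local_sh_text.splitlines()
            if re.search(r"(^|\s)/bin/vmx\b", ln)]
```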
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0017 | Command | Command Execution | Consider monitoring for commands and arguments that may be atypical for benign use of virtualization software. Usage of virtualization binaries or command-line arguments associated with running a silent installation may be especially suspect (ex. |
DS0022 | File | File Creation | Monitor for newly constructed files associated with running a virtual instance, such as binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). On ESXi servers, this includes new |
DS0007 | Image | Image Metadata | Consider monitoring the size of virtual machines running on the system. Adversaries may create virtual images which are smaller than those of typical virtual machines.[8] Network adapter information may also be helpful in detecting the use of virtual instances. |
DS0009 | Process | Process Creation | Monitor newly executed processes associated with running a virtual instance, such as those launched from binary files associated with common virtualization technologies (ex: VirtualBox, VMware, QEMU, Hyper-V). |
DS0019 | Service | Service Creation | Monitor for newly constructed services/daemons that may carry out malicious operations using a virtual instance to avoid detection. Consider monitoring for new Windows Services related to virtualization software. |
DS0024 | Windows Registry | Windows Registry Key Modification | Monitor for changes made to Windows Registry keys and/or values that may be the result of using a virtual instance to avoid detection. For example, if virtualization software is installed by the adversary, the Registry may provide detection opportunities. |