T1062

Hypervisor

Adversaries may install a type-1 hypervisor below the operating system to achieve persistent, stealthy access that survives reboots and is hidden from the guest OS. A malicious hypervisor intercepts hardware-level operations and can conceal its presence from all software running above it, including security tools and the OS kernel. This technique has been deprecated by MITRE ATT&CK but remains relevant for detection engineering due to its theoretical use by sophisticated threat actors and nation-state groups targeting high-value environments. Practical implementations include Blue Pill-style subvirt attacks, malicious Xen-based hypervisors, or abuse of legitimate hypervisor platforms (Hyper-V, VMware) as persistence anchors. Detection relies on pre-installation indicators (hypervisor binary drops, boot configuration changes, driver installs) since post-installation detection from inside the guest OS is unreliable.

Microsoft Sentinel / Defender

kusto

let HypervisorTools = dynamic([
  "xen", "bluePill", "vmmkit", "subvirt", "bluepill",
  "hvloader", "hypervisor", "vmm.exe", "hv.exe"
]);
let SuspiciousBcdeditArgs = dynamic([
  "hypervisorlaunchtype", "hypervisordebugtype", "hypervisordebugport",
  "hypervisorbaudrate", "hypervisorloadoptions", "hypervisorschedulertype",
  "testsigning on", "nointegritychecks on", "loadoptions hypervisor"
]);
let SuspiciousDriverNames = dynamic([
  "xen.sys", "xenbus.sys", "xennet.sys", "xenvbd.sys", "xenvif.sys",
  "hvax64.exe", "hvix64.exe", "hvloader.exe", "winhvr.sys", "hvload"
]);
// Branch 1: Suspicious bcdedit invocations modifying hypervisor boot settings
let BcdeditHypervisor = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "bcdedit.exe"
| where ProcessCommandLine has_any (SuspiciousBcdeditArgs)
| extend DetectionBranch = "BcdeditHypervisorConfig"
| extend RiskIndicator = "Boot configuration modified for hypervisor loading";
// Branch 2: Suspicious driver files associated with hypervisors dropped to disk
let HypervisorDriverDrop = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any ("\\System32\\drivers\\", "\\SysWOW64\\drivers\\", "\\EFI\\", "\\Boot\\")
| where FileName has_any (SuspiciousDriverNames)
| extend DetectionBranch = "HypervisorDriverDrop"
| extend RiskIndicator = "Hypervisor-associated driver written to system directory";
// Branch 3: Service creation installing hypervisor-related drivers
let HypervisorServiceInstall = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryKeyCreated", "RegistryValueSet")
| where RegistryKey has @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
| where RegistryValueData has_any (SuspiciousDriverNames) or RegistryKey has_any (HypervisorTools)
| extend DetectionBranch = "HypervisorServiceInstall"
| extend RiskIndicator = "Registry service entry created for potential hypervisor driver";
// Branch 4: Process creating or accessing EFI/boot sector files (pre-install staging)
let BootSectorAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any ("\\EFI\\Microsoft\\Boot\\", "\\EFI\\Boot\\", "\\Boot\\BCD", "\\bootmgfw.efi", "\\bootmgr")
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where not (InitiatingProcessFileName has_any ("TrustedInstaller.exe", "wuauclt.exe", "svchost.exe", "MoUsoCoreWorker.exe"))
| extend DetectionBranch = "BootSectorModification"
| extend RiskIndicator = "EFI or boot file modified by non-trusted process";
union BcdeditHypervisor, HypervisorDriverDrop, HypervisorServiceInstall, BootSectorAccess
| project Timestamp, DeviceName, AccountName,
         FileName, ProcessCommandLine, FolderPath, RegistryKey, RegistryValueData,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionBranch, RiskIndicator
| sort by Timestamp desc

critical severity low confidence

Data Sources

Process: Process Creation File: File Creation Windows Registry: Registry Key Modification Driver: Driver Load Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents DeviceRegistryEvents

False Positives

Legitimate Hyper-V or Windows Hypervisor Platform enablement via Windows Features — generates bcdedit hypervisorlaunchtype changes during install
VMware Workstation or VirtualBox installation on developer machines that install kernel-mode drivers to system directories
Windows Subsystem for Android or WSL2 enabling Hyper-V hypervisor support via bcdedit commands during feature activation
Enterprise virtualization products (Citrix, Parallels, Nutanix AHV agents) installing Xen-compatible PV drivers to System32\drivers
Windows Update or Windows Recovery Environment modifying EFI and BCD files during cumulative update installation

Splunk

spl

index=wineventlog (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:System")
| eval DetectionBranch=null(), RiskIndicator=null()
```Branch 1: bcdedit modifying hypervisor boot settings (Sysmon EventCode=1)```
| eval DetectionBranch=if(EventCode=1 AND match(lower(CommandLine), "bcdedit") AND match(lower(CommandLine), "(hypervisorlaunchtype|hypervisordebugtype|hypervisorloadoptions|testsigning|nointegritychecks|hypervisordebugport|hypervisorbaudrate)"), "BcdeditHypervisorConfig", DetectionBranch)
| eval RiskIndicator=if(DetectionBranch="BcdeditHypervisorConfig", "Boot configuration modified to enable or configure hypervisor", RiskIndicator)
```Branch 2: Hypervisor driver dropped to system paths (Sysmon EventCode=11)```
| eval DetectionBranch=if(EventCode=11 AND match(lower(TargetFilename), "(xen\.sys|xenbus\.sys|xennet\.sys|xenvbd\.sys|winhvr\.sys|hvax64\.exe|hvix64\.exe|hvloader\.exe)") AND match(lower(TargetFilename), "(system32\\drivers|syswow64\\drivers|\\efi\\|\\boot\\)"), "HypervisorDriverDrop", DetectionBranch)
| eval RiskIndicator=if(DetectionBranch="HypervisorDriverDrop", "Hypervisor-associated driver written to privileged system directory", RiskIndicator)
```Branch 3: Hypervisor service registered in registry (Sysmon EventCode=13)```
| eval DetectionBranch=if(EventCode=13 AND match(lower(TargetObject), "currentcontrolset\\services") AND match(lower(Details), "(xen\.sys|xenbus\.sys|hvloader|bluePill|subvirt)"), "HypervisorServiceInstall", DetectionBranch)
| eval RiskIndicator=if(DetectionBranch="HypervisorServiceInstall", "Registry service entry created for hypervisor driver", RiskIndicator)
```Branch 4: Suspicious driver loaded (Sysmon EventCode=6)```
| eval DetectionBranch=if(EventCode=6 AND match(lower(ImageLoaded), "(xen\.sys|xenbus\.sys|winhvr\.sys|hvax64\.exe|bluePill)"), "SuspiciousDriverLoad", DetectionBranch)
| eval RiskIndicator=if(DetectionBranch="SuspiciousDriverLoad", "Known hypervisor-associated driver loaded into kernel", RiskIndicator)
```Branch 5: Service install via Security log (EventCode=7045)```
| eval DetectionBranch=if(EventCode=7045 AND match(lower(ServiceFileName), "(xen|hvloader|bluePill|subvirt|vmm\.exe)"), "HypervisorServiceSecurity", DetectionBranch)
| eval RiskIndicator=if(DetectionBranch="HypervisorServiceSecurity", "New kernel service installed matching hypervisor binary names", RiskIndicator)
| where isnotnull(DetectionBranch)
| eval actor=coalesce(User, SubjectUserName, "unknown")
| table _time, host, actor, DetectionBranch, RiskIndicator, CommandLine, TargetFilename, TargetObject, Details, ImageLoaded, ServiceFileName, Image, ParentImage
| sort - _time

critical severity low confidence

Data Sources

Process: Process Creation File: File Creation Driver: Driver Load Windows Registry: Registry Key Modification Sysmon Event ID 1 Sysmon Event ID 6 Sysmon Event ID 11 Sysmon Event ID 13 Security Event ID 7045

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security WinEventLog:System

False Positives

Enabling Hyper-V or Windows Hypervisor Platform via Windows Features triggers bcdedit hypervisorlaunchtype changes
VMware, VirtualBox, Citrix, or Parallels installing PV (paravirtualization) drivers including Xen-compatible components
WSL2 or Windows Subsystem for Android enabling Hyper-V via bcdedit during first activation
Enterprise VDI agents (Citrix Virtual Apps, Nutanix) that install Xen PV network and storage drivers to System32\drivers
Windows Update modifying BCD store and EFI files during feature updates or recovery environment maintenance

Elastic Security (EQL)

eql

any where
(
  /* Branch 1: bcdedit modifying hypervisor boot settings */
  (
    event.category == "process" and event.type == "start" and
    process.name : "bcdedit.exe" and
    process.args : ("*hypervisorlaunchtype*", "*hypervisordebugtype*", "*hypervisordebugport*", "*hypervisorbaudrate*", "*hypervisorloadoptions*", "*hypervisorschedulertype*", "*testsigning*", "*nointegritychecks*", "*loadoptions*hypervisor*")
  ) or
  /* Branch 2: Hypervisor driver dropped to privileged system paths */
  (
    event.category == "file" and event.type in ("creation", "change") and
    file.path : ("*\\System32\\drivers\\*", "*\\SysWOW64\\drivers\\*", "*\\EFI\\*", "*\\Boot\\*") and
    file.name : ("xen.sys", "xenbus.sys", "xennet.sys", "xenvbd.sys", "xenvif.sys", "hvax64.exe", "hvix64.exe", "hvloader.exe", "winhvr.sys", "hvload*")
  ) or
  /* Branch 3: Hypervisor service registered via registry */
  (
    event.category == "registry" and event.type in ("creation", "change") and
    registry.path : "*\\SYSTEM\\CurrentControlSet\\Services\\*" and
    (
      registry.data.strings : ("*xen.sys*", "*xenbus.sys*", "*hvloader*", "*bluePill*", "*subvirt*", "*vmm.exe*") or
      registry.key : ("*xen*", "*bluePill*", "*subvirt*", "*hvloader*", "*hypervisor*")
    )
  ) or
  /* Branch 4: Suspicious hypervisor-associated driver loaded into kernel */
  (
    event.category == "driver" and
    file.name : ("xen.sys", "xenbus.sys", "xenvbd.sys", "winhvr.sys", "hvax64.exe", "hvix64.exe", "bluepill*")
  ) or
  /* Branch 5: EFI or boot sector file modified by untrusted process */
  (
    event.category == "file" and event.type in ("creation", "change", "rename") and
    file.path : ("*\\EFI\\Microsoft\\Boot\\*", "*\\EFI\\Boot\\*", "*\\Boot\\BCD*", "*bootmgfw.efi*", "*bootmgr*") and
    not process.name : ("TrustedInstaller.exe", "wuauclt.exe", "svchost.exe", "MoUsoCoreWorker.exe", "WaaSMedicAgent.exe")
  )
)

critical severity medium confidence

Data Sources

Endpoint - Elastic Agent (endpoint.events.process) Endpoint - Elastic Agent (endpoint.events.file) Endpoint - Elastic Agent (endpoint.events.registry) Endpoint - Elastic Agent (endpoint.events.driver)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* logs-endpoint.events.registry-* logs-endpoint.events.driver-*

False Positives

Legitimate Hyper-V or WSL2 installation and configuration by system administrators using bcdedit to set hypervisorlaunchtype or testsigning for development environments.
Xen or VMware Tools installation on a legitimate server virtualization host where Xen paravirtualization drivers (xen.sys, xenbus.sys) are expected kernel components.
Windows Boot Manager updates during major OS upgrades or Windows Update patch cycles modifying EFI boot files via TrustedInstaller or MoUsoCoreWorker — ensure process exclusions are kept current.
Security researchers or penetration testers running Blue Pill or SubVirt proof-of-concept tools in authorized lab environments.
Backup and disaster recovery solutions (e.g., Veeam, Acronis) that interact with EFI partitions and BCD stores during bare-metal restore operations.

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  username,
  sourceip,
  hostname,
  QIDNAME(qid) AS event_name,
  "CommandLine" AS command_line,
  "TargetFilename" AS target_filename,
  "TargetObject" AS registry_key,
  "Details" AS registry_value,
  "ImageLoaded" AS driver_loaded,
  "ServiceFileName" AS service_filename,
  CASE
    WHEN EventID = '1' AND LOWER("CommandLine") ILIKE '%bcdedit%'
      AND (LOWER("CommandLine") ILIKE '%hypervisorlaunchtype%'
        OR LOWER("CommandLine") ILIKE '%hypervisordebugtype%'
        OR LOWER("CommandLine") ILIKE '%hypervisorloadoptions%'
        OR LOWER("CommandLine") ILIKE '%testsigning%'
        OR LOWER("CommandLine") ILIKE '%nointegritychecks%'
        OR LOWER("CommandLine") ILIKE '%hypervisordebugport%')
      THEN 'BcdeditHypervisorConfig'
    WHEN EventID = '11'
      AND (LOWER("TargetFilename") ILIKE '%xen.sys%'
        OR LOWER("TargetFilename") ILIKE '%xenbus.sys%'
        OR LOWER("TargetFilename") ILIKE '%xennet.sys%'
        OR LOWER("TargetFilename") ILIKE '%xenvbd.sys%'
        OR LOWER("TargetFilename") ILIKE '%winhvr.sys%'
        OR LOWER("TargetFilename") ILIKE '%hvax64.exe%'
        OR LOWER("TargetFilename") ILIKE '%hvix64.exe%'
        OR LOWER("TargetFilename") ILIKE '%hvloader.exe%')
      AND (LOWER("TargetFilename") ILIKE '%system32\\drivers%'
        OR LOWER("TargetFilename") ILIKE '%syswow64\\drivers%'
        OR LOWER("TargetFilename") ILIKE '%\\efi\\%'
        OR LOWER("TargetFilename") ILIKE '%\\boot\\%')
      THEN 'HypervisorDriverDrop'
    WHEN EventID = '13'
      AND LOWER("TargetObject") ILIKE '%currentcontrolset\\services%'
      AND (LOWER("Details") ILIKE '%xen.sys%'
        OR LOWER("Details") ILIKE '%xenbus.sys%'
        OR LOWER("Details") ILIKE '%hvloader%'
        OR LOWER("Details") ILIKE '%bluepill%'
        OR LOWER("Details") ILIKE '%subvirt%')
      THEN 'HypervisorServiceInstall'
    WHEN EventID = '6'
      AND (LOWER("ImageLoaded") ILIKE '%xen.sys%'
        OR LOWER("ImageLoaded") ILIKE '%xenbus.sys%'
        OR LOWER("ImageLoaded") ILIKE '%winhvr.sys%'
        OR LOWER("ImageLoaded") ILIKE '%hvax64.exe%'
        OR LOWER("ImageLoaded") ILIKE '%bluepill%')
      THEN 'SuspiciousDriverLoad'
    WHEN EventID = '7045'
      AND (LOWER("ServiceFileName") ILIKE '%xen%'
        OR LOWER("ServiceFileName") ILIKE '%hvloader%'
        OR LOWER("ServiceFileName") ILIKE '%bluepill%'
        OR LOWER("ServiceFileName") ILIKE '%subvirt%'
        OR LOWER("ServiceFileName") ILIKE '%vmm.exe%')
      THEN 'HypervisorServiceSecurity'
    ELSE NULL
  END AS detection_branch
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 15, 253, 357)
  AND starttime > NOW() - 86400000
  AND (
    (EventID = '1' AND LOWER("CommandLine") ILIKE '%bcdedit%'
      AND (LOWER("CommandLine") ILIKE '%hypervisorlaunchtype%'
        OR LOWER("CommandLine") ILIKE '%hypervisordebugtype%'
        OR LOWER("CommandLine") ILIKE '%hypervisorloadoptions%'
        OR LOWER("CommandLine") ILIKE '%testsigning%'
        OR LOWER("CommandLine") ILIKE '%nointegritychecks%'))
    OR
    (EventID = '11'
      AND (LOWER("TargetFilename") ILIKE '%xen.sys%' OR LOWER("TargetFilename") ILIKE '%xenbus.sys%'
        OR LOWER("TargetFilename") ILIKE '%winhvr.sys%' OR LOWER("TargetFilename") ILIKE '%hvloader.exe%')
      AND (LOWER("TargetFilename") ILIKE '%system32\\drivers%' OR LOWER("TargetFilename") ILIKE '%\\efi\\%'))
    OR
    (EventID = '13' AND LOWER("TargetObject") ILIKE '%currentcontrolset\\services%'
      AND (LOWER("Details") ILIKE '%xen.sys%' OR LOWER("Details") ILIKE '%hvloader%'
        OR LOWER("Details") ILIKE '%bluepill%' OR LOWER("Details") ILIKE '%subvirt%'))
    OR
    (EventID = '6'
      AND (LOWER("ImageLoaded") ILIKE '%xen.sys%' OR LOWER("ImageLoaded") ILIKE '%xenbus.sys%'
        OR LOWER("ImageLoaded") ILIKE '%winhvr.sys%' OR LOWER("ImageLoaded") ILIKE '%bluepill%'))
    OR
    (EventID = '7045'
      AND (LOWER("ServiceFileName") ILIKE '%xen%' OR LOWER("ServiceFileName") ILIKE '%hvloader%'
        OR LOWER("ServiceFileName") ILIKE '%bluepill%' OR LOWER("ServiceFileName") ILIKE '%subvirt%'))
  )
ORDER BY starttime DESC

critical severity medium confidence

Data Sources

Microsoft Windows Sysmon (LOGSOURCETYPEID 253 or 357) Microsoft Windows Security Event Log (LOGSOURCETYPEID 12 or 13)

Required Tables

events

False Positives

Legitimate Hyper-V role installation on Windows Server systems, which triggers bcdedit hypervisorlaunchtype changes and winhvr.sys driver registration through standard Windows feature management.
Cloud provider Windows instances running as Xen-based VMs (AWS EC2 older generation instances) where Xen PV drivers (xen.sys, xenbus.sys, xenvbd.sys) are installed as part of the standard AWS PV Driver package.
VMware ESXi management agents or VirtIO driver installation on guest VMs running in approved virtualization infrastructure, which may register services with matching driver path patterns.
IT asset management or MDM tooling that modifies BCD store as part of remote boot configuration management during authorized maintenance windows.

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=windows/system
| parse field=_raw "<EventID>*</EventID>" as EventID nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as Image nodrop
| parse field=_raw "<Data Name='ParentImage'>*</Data>" as ParentImage nodrop
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as TargetFilename nodrop
| parse field=_raw "<Data Name='TargetObject'>*</Data>" as TargetObject nodrop
| parse field=_raw "<Data Name='Details'>*</Data>" as RegistryDetails nodrop
| parse field=_raw "<Data Name='ImageLoaded'>*</Data>" as ImageLoaded nodrop
| parse field=_raw "<Data Name='ServiceFileName'>*</Data>" as ServiceFileName nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as User nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as Computer nodrop
// Branch 1: bcdedit hypervisor boot config changes (Sysmon EID 1)
| eval DetectionBranch = if(
    EventID = "1"
    AND matches(toLowerCase(CommandLine), ".*bcdedit.*")
    AND matches(toLowerCase(CommandLine), ".*(hypervisorlaunchtype|hypervisordebugtype|hypervisorloadoptions|hypervisordebugport|hypervisorbaudrate|testsigning|nointegritychecks|hypervisorschedulertype).*"),
    "BcdeditHypervisorConfig", null)
| eval RiskIndicator = if(DetectionBranch = "BcdeditHypervisorConfig",
    "Boot configuration modified to enable or configure hypervisor loading", null)
// Branch 2: Hypervisor driver written to system paths (Sysmon EID 11)
| eval DetectionBranch = if(isnull(DetectionBranch)
    AND EventID = "11"
    AND matches(toLowerCase(TargetFilename), ".*(xen\.sys|xenbus\.sys|xennet\.sys|xenvbd\.sys|xenvif\.sys|hvax64\.exe|hvix64\.exe|hvloader\.exe|winhvr\.sys).*")
    AND matches(toLowerCase(TargetFilename), ".*(system32\\\\drivers|syswow64\\\\drivers|\\\\efi\\\\|\\\\boot\\\\).*"),
    "HypervisorDriverDrop", DetectionBranch)
| eval RiskIndicator = if(DetectionBranch = "HypervisorDriverDrop",
    "Hypervisor-associated driver written to privileged system directory", RiskIndicator)
// Branch 3: Registry service entry for hypervisor driver (Sysmon EID 13)
| eval DetectionBranch = if(isnull(DetectionBranch)
    AND EventID = "13"
    AND matches(toLowerCase(TargetObject), ".*currentcontrolset\\\\services.*")
    AND matches(toLowerCase(RegistryDetails), ".*(xen\.sys|xenbus\.sys|hvloader|bluepill|subvirt|vmm\.exe).*"),
    "HypervisorServiceInstall", DetectionBranch)
| eval RiskIndicator = if(DetectionBranch = "HypervisorServiceInstall",
    "Registry service entry created for hypervisor driver binary", RiskIndicator)
// Branch 4: Known hypervisor driver loaded into kernel (Sysmon EID 6)
| eval DetectionBranch = if(isnull(DetectionBranch)
    AND EventID = "6"
    AND matches(toLowerCase(ImageLoaded), ".*(xen\.sys|xenbus\.sys|xenvbd\.sys|winhvr\.sys|hvax64\.exe|bluepill).*"),
    "SuspiciousDriverLoad", DetectionBranch)
| eval RiskIndicator = if(DetectionBranch = "SuspiciousDriverLoad",
    "Known hypervisor-associated driver loaded into kernel address space", RiskIndicator)
// Branch 5: New service install with hypervisor binary names (Security EID 7045)
| eval DetectionBranch = if(isnull(DetectionBranch)
    AND EventID = "7045"
    AND matches(toLowerCase(ServiceFileName), ".*(xen|hvloader|bluepill|subvirt|vmm\.exe|hv\.exe).*"),
    "HypervisorServiceSecurity", DetectionBranch)
| eval RiskIndicator = if(DetectionBranch = "HypervisorServiceSecurity",
    "New kernel service installed matching hypervisor binary name patterns", RiskIndicator)
| where !isnull(DetectionBranch)
| fields _messagetime, Computer, User, EventID, DetectionBranch, RiskIndicator, CommandLine, Image, ParentImage, TargetFilename, TargetObject, RegistryDetails, ImageLoaded, ServiceFileName
| sort by _messagetime desc

critical severity medium confidence

Data Sources

Windows Sysmon (_sourceCategory=windows/sysmon) Windows Security Event Log (_sourceCategory=windows/security) Windows System Event Log (_sourceCategory=windows/system)

Required Tables

Windows Sysmon Operational log Windows Security log Windows System log

False Positives

Legitimate Hyper-V feature installation or update on Windows Server or Windows 10/11 Pro hosts triggers winhvr.sys driver registration and bcdedit hypervisorlaunchtype configuration changes through Windows Modules Installer.
AWS, Azure, or GCP Windows virtual machine instances where cloud provider PV/VirtIO drivers matching xen* naming patterns are installed or updated by cloud management agents.
Enterprise virtualization platform upgrades (VMware vCenter agent updates, Citrix XenServer tools) that modify boot configuration or register new kernel services with hypervisor-associated driver names.
Security product driver installations (EDR agents, AV kernel components) that interact with boot configuration as part of self-protection mechanisms may trigger bcdedit-related branches.

Google Chronicle / SecOps

yaral

rule t1062_hypervisor_install_indicators {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects T1062 Hypervisor pre-installation indicators including bcdedit boot configuration changes, hypervisor driver file drops, registry service entries for hypervisor binaries, and EFI/boot sector modification by untrusted processes."
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1062"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1062/"
    severity = "CRITICAL"
    priority = "HIGH"
    status = "PRODUCTION"
    created = "2026-04-16"

  events:
    (
      // Branch 1: bcdedit modifying hypervisor boot configuration
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)bcdedit\.exe`)
        and (
          re.regex($e.target.process.command_line, `(?i)hypervisorlaunchtype`) or
          re.regex($e.target.process.command_line, `(?i)hypervisordebugtype`) or
          re.regex($e.target.process.command_line, `(?i)hypervisorloadoptions`) or
          re.regex($e.target.process.command_line, `(?i)hypervisordebugport`) or
          re.regex($e.target.process.command_line, `(?i)hypervisorbaudrate`) or
          re.regex($e.target.process.command_line, `(?i)testsigning\s+on`) or
          re.regex($e.target.process.command_line, `(?i)nointegritychecks\s+on`) or
          re.regex($e.target.process.command_line, `(?i)loadoptions.*hypervisor`)
        )
      ) or
      // Branch 2: Hypervisor driver file dropped to system directories
      (
        $e.metadata.event_type = "FILE_CREATION"
        and (
          re.regex($e.target.file.full_path, `(?i)\\(system32|syswow64)\\drivers\\`) or
          re.regex($e.target.file.full_path, `(?i)\\EFI\\`) or
          re.regex($e.target.file.full_path, `(?i)\\Boot\\.`)
        )
        and (
          re.regex($e.target.file.full_path, `(?i)(xen\.sys|xenbus\.sys|xennet\.sys|xenvbd\.sys|xenvif\.sys)`) or
          re.regex($e.target.file.full_path, `(?i)(hvax64\.exe|hvix64\.exe|hvloader\.exe|winhvr\.sys)`)
        )
      ) or
      // Branch 3: Registry service key created for hypervisor driver
      (
        $e.metadata.event_type = "REGISTRY_CREATION"
        and re.regex($e.target.registry.registry_key, `(?i)CurrentControlSet\\Services`)
        and (
          re.regex($e.target.registry.registry_key, `(?i)(xen|hvloader|bluepill|subvirt|hypervisor)`) or
          re.regex($e.target.registry.registry_value_data, `(?i)(xen\.sys|xenbus\.sys|hvloader|bluepill|subvirt|vmm\.exe)`)
        )
      ) or
      // Branch 4: EFI or boot sector file modified by untrusted process
      (
        $e.metadata.event_type = "FILE_MODIFICATION"
        and (
          re.regex($e.target.file.full_path, `(?i)\\EFI\\(Microsoft|Boot)\\`) or
          re.regex($e.target.file.full_path, `(?i)(bootmgfw\.efi|bootmgr|\\Boot\\BCD)`)
        )
        and not re.regex($e.principal.process.file.full_path, `(?i)(TrustedInstaller\.exe|wuauclt\.exe|svchost\.exe|MoUsoCoreWorker\.exe|WaaSMedicAgent\.exe)`)
      ) or
      // Branch 5: Suspicious kernel driver load matching hypervisor names
      (
        $e.metadata.event_type = "DRIVER_LOAD"
        and (
          re.regex($e.target.file.full_path, `(?i)(xen\.sys|xenbus\.sys|xenvbd\.sys|winhvr\.sys|hvax64\.exe|bluepill)`) or
          re.regex($e.target.file.full_path, `(?i)(hvix64\.exe|hvloader\.exe|subvirt)`)
        )
      )
    )

  condition:
    $e
}

critical severity medium confidence

Data Sources

Windows Event Logs via Chronicle UDM ingestion (PROCESS_LAUNCH, FILE_CREATION, FILE_MODIFICATION, REGISTRY_CREATION, DRIVER_LOAD event types) Endpoint telemetry forwarded to Google Chronicle via Bindplane or direct Chronicle forwarder

Required Tables

UDM Events (PROCESS_LAUNCH) UDM Events (FILE_CREATION) UDM Events (FILE_MODIFICATION) UDM Events (REGISTRY_CREATION) UDM Events (DRIVER_LOAD)

False Positives

Hyper-V installation or Windows Subsystem for Linux 2 (WSL2) setup triggers legitimate winhvr.sys driver registration and bcdedit hypervisorlaunchtype configuration — correlate with Windows Update or IT change management records to distinguish.
Amazon EC2 Windows instances using Xen-based virtualization (older instance types) receive legitimate xen.sys, xenbus.sys, xenvbd.sys driver updates from the AWS PV Drivers installer package.
Enterprise virtualization environment provisioning scripts that configure test signing or disable integrity checks for internal driver development in authorized lab environments — correlate with approved change tickets.
Incident response or forensics tools that access EFI partitions for live triage (e.g., KAPE, Arsenal Image Mounter) may trigger boot sector file access alerts.

CrowdStrike LogScale (CQL)

cql

// T1062 Hypervisor Installation Pre-Indicators
// Branch 1: bcdedit modifying hypervisor boot configuration
#event_simpleName = ProcessRollup2
| FileName = /bcdedit\.exe/i
| CommandLine = /(hypervisorlaunchtype|hypervisordebugtype|hypervisorloadoptions|hypervisordebugport|hypervisorbaudrate|hypervisorschedulertype|testsigning\s+on|nointegritychecks\s+on|loadoptions.*hypervisor)/i
| eval DetectionBranch = "BcdeditHypervisorConfig"
| eval RiskIndicator = "Boot configuration modified to enable or configure hypervisor loading"
| table _timeutc, ComputerName, UserName, DetectionBranch, RiskIndicator, CommandLine, FileName, ParentBaseFileName

union

// Branch 2: Hypervisor driver file written to privileged system paths
#event_simpleName = PeFileWritten
| TargetFileName = /(xen\.sys|xenbus\.sys|xennet\.sys|xenvbd\.sys|xenvif\.sys|hvax64\.exe|hvix64\.exe|hvloader\.exe|winhvr\.sys)/i
| TargetFileName = /(\\system32\\drivers\\|\\syswow64\\drivers\\|\\EFI\\|\\Boot\\)/i
| eval DetectionBranch = "HypervisorDriverDrop"
| eval RiskIndicator = "Hypervisor-associated driver binary written to privileged system directory"
| table _timeutc, ComputerName, UserName, DetectionBranch, RiskIndicator, TargetFileName, ImageFileName

union

// Branch 3: Registry service key created or modified for hypervisor driver
#event_simpleName in (RegKeyCreated, RegValueSet)
| ObjectName = /CurrentControlSet\\Services/i
| (ObjectName = /(xen|hvloader|bluepill|subvirt|hypervisor)/i OR StringValue = /(xen\.sys|xenbus\.sys|hvloader|bluepill|subvirt|vmm\.exe)/i)
| eval DetectionBranch = "HypervisorServiceInstall"
| eval RiskIndicator = "Registry service entry created for potential hypervisor driver"
| table _timeutc, ComputerName, UserName, DetectionBranch, RiskIndicator, ObjectName, StringValue, ImageFileName

union

// Branch 4: Suspicious kernel driver loaded matching hypervisor binary names
#event_simpleName = DriverLoad
| ImageFileName = /(xen\.sys|xenbus\.sys|xenvbd\.sys|winhvr\.sys|hvax64\.exe|hvix64\.exe|hvloader\.exe|bluepill)/i
| eval DetectionBranch = "SuspiciousDriverLoad"
| eval RiskIndicator = "Known hypervisor-associated driver loaded into kernel"
| table _timeutc, ComputerName, UserName, DetectionBranch, RiskIndicator, ImageFileName, SHA256HashData

union

// Branch 5: EFI or boot sector file modified by untrusted process
#event_simpleName = PeFileWritten
| TargetFileName = /(\\EFI\\Microsoft\\Boot\\|\\EFI\\Boot\\|bootmgfw\.efi|bootmgr|\\Boot\\BCD)/i
| ImageFileName != /(TrustedInstaller\.exe|wuauclt\.exe|MoUsoCoreWorker\.exe|WaaSMedicAgent\.exe)/i
| eval DetectionBranch = "BootSectorModification"
| eval RiskIndicator = "EFI or boot file modified by non-trusted process"
| table _timeutc, ComputerName, UserName, DetectionBranch, RiskIndicator, TargetFileName, ImageFileName

| sortby _timeutc desc

critical severity medium confidence

Data Sources

CrowdStrike Falcon Endpoint Protection (ProcessRollup2) CrowdStrike Falcon Endpoint Protection (PeFileWritten) CrowdStrike Falcon Endpoint Protection (RegKeyCreated, RegValueSet) CrowdStrike Falcon Endpoint Protection (DriverLoad)

Required Tables

ProcessRollup2 PeFileWritten RegKeyCreated RegValueSet DriverLoad

False Positives

CrowdStrike Falcon sensor itself and other EDR kernel components may trigger DriverLoad events for their own self-protection drivers — maintain a whitelist of approved security product driver hashes in SHA256HashData exclusions.
Cloud-hosted Windows instances on AWS (Xen-based), Azure (Hyper-V), or GCP (KVM) receive legitimate hypervisor driver packages as part of cloud guest agent installation and update cycles, generating PeFileWritten events for xen.sys or winhvr.sys.
Windows feature installation of Hyper-V role or Device Guard / Credential Guard (which requires HVCI mode) triggers bcdedit hypervisorlaunchtype changes via TiWorker.exe or DISM — exclude by correlating with Windows Update activity.
Disaster recovery and backup vendors (Veeam, Commvault) that register boot-aware kernel drivers for VSS integration or bare-metal recovery may create registry service entries with driver paths matching hypervisor-associated patterns.

Last updated: 2026-04-16 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1062 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Hypervisor

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Persistence

Popular Detections