T1062 CrowdStrike LogScale · LogScale

Detect Hypervisor in CrowdStrike LogScale

Adversaries may install a type-1 hypervisor beneath the operating system to gain persistent, stealthy access that survives reboots and is invisible to the guest OS. A malicious hypervisor intercepts hardware-level operations and can conceal its presence from all software running above it, including the OS kernel and security tools. MITRE ATT&CK has deprecated this technique, but it remains relevant for detection engineering: the approach was demonstrated by research rootkits (Blue Pill, SubVirt), and it is a plausible option for sophisticated threat actors and nation-state groups targeting high-value environments. Practical forms include Blue Pill-style hypervisor rootkits that virtualize an already-running OS, malicious Xen-based hypervisors, and abuse of legitimate hypervisor platforms (Hyper-V, VMware) as persistence anchors. Detection therefore relies on pre-installation indicators (hypervisor binary drops, boot configuration changes, driver installs, service registration), because once the hypervisor is running, any check performed from inside the guest OS can be intercepted and answered falsely.

MITRE ATT&CK

Tactic
Persistence
Canonical reference
https://attack.mitre.org/techniques/T1062/

LogScale Detection Query

CrowdStrike LogScale query (CQL)
// T1062 Hypervisor Installation Pre-Indicators
// The five branches are evaluated in one case statement (LogScale has no union operator):
// each event is tagged with the first clause it matches, so a hypervisor driver written
// under \EFI\ is reported once, as HypervisorDriverDrop. Events matching no clause are
// dropped because there is no "*" fallback clause.
(#event_simpleName=ProcessRollup2 OR #event_simpleName=PeFileWritten OR #event_simpleName=RegKeyCreated OR #event_simpleName=RegValueSet OR #event_simpleName=DriverLoad)
| case {
    // Branch 1: bcdedit modifying hypervisor boot configuration
    #event_simpleName=ProcessRollup2
      AND FileName=/bcdedit\.exe/i
      AND CommandLine=/(hypervisorlaunchtype|hypervisordebugtype|hypervisorloadoptions|hypervisordebugport|hypervisorbaudrate|hypervisorschedulertype|testsigning\s+on|nointegritychecks\s+on|loadoptions.*hypervisor)/i
    | DetectionBranch := "BcdeditHypervisorConfig"
    | RiskIndicator := "Boot configuration modified to enable or configure hypervisor loading";

    // Branch 2: Hypervisor driver file written to privileged system paths
    #event_simpleName=PeFileWritten
      AND TargetFileName=/(xen\.sys|xenbus\.sys|xennet\.sys|xenvbd\.sys|xenvif\.sys|hvax64\.exe|hvix64\.exe|hvloader\.exe|winhvr\.sys)/i
      AND TargetFileName=/(\\system32\\drivers\\|\\syswow64\\drivers\\|\\EFI\\|\\Boot\\)/i
    | DetectionBranch := "HypervisorDriverDrop"
    | RiskIndicator := "Hypervisor-associated driver binary written to privileged system directory";

    // Branch 3: Registry service key created or modified for hypervisor driver
    (#event_simpleName=RegKeyCreated OR #event_simpleName=RegValueSet)
      AND ObjectName=/CurrentControlSet\\Services/i
      AND (ObjectName=/(xen|hvloader|bluepill|subvirt|hypervisor)/i OR StringValue=/(xen\.sys|xenbus\.sys|hvloader|bluepill|subvirt|vmm\.exe)/i)
    | DetectionBranch := "HypervisorServiceInstall"
    | RiskIndicator := "Registry service entry created for potential hypervisor driver";

    // Branch 4: Suspicious kernel driver loaded matching hypervisor binary names
    #event_simpleName=DriverLoad
      AND ImageFileName=/(xen\.sys|xenbus\.sys|xenvbd\.sys|winhvr\.sys|hvax64\.exe|hvix64\.exe|hvloader\.exe|bluepill)/i
    | DetectionBranch := "SuspiciousDriverLoad"
    | RiskIndicator := "Known hypervisor-associated driver loaded into kernel";

    // Branch 5: EFI or boot file modified by a process outside the Windows servicing allowlist
    #event_simpleName=PeFileWritten
      AND TargetFileName=/(\\EFI\\Microsoft\\Boot\\|\\EFI\\Boot\\|bootmgfw\.efi|bootmgr|\\Boot\\BCD)/i
      AND NOT ImageFileName=/(TrustedInstaller\.exe|wuauclt\.exe|MoUsoCoreWorker\.exe|WaaSMedicAgent\.exe)/i
    | DetectionBranch := "BootSectorModification"
    | RiskIndicator := "EFI or boot file modified by non-trusted process"
}
// Columns that a branch does not populate are left empty for that row
| table([@timestamp, ComputerName, UserName, DetectionBranch, RiskIndicator, FileName, CommandLine, ParentBaseFileName, TargetFileName, ImageFileName, ObjectName, StringValue, SHA256HashData])
| sort(@timestamp, order=desc)
Severity: critical / Confidence: medium

CrowdStrike LogScale (Falcon) query detecting T1062 Hypervisor pre-installation indicators across five detection branches using Falcon event types: ProcessRollup2 for bcdedit hypervisor boot configuration changes, PeFileWritten for hypervisor driver drops to system paths, RegKeyCreated/RegValueSet for registry service entries, DriverLoad for suspicious kernel driver load events, and PeFileWritten for EFI/boot sector modification by untrusted processes.

Data Sources

CrowdStrike Falcon Endpoint Protection (ProcessRollup2)
CrowdStrike Falcon Endpoint Protection (PeFileWritten)
CrowdStrike Falcon Endpoint Protection (RegKeyCreated, RegValueSet)
CrowdStrike Falcon Endpoint Protection (DriverLoad)

Required Tables

ProcessRollup2, PeFileWritten, RegKeyCreated, RegValueSet, DriverLoad

False Positives & Tuning

  • The Falcon sensor itself and other EDR kernel components load self-protection drivers, and winhvr.sys is an in-box Windows driver that loads whenever the Windows hypervisor is enabled (Hyper-V, WSL2, Windows Sandbox, virtualization-based security), so branch 4 fires on every such host. Maintain an allowlist of approved Microsoft and security-product driver hashes and exclude them on SHA256HashData (in LogScale a lookup file consulted with match() is the usual mechanism).
  • Cloud-hosted Windows instances on AWS (Xen PV drivers on Xen-based instance types), Azure (Hyper-V) or GCP (KVM) receive legitimate hypervisor integration driver packages through guest agent installation and update cycles, generating PeFileWritten and DriverLoad events for xen.sys, xenbus.sys or winhvr.sys. Tune on the writing process and the driver hash rather than suppressing the file names outright.
  • Installing the Hyper-V role, WSL2, Windows Sandbox or virtualization-based security features (Credential Guard, HVCI / memory integrity) sets hypervisorlaunchtype to auto; the change may arrive as bcdedit.exe spawned by TiWorker.exe or DISM, or be written to the BCD store through the servicing API with no bcdedit process at all. Correlate branch 1 matches with Windows servicing activity and the parent process, and note that the pattern also matches "hypervisorlaunchtype off": a hit means the setting changed, not necessarily that a hypervisor was enabled. The process-name allowlist in branch 5 is noise reduction only; a renamed binary, or code injected into one of the listed processes, passes it, so do not treat it as a security boundary.
  • Disaster recovery and backup vendors (Veeam, Commvault) that register boot-aware kernel drivers for VSS integration or bare-metal recovery may create registry service entries whose ImagePath matches the hypervisor-associated name patterns; allowlist by service name once the signed driver path is confirmed. If your registry telemetry reports the resolved ControlSet00N path instead of the CurrentControlSet link, the branch 3 key filter needs widening to (CurrentControlSet|ControlSet\d{3})\\Services or it will miss those events.
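As an added example (not code from the page or from CrowdStrike), the five branches of the query above and the hash allowlist from the tuning notes re-implemented in Python over constructed Falcon-style events, so the matching logic can be checked offline without a LogScale tenant. Field names follow the query; the hostnames, paths and SHA256 values are constructed, and the approved-hash set is a placeholder for whatever lookup you maintain. Several of the events reuse the command lines, service name and file name from the Testing Methodology section below.

```python
import re
from typing import Dict, List


def _rx(pattern: str):
    return re.compile(pattern, re.IGNORECASE)


# Branch patterns copied from the LogScale query; in raw strings "\\" is one
# literal backslash for the regex engine, just as in the CQL regex literals.
BCDEDIT_IMAGE = _rx(r"bcdedit\.exe")
BCDEDIT_HV_OPTIONS = _rx(r"(hypervisorlaunchtype|hypervisordebugtype|hypervisorloadoptions|"
                         r"hypervisordebugport|hypervisorbaudrate|hypervisorschedulertype|"
                         r"testsigning\s+on|nointegritychecks\s+on|loadoptions.*hypervisor)")
HV_DRIVER_NAMES = _rx(r"(xen\.sys|xenbus\.sys|xennet\.sys|xenvbd\.sys|xenvif\.sys|"
                      r"hvax64\.exe|hvix64\.exe|hvloader\.exe|winhvr\.sys)")
PRIVILEGED_PATHS = _rx(r"(\\system32\\drivers\\|\\syswow64\\drivers\\|\\EFI\\|\\Boot\\)")
SERVICES_KEY = _rx(r"CurrentControlSet\\Services")
HV_SERVICE_NAME = _rx(r"(xen|hvloader|bluepill|subvirt|hypervisor)")
HV_SERVICE_VALUE = _rx(r"(xen\.sys|xenbus\.sys|hvloader|bluepill|subvirt|vmm\.exe)")
HV_LOADED_DRIVER = _rx(r"(xen\.sys|xenbus\.sys|xenvbd\.sys|winhvr\.sys|hvax64\.exe|"
                       r"hvix64\.exe|hvloader\.exe|bluepill)")
BOOT_FILES = _rx(r"(\\EFI\\Microsoft\\Boot\\|\\EFI\\Boot\\|bootmgfw\.efi|bootmgr|\\Boot\\BCD)")
TRUSTED_BOOT_WRITERS = _rx(r"(TrustedInstaller\.exe|wuauclt\.exe|MoUsoCoreWorker\.exe|"
                           r"WaaSMedicAgent\.exe)")

# Tuning allowlist from the False Positives section: placeholder (constructed)
# SHA256 values standing in for approved driver hashes. In LogScale this would
# be a lookup file consulted with match() against SHA256HashData.
APPROVED_DRIVER_HASHES = {
    "a" * 64,  # stand-in: Falcon sensor self-protection driver
    "b" * 64,  # stand-in: in-box winhvr.sys on a VBS-enabled build
}


def classify(event: Dict[str, str], approved_hashes=APPROVED_DRIVER_HASHES) -> List[str]:
    """Every DetectionBranch the event matches (empty list = no alert). All matches
    are returned, mirroring the union semantics of the page's query: a hypervisor
    driver written under \\EFI\\ is both a driver drop and a boot file change."""
    kind = event.get("#event_simpleName", "")

    def f(name: str) -> str:  # missing fields read as "" so regex search never sees None
        return event.get(name, "")

    hits: List[str] = []
    if kind == "ProcessRollup2" and BCDEDIT_IMAGE.search(f("FileName")) \
            and BCDEDIT_HV_OPTIONS.search(f("CommandLine")):
        hits.append("BcdeditHypervisorConfig")
    if kind == "PeFileWritten":
        target = f("TargetFileName")
        if HV_DRIVER_NAMES.search(target) and PRIVILEGED_PATHS.search(target):
            hits.append("HypervisorDriverDrop")
        if BOOT_FILES.search(target) and not TRUSTED_BOOT_WRITERS.search(f("ImageFileName")):
            hits.append("BootSectorModification")
    if kind in ("RegKeyCreated", "RegValueSet") and SERVICES_KEY.search(f("ObjectName")) \
            and (HV_SERVICE_NAME.search(f("ObjectName")) or HV_SERVICE_VALUE.search(f("StringValue"))):
        hits.append("HypervisorServiceInstall")
    if kind == "DriverLoad" and HV_LOADED_DRIVER.search(f("ImageFileName")) \
            and f("SHA256HashData").lower() not in approved_hashes:  # hash case-normalised
        hits.append("SuspiciousDriverLoad")
    return hits


# Constructed Falcon-style events (hostnames, paths and hashes are made up).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"#event_simpleName": "ProcessRollup2", "ComputerName": "LAB-WS01", "FileName": "bcdedit.exe",
     "CommandLine": "bcdedit /set hypervisorlaunchtype auto", "ParentBaseFileName": "cmd.exe"},
    {"#event_simpleName": "ProcessRollup2", "ComputerName": "LAB-WS01", "FileName": "bcdedit.exe",
     "CommandLine": "bcdedit /set testsigning on", "ParentBaseFileName": "powershell.exe"},
    {"#event_simpleName": "ProcessRollup2", "ComputerName": "LAB-WS01", "FileName": "bcdedit.exe",
     "CommandLine": "bcdedit /enum all", "ParentBaseFileName": "cmd.exe"},  # benign
    {"#event_simpleName": "PeFileWritten", "ComputerName": "LAB-WS01", "ImageFileName": r"C:\Windows\System32\cmd.exe",
     "TargetFileName": r"C:\Windows\System32\drivers\xentest.sys"},  # Test 4 name, not on the list
    {"#event_simpleName": "PeFileWritten", "ComputerName": "LAB-WS02", "ImageFileName": r"C:\Temp\setup.exe",
     "TargetFileName": r"C:\Windows\System32\drivers\xenbus.sys"},
    {"#event_simpleName": "PeFileWritten", "ComputerName": "LAB-WS02", "ImageFileName": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFileName": r"C:\EFI\Microsoft\Boot\bootmgfw.efi"},  # servicing allowlist
    {"#event_simpleName": "PeFileWritten", "ComputerName": "LAB-WS02", "ImageFileName": r"C:\Users\Public\stage.exe",
     "TargetFileName": r"S:\EFI\Boot\xen.sys"},  # matches branches 2 and 5
    {"#event_simpleName": "RegValueSet", "ComputerName": "LAB-WS01", "StringValue": r"\SystemRoot\System32\drivers\argus_hv_test.sys",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\ArgusTestHV\ImagePath"},  # Test 3
    {"#event_simpleName": "RegValueSet", "ComputerName": "LAB-WS03", "StringValue": r"\SystemRoot\System32\drivers\bp.sys",
     "ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\BluePillHV\ImagePath"},
    {"#event_simpleName": "DriverLoad", "ComputerName": "LAB-WS01", "SHA256HashData": "B" * 64,
     "ImageFileName": r"\SystemRoot\System32\drivers\winhvr.sys"},  # approved hash
    {"#event_simpleName": "DriverLoad", "ComputerName": "LAB-WS03", "SHA256HashData": "c" * 64,
     "ImageFileName": r"C:\Windows\System32\drivers\xenbus.sys"},
]


def run(events: List[Dict[str, str]] = SAMPLE_EVENTS) -> List[Dict[str, str]]:
    """One row per (event, branch) pair, like the query's table() output."""
    rows = []
    for e in events:
        for branch in classify(e):
            artifact = (e.get("CommandLine") or e.get("TargetFileName")
                        or e.get("ObjectName") or e.get("ImageFileName", ""))
            rows.append({"ComputerName": e.get("ComputerName", ""),
                         "DetectionBranch": branch, "Artifact": artifact})
    return rows


if __name__ == "__main__":
    for row in run():
        print(f"{row['ComputerName']:<9} {row['DetectionBranch']:<26} {row['Artifact']}")
```

Running it prints seven rows. Two of the constructed events are worth noting: the xentest.sys drop and the ArgusTestHV service entry, which reuse the names from tests 3 and 4 below, match none of the branch 2 or branch 3 name patterns, so those tests as written exercise the telemetry but not this rule; either use a name that is on the list (xenbus.sys, a service name containing bluepill) or widen the patterns before relying on them as validation. The approved-hash check suppresses the winhvr.sys load that every host with the Windows hypervisor enabled produces, and the comparison lower-cases the hash so the lookup does not depend on how the sensor reports hex case.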
Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Enable Hyper-V Hypervisor via bcdedit (Boot Configuration Change)

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set hypervisorlaunchtype auto'. Security Event ID 4688 (if command line auditing is enabled). Parent process will be the test runner (cmd.exe or PowerShell). In Falcon this is a ProcessRollup2 event with FileName=bcdedit.exe, which branch 1 matches on 'hypervisorlaunchtype'.

  2. Test 2: Disable Driver Signature Enforcement via bcdedit (Prerequisite for Unsigned Hypervisor)

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine='bcdedit /set nointegritychecks on'. Security Event ID 4688 with the same command. Microsoft-Windows-CodeIntegrity/Operational may log the subsequent policy change at next boot. Branch 1 matches on 'nointegritychecks on'. On a host with Secure Boot enabled bcdedit refuses this change (the value is protected by Secure Boot policy), but the process event, and therefore the branch 1 match, is still generated.

  3. Test 3: Create Fake Hypervisor Driver Service Registry Entry

    Expected signal: System log Event ID 7045 (Service Control Manager: new service installed) with ServiceName=ArgusTestHV, ServiceType=kernel driver, StartType=boot start, ServiceFileName=C:\Windows\System32\drivers\argus_hv_test.sys. Sysmon Event ID 13 (Registry value set) for HKLM\SYSTEM\CurrentControlSet\Services\ArgusTestHV entries including ImagePath, Start (value 0 = boot), and Type. Note that neither 'ArgusTestHV' nor 'argus_hv_test.sys' matches the branch 3 name patterns, so this test confirms that RegKeyCreated/RegValueSet telemetry arrives but will not produce a HypervisorServiceInstall row unless the service or file name is changed to one on the list (for example a name containing 'bluepill') or the patterns are widened.

  4. Test 4: Drop Suspicious Driver File to System32\drivers (Staging Simulation)

    Expected signal: Sysmon Event ID 11 (File Create) with TargetFilename=C:\Windows\System32\drivers\xentest.sys and Image=cmd.exe or powershell.exe. The file is a renamed benign executable, so its SHA256 will match notepad.exe. Falcon records a PeFileWritten event because the content is a PE; however, 'xentest.sys' is not in the branch 2 file-name list, so use one of the listed names (for example xenbus.sys) to exercise HypervisorDriverDrop.

  5. Test 5: Enable Test Signing Mode (Unsigned Driver Loading Prerequisite)

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine='bcdedit /set testsigning on'. Security Event ID 4688 with the same content. The Windows desktop shows a 'Test Mode' watermark after the next reboot. Microsoft-Windows-CodeIntegrity/Operational logs the policy change. Branch 1 matches on 'testsigning on'; as with Test 2, Secure Boot blocks the change itself but not the process event.
