Detect Hypervisor in IBM QRadar
Adversaries may install a type-1 hypervisor below the operating system to achieve persistent, stealthy access that survives reboots and is hidden from the guest OS. A malicious hypervisor intercepts hardware-level operations and can conceal its presence from all software running above it, including security tools and the OS kernel. This technique has been deprecated by MITRE ATT&CK but remains relevant for detection engineering due to its theoretical use by sophisticated threat actors and nation-state groups targeting high-value environments. Practical implementations include Blue Pill- and SubVirt-style attacks, malicious Xen-based hypervisors, or abuse of legitimate hypervisor platforms (Hyper-V, VMware) as persistence anchors. Detection relies on pre-installation indicators (hypervisor binary drops, boot configuration changes, driver installs), since post-installation detection from inside the guest OS is unreliable.
MITRE ATT&CK
- Tactic: Persistence
- Canonical reference: https://attack.mitre.org/techniques/T1062/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
logsourcename(logsourceid) AS log_source,
CATEGORYNAME(category) AS event_category,
username,
sourceip,
hostname,
QIDNAME(qid) AS event_name,
"CommandLine" AS command_line,
"TargetFilename" AS target_filename,
"TargetObject" AS registry_key,
"Details" AS registry_value,
"ImageLoaded" AS driver_loaded,
"ServiceFileName" AS service_filename,
CASE
WHEN EventID = '1' AND LOWER("CommandLine") ILIKE '%bcdedit%'
AND (LOWER("CommandLine") ILIKE '%hypervisorlaunchtype%'
OR LOWER("CommandLine") ILIKE '%hypervisordebugtype%'
OR LOWER("CommandLine") ILIKE '%hypervisorloadoptions%'
OR LOWER("CommandLine") ILIKE '%testsigning%'
OR LOWER("CommandLine") ILIKE '%nointegritychecks%'
OR LOWER("CommandLine") ILIKE '%hypervisordebugport%')
THEN 'BcdeditHypervisorConfig'
WHEN EventID = '11'
AND (LOWER("TargetFilename") ILIKE '%xen.sys%'
OR LOWER("TargetFilename") ILIKE '%xenbus.sys%'
OR LOWER("TargetFilename") ILIKE '%xennet.sys%'
OR LOWER("TargetFilename") ILIKE '%xenvbd.sys%'
OR LOWER("TargetFilename") ILIKE '%winhvr.sys%'
OR LOWER("TargetFilename") ILIKE '%hvax64.exe%'
OR LOWER("TargetFilename") ILIKE '%hvix64.exe%'
OR LOWER("TargetFilename") ILIKE '%hvloader.exe%')
AND (LOWER("TargetFilename") ILIKE '%system32\\drivers%'
OR LOWER("TargetFilename") ILIKE '%syswow64\\drivers%'
OR LOWER("TargetFilename") ILIKE '%\\efi\\%'
OR LOWER("TargetFilename") ILIKE '%\\boot\\%')
THEN 'HypervisorDriverDrop'
WHEN EventID = '13'
AND LOWER("TargetObject") ILIKE '%currentcontrolset\\services%'
AND (LOWER("Details") ILIKE '%xen.sys%'
OR LOWER("Details") ILIKE '%xenbus.sys%'
OR LOWER("Details") ILIKE '%hvloader%'
OR LOWER("Details") ILIKE '%bluepill%'
OR LOWER("Details") ILIKE '%subvirt%')
THEN 'HypervisorServiceInstall'
WHEN EventID = '6'
AND (LOWER("ImageLoaded") ILIKE '%xen.sys%'
OR LOWER("ImageLoaded") ILIKE '%xenbus.sys%'
OR LOWER("ImageLoaded") ILIKE '%winhvr.sys%'
OR LOWER("ImageLoaded") ILIKE '%hvax64.exe%'
OR LOWER("ImageLoaded") ILIKE '%bluepill%')
THEN 'SuspiciousDriverLoad'
WHEN EventID = '7045'
AND (LOWER("ServiceFileName") ILIKE '%xen%'
OR LOWER("ServiceFileName") ILIKE '%hvloader%'
OR LOWER("ServiceFileName") ILIKE '%bluepill%'
OR LOWER("ServiceFileName") ILIKE '%subvirt%'
OR LOWER("ServiceFileName") ILIKE '%vmm.exe%')
THEN 'HypervisorServiceSecurity'
ELSE NULL
END AS detection_branch
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) IN (12, 13, 14, 15, 253, 357)
AND starttime > NOW() - 86400000
AND (
(EventID = '1' AND LOWER("CommandLine") ILIKE '%bcdedit%'
AND (LOWER("CommandLine") ILIKE '%hypervisorlaunchtype%'
OR LOWER("CommandLine") ILIKE '%hypervisordebugtype%'
OR LOWER("CommandLine") ILIKE '%hypervisorloadoptions%'
OR LOWER("CommandLine") ILIKE '%testsigning%'
OR LOWER("CommandLine") ILIKE '%nointegritychecks%'
OR LOWER("CommandLine") ILIKE '%hypervisordebugport%'))
OR
(EventID = '11'
AND (LOWER("TargetFilename") ILIKE '%xen.sys%' OR LOWER("TargetFilename") ILIKE '%xenbus.sys%'
OR LOWER("TargetFilename") ILIKE '%xennet.sys%' OR LOWER("TargetFilename") ILIKE '%xenvbd.sys%'
OR LOWER("TargetFilename") ILIKE '%winhvr.sys%' OR LOWER("TargetFilename") ILIKE '%hvax64.exe%'
OR LOWER("TargetFilename") ILIKE '%hvix64.exe%' OR LOWER("TargetFilename") ILIKE '%hvloader.exe%')
AND (LOWER("TargetFilename") ILIKE '%system32\\drivers%' OR LOWER("TargetFilename") ILIKE '%syswow64\\drivers%'
OR LOWER("TargetFilename") ILIKE '%\\efi\\%' OR LOWER("TargetFilename") ILIKE '%\\boot\\%'))
OR
(EventID = '13' AND LOWER("TargetObject") ILIKE '%currentcontrolset\\services%'
AND (LOWER("Details") ILIKE '%xen.sys%' OR LOWER("Details") ILIKE '%xenbus.sys%'
OR LOWER("Details") ILIKE '%hvloader%' OR LOWER("Details") ILIKE '%bluepill%'
OR LOWER("Details") ILIKE '%subvirt%'))
OR
(EventID = '6'
AND (LOWER("ImageLoaded") ILIKE '%xen.sys%' OR LOWER("ImageLoaded") ILIKE '%xenbus.sys%'
OR LOWER("ImageLoaded") ILIKE '%winhvr.sys%' OR LOWER("ImageLoaded") ILIKE '%hvax64.exe%'
OR LOWER("ImageLoaded") ILIKE '%bluepill%'))
OR
(EventID = '7045'
AND (LOWER("ServiceFileName") ILIKE '%xen%' OR LOWER("ServiceFileName") ILIKE '%hvloader%'
OR LOWER("ServiceFileName") ILIKE '%bluepill%' OR LOWER("ServiceFileName") ILIKE '%subvirt%'
OR LOWER("ServiceFileName") ILIKE '%vmm.exe%'))
)
ORDER BY starttime DESC

QRadar AQL query detecting T1062 hypervisor installation pre-indicators from Windows Sysmon and Security event logs. The WHERE clause mirrors the CASE branches exactly, so every pattern listed in a branch can actually produce a row. It covers bcdedit hypervisor boot configuration changes (Sysmon EID 1), hypervisor driver file creation in system paths (Sysmon EID 11), registry service entries for hypervisor drivers (Sysmon EID 13), suspicious kernel driver loads (Sysmon EID 6), and new service installation with hypervisor binary names (Security EID 7045).
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Hyper-V role installation on Windows Server systems, which triggers bcdedit hypervisorlaunchtype changes and winhvr.sys driver registration through standard Windows feature management.
- Cloud provider Windows instances running as Xen-based VMs (AWS EC2 older generation instances) where Xen PV drivers (xen.sys, xenbus.sys, xenvbd.sys) are installed as part of the standard AWS PV Driver package.
- VMware ESXi management agents or VirtIO driver installation on guest VMs running in approved virtualization infrastructure, which may register services with matching driver path patterns.
- IT asset management or MDM tooling that modifies the BCD store as part of remote boot configuration management during authorized maintenance windows.
Other platforms for T1062
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Enable Hyper-V Hypervisor via bcdedit (Boot Configuration Change)
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set hypervisorlaunchtype auto'. Security Event ID 4688 (if command line auditing enabled). Parent process will be the test runner (cmd.exe or PowerShell).
- Test 2: Disable Driver Signature Enforcement via bcdedit (Prerequisite for Unsigned Hypervisor)
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine='bcdedit /set nointegritychecks on'. Security Event ID 4688 with same command. Microsoft-Windows-CodeIntegrity/Operational may log subsequent policy change at next boot.
- Test 3: Create Fake Hypervisor Driver Service Registry Entry
Expected signal: Security Event ID 7045 (Service Control Manager: new service installed) with ServiceName=ArgusTestHV, ServiceType=kernel driver, StartType=boot start, ServiceFileName=C:\Windows\System32\drivers\argus_hv_test.sys. Sysmon Event ID 13 (Registry value set) for HKLM\SYSTEM\CurrentControlSet\Services\ArgusTestHV entries including ImagePath, Start (value 0 = boot), and Type.
- Test 4: Drop Suspicious Driver File to System32\drivers (Staging Simulation)
Expected signal: Sysmon Event ID 11 (File Create) with TargetFilename=C:\Windows\System32\drivers\xentest.sys and Image=cmd.exe or powershell.exe. The file will be created but is a renamed benign executable; its SHA256 will match notepad.exe.
- Test 5: Enable Test Signing Mode (Unsigned Driver Loading Prerequisite)
Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine='bcdedit /set testsigning on'. Security Event ID 4688 with same content. Windows boot splash screen will show 'Test Mode' watermark after next reboot. Microsoft-Windows-CodeIntegrity/Operational logs policy change.
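The following is an added example, not code from the original page: it re-implements the CASE branches of the AQL query above in Python so they can be run offline against constructed Sysmon and Security events modelled on the tests in this section, and adds a parent-process allowlist for the Hyper-V role-install false positive from the tuning notes. The allowlist contents (servicing-stack parents) and all sample event values are assumptions.

```python
# Pattern sets mirror the CASE branches of the AQL query (case-insensitive substring).
BCD_OPTIONS = ("hypervisorlaunchtype", "hypervisordebugtype", "hypervisorloadoptions",
               "testsigning", "nointegritychecks", "hypervisordebugport")
HV_FILES = ("xen.sys", "xenbus.sys", "xennet.sys", "xenvbd.sys",
            "winhvr.sys", "hvax64.exe", "hvix64.exe", "hvloader.exe")
SYSTEM_PATHS = ("system32\\drivers", "syswow64\\drivers", "\\efi\\", "\\boot\\")
SERVICE_IMAGES = ("xen.sys", "xenbus.sys", "hvloader", "bluepill", "subvirt")
LOADED_IMAGES = ("xen.sys", "xenbus.sys", "winhvr.sys", "hvax64.exe", "bluepill")
SERVICE_NAMES = ("xen", "hvloader", "bluepill", "subvirt", "vmm.exe")
# Assumed tuning allowlist: Windows servicing-stack parents seen during a Hyper-V role install.
TRUSTED_PARENTS = ("\\tiworker.exe", "\\dism.exe")

def _has(value, needles):
    """Equivalent of LOWER(value) ILIKE '%needle%' for any needle."""
    v = (value or "").lower()
    return any(n in v for n in needles)

def detection_branch(ev):
    """Return the detection_branch label the AQL CASE would assign, or None."""
    eid = str(ev.get("EventID", ""))
    cmd = ev.get("CommandLine")
    if eid == "1" and _has(cmd, ("bcdedit",)) and _has(cmd, BCD_OPTIONS):
        return "BcdeditHypervisorConfig"
    tf = ev.get("TargetFilename")
    if eid == "11" and _has(tf, HV_FILES) and _has(tf, SYSTEM_PATHS):
        return "HypervisorDriverDrop"
    if eid == "13" and _has(ev.get("TargetObject"), ("currentcontrolset\\services",)) \
            and _has(ev.get("Details"), SERVICE_IMAGES):
        return "HypervisorServiceInstall"
    if eid == "6" and _has(ev.get("ImageLoaded"), LOADED_IMAGES):
        return "SuspiciousDriverLoad"
    if eid == "7045" and _has(ev.get("ServiceFileName"), SERVICE_NAMES):
        return "HypervisorServiceSecurity"
    return None

def triage(events):
    """Classify events; bcdedit hits under a trusted servicing parent are tagged as suppressed."""
    out = []
    for ev in events:
        branch = detection_branch(ev)
        if branch == "BcdeditHypervisorConfig" and _has(ev.get("ParentImage"), TRUSTED_PARENTS):
            branch = "Suppressed:HyperVRoleInstall"
        out.append((ev["id"], branch))
    return out

# Constructed sample events (values are illustrative, modelled on Tests 3-5 and the tuning notes).
SAMPLE_EVENTS = [
    {"id": "t5", "EventID": 1, "CommandLine": "bcdedit /set testsigning on",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"id": "t4", "EventID": 11, "TargetFilename": "C:\\Windows\\System32\\drivers\\xentest.sys"},
    {"id": "t3", "EventID": 7045, "ServiceFileName": "C:\\Windows\\System32\\drivers\\argus_hv_test.sys"},
    {"id": "d1", "EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\xenbus.sys"},
    {"id": "fp", "EventID": 1, "CommandLine": "bcdedit /set hypervisorlaunchtype auto",
     "ParentImage": "C:\\Windows\\WinSxS\\amd64_servicingstack\\TiWorker.exe"},
]
```

Running triage over the samples shows that Tests 3 and 4 as described (argus_hv_test.sys and xentest.sys) do not match any pattern in the query, since '%xen.sys%' does not match xentest.sys; only Tests 1, 2 and 5 exercise the rule as written.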
References (10)
- https://attack.mitre.org/techniques/T1062/
- https://en.wikipedia.org/wiki/Hypervisor
- https://capec.mitre.org/data/definitions/552.html
- http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.90.8832&rep=rep1&type=pdf
- https://learn.microsoft.com/en-us/windows-hardware/drivers/install/kernel-mode-code-signing-requirements--windows-vista-and-later-
- https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/bcdedit-command-line-options
- https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
- https://learn.microsoft.com/en-us/windows/security/hardware-security/tpm/trusted-platform-module-overview
- https://github.com/tandasat/HyperPlatform
- https://github.com/ionescu007/SimpleVisor