T1062 Microsoft Sentinel · KQL

Detect Hypervisor in Microsoft Sentinel

Adversaries may install a type-1 hypervisor below the operating system to achieve persistent, stealthy access that survives reboots and is hidden from the guest OS. A malicious hypervisor intercepts hardware-level operations and can conceal its presence from all software running above it, including security tools and the OS kernel. This technique has been deprecated by MITRE ATT&CK but remains relevant for detection engineering due to its theoretical use by sophisticated threat actors and nation-state groups targeting high-value environments. Practical implementations include Blue Pill-style subvirt attacks, malicious Xen-based hypervisors, or abuse of legitimate hypervisor platforms (Hyper-V, VMware) as persistence anchors. Detection relies on pre-installation indicators (hypervisor binary drops, boot configuration changes, driver installs) since post-installation detection from inside the guest OS is unreliable.

MITRE ATT&CK

Tactic
Persistence
Canonical reference
https://attack.mitre.org/techniques/T1062/

KQL Detection Query

Microsoft Sentinel (KQL)
let HypervisorTools = dynamic([
  "xen", "bluePill", "vmmkit", "subvirt", "bluepill",
  "hvloader", "hypervisor", "vmm.exe", "hv.exe"
]);
let SuspiciousBcdeditArgs = dynamic([
  "hypervisorlaunchtype", "hypervisordebugtype", "hypervisordebugport",
  "hypervisorbaudrate", "hypervisorloadoptions", "hypervisorschedulertype",
  "testsigning on", "nointegritychecks on", "loadoptions hypervisor"
]);
let SuspiciousDriverNames = dynamic([
  "xen.sys", "xenbus.sys", "xennet.sys", "xenvbd.sys", "xenvif.sys",
  "hvax64.exe", "hvix64.exe", "hvloader.exe", "winhvr.sys", "hvload"
]);
// Branch 1: Suspicious bcdedit invocations modifying hypervisor boot settings.
// has_any matches whole terms, so "hypervisorlaunchtype" fires whatever value is set.
let BcdeditHypervisor = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "bcdedit.exe"
| where ProcessCommandLine has_any (SuspiciousBcdeditArgs)
| extend DetectionBranch = "BcdeditHypervisorConfig"
| extend RiskIndicator = "Boot configuration modified for hypervisor loading";
// Branch 2: Suspicious driver files associated with hypervisors dropped to disk
let HypervisorDriverDrop = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any ("\\System32\\drivers\\", "\\SysWOW64\\drivers\\", "\\EFI\\", "\\Boot\\")
| where FileName has_any (SuspiciousDriverNames)
| extend DetectionBranch = "HypervisorDriverDrop"
| extend RiskIndicator = "Hypervisor-associated driver written to system directory";
// Branch 3: Service creation installing hypervisor-related drivers.
// RegistryKey holds the full key path, so anchor on the Services prefix rather than a term match.
let HypervisorServiceInstall = DeviceRegistryEvents
| where Timestamp > ago(24h)
| where ActionType in ("RegistryKeyCreated", "RegistryValueSet")
| where RegistryKey startswith @"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\"
| where RegistryValueData has_any (SuspiciousDriverNames) or RegistryKey has_any (HypervisorTools)
| extend DetectionBranch = "HypervisorServiceInstall"
| extend RiskIndicator = "Registry service entry created for potential hypervisor driver";
// Branch 4: Process creating or accessing EFI/boot sector files (pre-install staging)
let BootSectorAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where FolderPath has_any ("\\EFI\\Microsoft\\Boot\\", "\\EFI\\Boot\\", "\\Boot\\BCD", "\\bootmgfw.efi", "\\bootmgr")
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where not (InitiatingProcessFileName has_any ("TrustedInstaller.exe", "wuauclt.exe", "svchost.exe", "MoUsoCoreWorker.exe"))
| extend DetectionBranch = "BootSectorModification"
| extend RiskIndicator = "EFI or boot file modified by non-trusted process";
union BcdeditHypervisor, HypervisorDriverDrop, HypervisorServiceInstall, BootSectorAccess
// Only DeviceProcessEvents carries AccountName; fall back to the initiating process account for the other tables.
| extend AccountName = coalesce(AccountName, InitiatingProcessAccountName)
| project Timestamp, DeviceName, AccountName,
         FileName, ProcessCommandLine, FolderPath, RegistryKey, RegistryValueData,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         DetectionBranch, RiskIndicator
| sort by Timestamp desc
Severity: Critical · Confidence: Low

Detects indicators of malicious hypervisor installation or boot-level persistence across four detection branches: (1) bcdedit commands modifying hypervisor launch settings such as enabling test signing or setting hypervisorlaunchtype, (2) known hypervisor driver files dropped to system driver directories or EFI partition paths, (3) registry service entries created for hypervisor-associated binaries, and (4) unauthorized modification of EFI boot files by non-trusted system processes. Since detection from within a guest OS after a type-1 hypervisor installs is unreliable, this detection focuses on pre-installation and installation-time artifacts available in Defender for Endpoint telemetry.

Data Sources

  • Process: Process Creation
  • File: File Creation
  • Windows Registry: Registry Key Modification
  • Driver: Driver Load
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceProcessEvents
  • DeviceFileEvents
  • DeviceRegistryEvents

False Positives & Tuning

  • Legitimate Hyper-V or Windows Hypervisor Platform enablement via Windows Features — generates bcdedit hypervisorlaunchtype changes during install
  • VMware Workstation or VirtualBox installation on developer machines that install kernel-mode drivers to system directories
  • Windows Subsystem for Android or WSL2 enabling Hyper-V hypervisor support via bcdedit commands during feature activation
  • Enterprise virtualization products (Citrix, Parallels, Nutanix AHV agents) installing Xen-compatible PV drivers to System32\drivers
  • Windows Update or Windows Recovery Environment modifying EFI and BCD files during cumulative update installation
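To make the four branches and the tuning cases above concrete, here is an added example (not code from the page's author or from Microsoft): a small Python model of the query's logic run over constructed Defender for Endpoint style rows. Each row is a dict with the MDE column names the query uses plus a constructed "Table" field naming its source table; the hostnames, binaries and the ALLOWLIST entries are invented placeholders, and has_any() is this example's approximation of KQL whole-term matching, not Microsoft's implementation.

```python
"""Added example, not code from the page's author or from Microsoft: a Python
model of the four KQL branches, run over constructed DeviceProcessEvents /
DeviceFileEvents / DeviceRegistryEvents rows, plus a per-branch allowlist for
the installer-driven false positives listed under False Positives & Tuning."""
import re

# Indicator lists copied from the page's KQL let declarations.
HYPERVISOR_TOOLS = ["xen", "bluePill", "vmmkit", "subvirt", "bluepill",
                    "hvloader", "hypervisor", "vmm.exe", "hv.exe"]
SUSPICIOUS_BCDEDIT_ARGS = [
    "hypervisorlaunchtype", "hypervisordebugtype", "hypervisordebugport",
    "hypervisorbaudrate", "hypervisorloadoptions", "hypervisorschedulertype",
    "testsigning on", "nointegritychecks on", "loadoptions hypervisor"]
SUSPICIOUS_DRIVER_NAMES = [
    "xen.sys", "xenbus.sys", "xennet.sys", "xenvbd.sys", "xenvif.sys",
    "hvax64.exe", "hvix64.exe", "hvloader.exe", "winhvr.sys", "hvload"]
DRIVER_DIRS = ["\\System32\\drivers\\", "\\SysWOW64\\drivers\\", "\\EFI\\", "\\Boot\\"]
BOOT_PATHS = ["\\EFI\\Microsoft\\Boot\\", "\\EFI\\Boot\\", "\\Boot\\BCD", "\\bootmgfw.efi", "\\bootmgr"]
TRUSTED_BOOT_WRITERS = ["TrustedInstaller.exe", "wuauclt.exe", "svchost.exe", "MoUsoCoreWorker.exe"]
SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed tuning allowlist (placeholder names, assumed for this example):
# approved virtualization installers that legitimately write PV drivers or
# change hypervisorlaunchtype, keyed by the branch they are allowed to suppress.
ALLOWLIST = {
    "BcdeditHypervisorConfig": {"approved-hyperv-enablement.exe"},
    "HypervisorDriverDrop": {"approved-virtualization-setup.exe"},
}


def _terms(text):
    return re.findall(r"[a-z0-9]+", (text or "").lower())


def has_any(value, needles):
    """Approximation of KQL has_any (assumed here): each needle is split into
    alphanumeric terms that must occur as a consecutive run of whole terms in
    value. Hence "xen.sys" matches "xen.sys" but not "xentest.sys", and the
    list entry "hvload" never matches "hvloader.exe"."""
    v = _terms(value)
    for needle in needles:
        n = _terms(needle)
        if n and any(v[i:i + len(n)] == n for i in range(len(v) - len(n) + 1)):
            return True
    return False


def branch_bcdedit(e):  # Branch 1, DeviceProcessEvents rows
    return (e.get("FileName", "").lower() == "bcdedit.exe"
            and has_any(e.get("ProcessCommandLine"), SUSPICIOUS_BCDEDIT_ARGS))


def branch_driver_drop(e):  # Branch 2, DeviceFileEvents rows
    return (e.get("ActionType") in ("FileCreated", "FileModified")
            and has_any(e.get("FolderPath"), DRIVER_DIRS)
            and has_any(e.get("FileName"), SUSPICIOUS_DRIVER_NAMES))


def branch_service_install(e):  # Branch 3, DeviceRegistryEvents rows
    return (e.get("ActionType") in ("RegistryKeyCreated", "RegistryValueSet")
            and e.get("RegistryKey", "").upper().startswith(SERVICES_KEY.upper())
            and (has_any(e.get("RegistryValueData"), SUSPICIOUS_DRIVER_NAMES)
                 or has_any(e.get("RegistryKey"), HYPERVISOR_TOOLS)))


def branch_boot_file(e):  # Branch 4, DeviceFileEvents rows
    return (e.get("ActionType") in ("FileCreated", "FileModified", "FileRenamed")
            and has_any(e.get("FolderPath"), BOOT_PATHS)
            and not has_any(e.get("InitiatingProcessFileName"), TRUSTED_BOOT_WRITERS))


BRANCHES = {
    "DeviceProcessEvents": [("BcdeditHypervisorConfig", branch_bcdedit)],
    "DeviceFileEvents": [("HypervisorDriverDrop", branch_driver_drop),
                         ("BootSectorModification", branch_boot_file)],
    "DeviceRegistryEvents": [("HypervisorServiceInstall", branch_service_install)],
}


def detect(events, allowlist=ALLOWLIST):
    """Return (DetectionBranch, DeviceName, InitiatingProcessFileName) per hit,
    suppressing hits whose initiating process is allowlisted for that branch."""
    hits = []
    for e in events:
        initiator = e.get("InitiatingProcessFileName", "")
        for name, check in BRANCHES.get(e["Table"], []):
            allowed = {a.lower() for a in allowlist.get(name, ())}
            if check(e) and initiator.lower() not in allowed:
                hits.append((name, e["DeviceName"], initiator))
    return hits


# Constructed sample rows; hosts, paths and binaries are invented.
SAMPLE_EVENTS = [
    {"Table": "DeviceProcessEvents", "DeviceName": "ws01", "FileName": "bcdedit.exe",
     "ProcessCommandLine": "bcdedit /set hypervisorlaunchtype auto", "InitiatingProcessFileName": "cmd.exe"},
    {"Table": "DeviceProcessEvents", "DeviceName": "ws01", "FileName": "bcdedit.exe",  # benign read-only use
     "ProcessCommandLine": "bcdedit /enum {current}", "InitiatingProcessFileName": "cmd.exe"},
    {"Table": "DeviceFileEvents", "DeviceName": "ws02", "ActionType": "FileCreated", "FileName": "xenbus.sys",
     "FolderPath": "C:\\Windows\\System32\\drivers\\xenbus.sys", "InitiatingProcessFileName": "powershell.exe"},
    {"Table": "DeviceFileEvents", "DeviceName": "ws03", "ActionType": "FileCreated", "FileName": "xenbus.sys",
     "FolderPath": "C:\\Windows\\System32\\drivers\\xenbus.sys",  # same drop by an allowlisted installer
     "InitiatingProcessFileName": "approved-virtualization-setup.exe"},
    {"Table": "DeviceRegistryEvents", "DeviceName": "ws02", "ActionType": "RegistryValueSet",
     "RegistryKey": SERVICES_KEY + "xenbus", "RegistryValueName": "ImagePath",
     "RegistryValueData": "\\SystemRoot\\System32\\drivers\\xenbus.sys", "InitiatingProcessFileName": "sc.exe"},
    {"Table": "DeviceFileEvents", "DeviceName": "ws04", "ActionType": "FileModified", "FileName": "bootmgfw.efi",
     "FolderPath": "S:\\EFI\\Microsoft\\Boot\\bootmgfw.efi", "InitiatingProcessFileName": "updater_stub.exe"},
    {"Table": "DeviceFileEvents", "DeviceName": "ws04", "ActionType": "FileModified", "FileName": "bootmgfw.efi",
     "FolderPath": "S:\\EFI\\Microsoft\\Boot\\bootmgfw.efi", "InitiatingProcessFileName": "TrustedInstaller.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Running it yields four hits (one per branch); the allowlisted installer's driver drop and the TrustedInstaller servicing write are suppressed. Because the model matches whole terms, as the query's has_any does, entries such as "hvload" never match "hvloader.exe" and a lab artifact named "xentest.sys" does not match "xen.sys"; when validating against the tests below, check that each indicator list actually contains the file and service names the test creates.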

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Enable Hyper-V Hypervisor via bcdedit (Boot Configuration Change)

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set hypervisorlaunchtype auto'. Security Event ID 4688 (if command line auditing enabled). Parent process will be the test runner (cmd.exe or PowerShell).

  2. Test 2: Disable Driver Signature Enforcement via bcdedit (Prerequisite for Unsigned Hypervisor)

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine='bcdedit /set nointegritychecks on'. Security Event ID 4688 with same command. Microsoft-Windows-CodeIntegrity/Operational may log subsequent policy change at next boot.

  3. Test 3: Create Fake Hypervisor Driver Service Registry Entry

    Expected signal: Security Event ID 7045 (Service Control Manager: new service installed) with ServiceName=ArgusTestHV, ServiceType=kernel driver, StartType=boot start, ServiceFileName=C:\Windows\System32\drivers\argus_hv_test.sys. Sysmon Event ID 13 (Registry value set) for HKLM\SYSTEM\CurrentControlSet\Services\ArgusTestHV entries including ImagePath, Start (value 0 = boot), and Type.

  4. Test 4: Drop Suspicious Driver File to System32\drivers (Staging Simulation)

    Expected signal: Sysmon Event ID 11 (File Create) with TargetFilename=C:\Windows\System32\drivers\xentest.sys and Image=cmd.exe or powershell.exe. The file will be created but is a renamed benign executable — SHA256 will match notepad.exe.

  5. Test 5: Enable Test Signing Mode (Unsigned Driver Loading Prerequisite)

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine='bcdedit /set testsigning on'. Security Event ID 4688 with same content. Windows boot splash screen will show 'Test Mode' watermark after next reboot. Microsoft-Windows-CodeIntegrity/Operational logs policy change.
