T1062 Sumo Logic CSE · Sumo

Detect Hypervisor in Sumo Logic CSE

Adversaries may install a type-1 hypervisor below the operating system to achieve persistent, stealthy access that survives reboots and is hidden from the guest OS. A malicious hypervisor intercepts hardware-level operations and can conceal its presence from all software running above it, including security tools and the OS kernel. This technique has been deprecated by MITRE ATT&CK but remains relevant for detection engineering due to its theoretical use by sophisticated threat actors and nation-state groups targeting high-value environments. Practical implementations include Blue Pill- or SubVirt-style attacks, malicious Xen-based hypervisors, or abuse of legitimate hypervisor platforms (Hyper-V, VMware) as persistence anchors. Detection relies on pre-installation indicators (hypervisor binary drops, boot configuration changes, driver installs), since post-installation detection from inside the guest OS is unreliable.

MITRE ATT&CK

Tactic
Persistence
Canonical reference
https://attack.mitre.org/techniques/T1062/

Sumo Detection Query

Sumo Logic CSE (Sumo)
_sourceCategory=windows/sysmon OR _sourceCategory=windows/security OR _sourceCategory=windows/system
| parse field=_raw "<EventID>*</EventID>" as EventID nodrop
| parse field=_raw "<Data Name='CommandLine'>*</Data>" as CommandLine nodrop
| parse field=_raw "<Data Name='Image'>*</Data>" as Image nodrop
| parse field=_raw "<Data Name='ParentImage'>*</Data>" as ParentImage nodrop
| parse field=_raw "<Data Name='TargetFilename'>*</Data>" as TargetFilename nodrop
| parse field=_raw "<Data Name='TargetObject'>*</Data>" as TargetObject nodrop
| parse field=_raw "<Data Name='Details'>*</Data>" as RegistryDetails nodrop
| parse field=_raw "<Data Name='ImageLoaded'>*</Data>" as ImageLoaded nodrop
| parse field=_raw "<Data Name='ServiceFileName'>*</Data>" as ServiceFileName nodrop
| parse field=_raw "<Data Name='User'>*</Data>" as User nodrop
| parse field=_raw "<Data Name='Computer'>*</Data>" as Computer nodrop
// Branch 1: bcdedit hypervisor boot config changes (Sysmon EID 1)
| eval DetectionBranch = if(
    EventID = "1"
    AND matches(toLowerCase(CommandLine), ".*bcdedit.*")
    AND matches(toLowerCase(CommandLine), ".*(hypervisorlaunchtype|hypervisordebugtype|hypervisorloadoptions|hypervisordebugport|hypervisorbaudrate|testsigning|nointegritychecks|hypervisorschedulertype).*"),
    "BcdeditHypervisorConfig", null)
| eval RiskIndicator = if(DetectionBranch = "BcdeditHypervisorConfig",
    "Boot configuration modified to enable or configure hypervisor loading", null)
// Branch 2: Hypervisor driver written to system paths (Sysmon EID 11)
| eval DetectionBranch = if(isnull(DetectionBranch)
    AND EventID = "11"
    AND matches(toLowerCase(TargetFilename), ".*(xen\.sys|xenbus\.sys|xennet\.sys|xenvbd\.sys|xenvif\.sys|hvax64\.exe|hvix64\.exe|hvloader\.exe|winhvr\.sys).*")
    AND matches(toLowerCase(TargetFilename), ".*(system32\\\\drivers|syswow64\\\\drivers|\\\\efi\\\\|\\\\boot\\\\).*"),
    "HypervisorDriverDrop", DetectionBranch)
| eval RiskIndicator = if(DetectionBranch = "HypervisorDriverDrop",
    "Hypervisor-associated driver written to privileged system directory", RiskIndicator)
// Branch 3: Registry service entry for hypervisor driver (Sysmon EID 13)
| eval DetectionBranch = if(isnull(DetectionBranch)
    AND EventID = "13"
    AND matches(toLowerCase(TargetObject), ".*currentcontrolset\\\\services.*")
    AND matches(toLowerCase(RegistryDetails), ".*(xen\.sys|xenbus\.sys|hvloader|bluepill|subvirt|vmm\.exe).*"),
    "HypervisorServiceInstall", DetectionBranch)
| eval RiskIndicator = if(DetectionBranch = "HypervisorServiceInstall",
    "Registry service entry created for hypervisor driver binary", RiskIndicator)
// Branch 4: Known hypervisor driver loaded into kernel (Sysmon EID 6)
| eval DetectionBranch = if(isnull(DetectionBranch)
    AND EventID = "6"
    AND matches(toLowerCase(ImageLoaded), ".*(xen\.sys|xenbus\.sys|xenvbd\.sys|winhvr\.sys|hvax64\.exe|bluepill).*"),
    "SuspiciousDriverLoad", DetectionBranch)
| eval RiskIndicator = if(DetectionBranch = "SuspiciousDriverLoad",
    "Known hypervisor-associated driver loaded into kernel address space", RiskIndicator)
// Branch 5: New service install with hypervisor binary names (Security EID 7045)
| eval DetectionBranch = if(isnull(DetectionBranch)
    AND EventID = "7045"
    AND matches(toLowerCase(ServiceFileName), ".*(xen|hvloader|bluepill|subvirt|vmm\.exe|hv\.exe).*"),
    "HypervisorServiceSecurity", DetectionBranch)
| eval RiskIndicator = if(DetectionBranch = "HypervisorServiceSecurity",
    "New kernel service installed matching hypervisor binary name patterns", RiskIndicator)
| where !isnull(DetectionBranch)
| fields _messagetime, Computer, User, EventID, DetectionBranch, RiskIndicator, CommandLine, Image, ParentImage, TargetFilename, TargetObject, RegistryDetails, ImageLoaded, ServiceFileName
| sort by _messagetime desc
Severity: critical · Confidence: medium

Sumo Logic query detecting T1062 Hypervisor pre-installation indicators from Windows Sysmon and Security event logs. Parses XML event fields to identify bcdedit hypervisor boot configuration changes, hypervisor driver drops to system directories, registry service entries for known hypervisor binaries, suspicious kernel driver loads, and new service registration with hypervisor binary names.

Data Sources

  • Windows Sysmon (_sourceCategory=windows/sysmon)
  • Windows Security Event Log (_sourceCategory=windows/security)
  • Windows System Event Log (_sourceCategory=windows/system)

Required Tables

  • Windows Sysmon Operational log
  • Windows Security log
  • Windows System log

False Positives & Tuning

  • Legitimate Hyper-V feature installation or update on Windows Server or Windows 10/11 Pro hosts triggers winhvr.sys driver registration and bcdedit hypervisorlaunchtype configuration changes through Windows Modules Installer.
  • AWS, Azure, or GCP Windows virtual machine instances where cloud provider PV/VirtIO drivers matching xen* naming patterns are installed or updated by cloud management agents.
  • Enterprise virtualization platform upgrades (VMware vCenter agent updates, Citrix XenServer tools) that modify boot configuration or register new kernel services with hypervisor-associated driver names.
  • Security product driver installations (EDR agents, AV kernel components) that interact with boot configuration as part of self-protection mechanisms may trigger bcdedit-related branches.
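As an added example (Python, not part of the Sumo Logic rule or the vendor's content), the five detection branches above re-implemented over constructed Sysmon/Security XML records, so the branch logic can be exercised offline together with the tuning from the false-positive notes; the parent image TiWorker.exe for Windows Modules Installer is an assumption, and the sample records are constructed, not captured telemetry. It also shows that the Test 4 filename xentest.sys does not satisfy branch 2's driver-name pattern as written.

```python
import re
import xml.etree.ElementTree as ET
# Branch table mirroring the query (patterns factored): (EventID, [(field, regex), ...], branch name).
BRANCHES = [
    ("1", [("CommandLine", r"bcdedit"),
           ("CommandLine", r"hypervisor(launchtype|debugtype|loadoptions|debugport|"
                           r"baudrate|schedulertype)|testsigning|nointegritychecks")],
     "BcdeditHypervisorConfig"),
    ("11", [("TargetFilename", r"xen(bus|net|vbd|vif)?\.sys|hv(ax64|ix64|loader)\.exe|winhvr\.sys"),
            ("TargetFilename", r"system32\\drivers|syswow64\\drivers|\\efi\\|\\boot\\")],
     "HypervisorDriverDrop"),
    ("13", [("TargetObject", r"currentcontrolset\\services"),
            ("Details", r"xen(bus)?\.sys|hvloader|bluepill|subvirt|vmm\.exe")], "HypervisorServiceInstall"),
    ("6", [("ImageLoaded", r"xen(bus|vbd)?\.sys|winhvr\.sys|hvax64\.exe|bluepill")], "SuspiciousDriverLoad"),
    ("7045", [("ServiceFileName", r"xen|hvloader|bluepill|subvirt|vmm\.exe|hv\.exe")], "HypervisorServiceSecurity"),
]
# Tuning (assumption, from the false-positive notes): bcdedit spawned by Windows Modules
# Installer (TiWorker.exe) during a legitimate Hyper-V install is not alerted on.
BENIGN_BCDEDIT_PARENTS = {"tiworker.exe"}

def parse_event(xml_text):
    """Flatten one Windows event XML record into {'EventID': ..., <Data Name>: text}."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # tolerate the Windows event XML namespace
        if tag == "EventID":
            fields["EventID"] = (el.text or "").strip()
        elif tag == "Data" and el.get("Name"):
            fields[el.get("Name")] = el.text or ""
    return fields

def classify(fields):
    """Return the branch that fires for one parsed event, or None (the query's where clause)."""
    for event_id, checks, name in BRANCHES:
        if fields.get("EventID") == event_id and all(
                re.search(rx, fields.get(f, "").lower()) for f, rx in checks):
            parent = fields.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
            if name == "BcdeditHypervisorConfig" and parent in BENIGN_BCDEDIT_PARENTS:
                return None
            return name
    return None

def event(event_id, **data):  # constructed record in Sysmon/Security XML shape, not captured telemetry
    body = "".join(f"<Data Name='{k}'>{v}</Data>" for k, v in data.items())
    return f"<Event><System><EventID>{event_id}</EventID></System><EventData>{body}</EventData></Event>"

SAMPLES = {
    "bcdedit_from_cmd": event(1, ParentImage=r"C:\Windows\System32\cmd.exe", CommandLine="bcdedit /set hypervisorlaunchtype auto"),
    "bcdedit_from_tiworker": event(1, ParentImage=r"C:\Windows\WinSxS\x\TiWorker.exe", CommandLine="bcdedit /set hypervisorlaunchtype auto"),
    "xenbus_drop": event(11, TargetFilename=r"C:\Windows\System32\drivers\xenbus.sys"),
    "test4_xentest_drop": event(11, TargetFilename=r"C:\Windows\System32\drivers\xentest.sys"),  # Test 4 filename
}
```

Running classify(parse_event(...)) over SAMPLES fires BcdeditHypervisorConfig and HypervisorDriverDrop for the first and third records, while the TiWorker.exe-parented bcdedit and the xentest.sys drop return None.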

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Enable Hyper-V Hypervisor via bcdedit (Boot Configuration Change)

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine containing '/set hypervisorlaunchtype auto'. Security Event ID 4688 (if command line auditing enabled). Parent process will be the test runner (cmd.exe or PowerShell).

  2. Test 2: Disable Driver Signature Enforcement via bcdedit (Prerequisite for Unsigned Hypervisor)

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine='bcdedit /set nointegritychecks on'. Security Event ID 4688 with same command. Microsoft-Windows-CodeIntegrity/Operational may log subsequent policy change at next boot.

  3. Test 3: Create Fake Hypervisor Driver Service Registry Entry

    Expected signal: Security Event ID 7045 (Service Control Manager: new service installed) with ServiceName=ArgusTestHV, ServiceType=kernel driver, StartType=boot start, ServiceFileName=C:\Windows\System32\drivers\argus_hv_test.sys. Sysmon Event ID 13 (Registry value set) for HKLM\SYSTEM\CurrentControlSet\Services\ArgusTestHV entries including ImagePath, Start (value 0 = boot), and Type.

  4. Test 4: Drop Suspicious Driver File to System32\drivers (Staging Simulation)

    Expected signal: Sysmon Event ID 11 (File Create) with TargetFilename=C:\Windows\System32\drivers\xentest.sys and Image=cmd.exe or powershell.exe. The file will be created but is a renamed benign executable — SHA256 will match notepad.exe.

  5. Test 5: Enable Test Signing Mode (Unsigned Driver Loading Prerequisite)

    Expected signal: Sysmon Event ID 1: Process Create with Image=bcdedit.exe, CommandLine='bcdedit /set testsigning on'. Security Event ID 4688 with same content. Windows boot splash screen will show 'Test Mode' watermark after next reboot. Microsoft-Windows-CodeIntegrity/Operational logs policy change.
