T1564.006

Run Virtual Instance

Adversaries may carry out malicious operations using a virtual instance to avoid detection. By running malicious code inside a VM, adversaries hide artifacts from security tools that cannot monitor guest activity. Ransomware groups (Maze, Ragnar Locker) used VirtualBox with shared folders mapped to host drives to encrypt files while evading endpoint protection. LoudMiner ran XMRig inside QEMU/VirtualBox Linux VMs for cryptomining. On ESXi, adversaries create rogue VMs via /bin/vmx directly, bypassing vCenter visibility checks. Windows Sandbox .wsb configuration files support LogonCommand payloads and MappedFolder host filesystem access, abused by MirrorFace APT. The CronTrap campaign used QEMU to stage malware inside emulated Linux environments on Windows hosts.

Microsoft Sentinel / Defender

kusto

let VirtBinaries = dynamic([
    "VBoxHeadless.exe", "VBoxSVC.exe", "VBoxManage.exe", "VirtualBox.exe", "VBoxSDL.exe",
    "qemu-system-x86_64.exe", "qemu-system-i386.exe", "qemu-system-aarch64.exe",
    "qemu-img.exe", "vmrun.exe", "WindowsSandbox.exe"
]);
let SuspiciousParents = dynamic([
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe",
    "winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"
]);
let LegitPaths = dynamic([
    "\\Program Files\\Oracle\\",
    "\\Program Files (x86)\\Oracle\\",
    "\\Program Files\\VMware\\",
    "\\Program Files (x86)\\VMware\\",
    "\\Program Files\\QEMU\\",
    "\\Windows\\System32\\",
    "\\Windows\\SysWOW64\\"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (VirtBinaries)
      or (ProcessCommandLine has ".wsb" and FileName !~ "explorer.exe")
| extend HeadlessMode = ProcessCommandLine has_any ("--headless", "--type headless", "--startvm", "-headless", "-nographic")
| extend SharedFolderConfig = ProcessCommandLine has_any ("sharedfolder add", "MappedFolder", "sharedlocation", "-virtfs", "--shared")
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend UnexpectedPath = FileName has_any (VirtBinaries) and not(FolderPath has_any (LegitPaths))
| extend WsbInvocation = ProcessCommandLine has ".wsb"
| extend SuspicionScore = toint(HeadlessMode) + toint(SharedFolderConfig)
      + toint(SuspiciousParent) + toint(UnexpectedPath) + toint(WsbInvocation)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         HeadlessMode, SharedFolderConfig, SuspiciousParent, UnexpectedPath, WsbInvocation, SuspicionScore
| sort by SuspicionScore desc, Timestamp desc

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Developers and QA engineers running VirtualBox or VMware Workstation headlessly as part of automated build/test pipelines (e.g., Vagrant, Packer)
IT administrators using VBoxManage to manage shared folders for legitimate remote work or file transfer workflows
Security researchers or blue teams running malware analysis VMs headlessly in an isolated lab environment
Enterprise sandbox solutions (Bromium, Sandboxie) that legitimately invoke virtualization components from management processes
Windows Sandbox used for legitimate application compatibility testing or software evaluation by power users

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\VBoxHeadless.exe" OR Image="*\\VBoxManage.exe" OR Image="*\\VBoxSVC.exe"
   OR Image="*\\VirtualBox.exe" OR Image="*\\VBoxSDL.exe"
   OR Image="*\\qemu-system-x86_64.exe" OR Image="*\\qemu-system-i386.exe"
   OR Image="*\\qemu-system-aarch64.exe" OR Image="*\\qemu-img.exe"
   OR Image="*\\vmrun.exe" OR Image="*\\WindowsSandbox.exe"
   OR CommandLine="*.wsb*")
| eval HeadlessMode=if(match(CommandLine, "(--headless|--type\s+headless|--startvm|-headless|-nographic)"), 1, 0)
| eval SharedFolderConfig=if(match(CommandLine, "(sharedfolder\s+add|MappedFolder|sharedlocation|-virtfs|--shared)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(\\\\powershell\.exe$|\\\\pwsh\.exe$|\\\\cmd\.exe$|\\\\wscript\.exe$|\\\\cscript\.exe$|\\\\mshta\.exe$|\\\\rundll32\.exe$|\\\\regsvr32\.exe$|\\\\winword\.exe$|\\\\excel\.exe$|\\\\outlook\.exe$|\\\\acrord32\.exe$)"), 1, 0)
| eval UnexpectedPath=if(NOT match(Image, "(?i)(\\\\Program Files\\\\(Oracle|VMware|QEMU|Windows Sandbox)|\\\\Windows\\\\System32|\\\\Windows\\\\SysWOW64)"), 1, 0)
| eval WsbInvocation=if(match(CommandLine, "(?i)\.wsb"), 1, 0)
| eval SuspicionScore=HeadlessMode + SharedFolderConfig + SuspiciousParent + UnexpectedPath + WsbInvocation
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, HeadlessMode, SharedFolderConfig, SuspiciousParent, UnexpectedPath, WsbInvocation, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Developers and QA engineers running VirtualBox or VMware Workstation headlessly as part of automated build/test pipelines (e.g., Vagrant, Packer)
IT administrators using VBoxManage to manage shared folders for legitimate remote work or file transfer workflows
Security researchers or blue teams running malware analysis VMs headlessly in an isolated lab environment
Enterprise sandbox solutions (Bromium, Sandboxie) that legitimately invoke virtualization components from management processes
Windows Sandbox used for legitimate application compatibility testing or software evaluation by power users

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS log_source,
  sourceip,
  username,
  QIDNAME(qid) AS event_name,
  "processname",
  "commandline",
  "parentprocessname",
  CASE
    WHEN LOWER("commandline") MATCHES '.*(--(headless|type headless|startvm)|-headless|-nographic).*' THEN 1
    ELSE 0
  END AS headless_mode,
  CASE
    WHEN LOWER("commandline") MATCHES '.*(sharedfolder add|mappedfolder|sharedlocation|-virtfs|--shared).*' THEN 1
    ELSE 0
  END AS shared_folder_config,
  CASE
    WHEN LOWER("parentprocessname") MATCHES '.*(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|winword\.exe|excel\.exe|outlook\.exe|acrord32\.exe)' THEN 1
    ELSE 0
  END AS suspicious_parent,
  CASE
    WHEN LOWER("processname") MATCHES '.*(vboxheadless|vboxmanage|vboxsvc|virtualbox|vboxsdl|qemu-system|qemu-img|vmrun|windowssandbox)\.exe'
    AND NOT LOWER("processpath") MATCHES '.*(program files\\(oracle|vmware|qemu|windows sandbox)|windows\\system32|windows\\syswow64).*' THEN 1
    ELSE 0
  END AS unexpected_path,
  CASE
    WHEN LOWER("commandline") MATCHES '.*\.wsb.*' THEN 1
    ELSE 0
  END AS wsb_invocation
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 13, 14, 15) -- Windows Security/Sysmon log sources
  AND (
    LOWER("processname") MATCHES '.*(vboxheadless|vboxmanage|vboxsvc|virtualbox|vboxsdl|qemu-system-x86_64|qemu-system-i386|qemu-system-aarch64|qemu-img|vmrun|windowssandbox)\.exe'
    OR LOWER("commandline") MATCHES '.*\.wsb.*'
  )
  AND devicetime > (CURRENT_TIMESTAMP - 86400000)
ORDER BY
  (headless_mode + shared_folder_config + suspicious_parent + unexpected_path + wsb_invocation) DESC,
  devicetime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

QRadar Windows Security Event Log DSM QRadar Sysmon DSM Microsoft Windows Security Event Log

Required Tables

events

False Positives

Enterprise virtual desktop infrastructure (VDI) solutions that legitimately execute VBoxHeadless.exe or vmrun.exe from automated management scripts
Developer workstations with VirtualBox or QEMU installed to non-default paths by package managers (Chocolatey, Scoop, winget)
Security operations platforms that use Windows Sandbox .wsb configurations for malware detonation in a controlled manner

Sumo Logic CSE

sql

_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| where EventID = "1" or EventID = "4688"
| where (
    Image matches "*\\VBoxHeadless.exe" OR Image matches "*\\VBoxManage.exe" OR
    Image matches "*\\VBoxSVC.exe" OR Image matches "*\\VirtualBox.exe" OR
    Image matches "*\\VBoxSDL.exe" OR Image matches "*\\qemu-system-x86_64.exe" OR
    Image matches "*\\qemu-system-i386.exe" OR Image matches "*\\qemu-system-aarch64.exe" OR
    Image matches "*\\qemu-img.exe" OR Image matches "*\\vmrun.exe" OR
    Image matches "*\\WindowsSandbox.exe" OR CommandLine matches "*.wsb*"
  )
| eval headless_mode = if(CommandLine matches "*--headless*" OR CommandLine matches "*--type headless*" OR
                          CommandLine matches "*--startvm*" OR CommandLine matches "*-headless*" OR
                          CommandLine matches "*-nographic*", 1, 0)
| eval shared_folder = if(CommandLine matches "*sharedfolder add*" OR CommandLine matches "*MappedFolder*" OR
                          CommandLine matches "*sharedlocation*" OR CommandLine matches "*-virtfs*" OR
                          CommandLine matches "*--shared*", 1, 0)
| eval suspicious_parent = if(ParentImage matches "*\\powershell.exe" OR ParentImage matches "*\\pwsh.exe" OR
                               ParentImage matches "*\\cmd.exe" OR ParentImage matches "*\\wscript.exe" OR
                               ParentImage matches "*\\cscript.exe" OR ParentImage matches "*\\mshta.exe" OR
                               ParentImage matches "*\\rundll32.exe" OR ParentImage matches "*\\regsvr32.exe" OR
                               ParentImage matches "*\\winword.exe" OR ParentImage matches "*\\excel.exe" OR
                               ParentImage matches "*\\outlook.exe" OR ParentImage matches "*\\acrord32.exe", 1, 0)
| eval unexpected_path = if(
    !(Image matches "*\\Program Files\\Oracle\\*" OR Image matches "*\\Program Files (x86)\\Oracle\\*" OR
      Image matches "*\\Program Files\\VMware\\*" OR Image matches "*\\Program Files\\QEMU\\*" OR
      Image matches "*\\Windows\\System32\\*" OR Image matches "*\\Windows\\SysWOW64\\*"), 1, 0)
| eval wsb_invocation = if(CommandLine matches "*.wsb*", 1, 0)
| eval suspicion_score = headless_mode + shared_folder + suspicious_parent + unexpected_path + wsb_invocation
| where suspicion_score > 0
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, headless_mode, shared_folder, suspicious_parent, unexpected_path, wsb_invocation, suspicion_score
| sort by suspicion_score desc, _time desc

high severity high confidence

Data Sources

Sumo Logic Sysmon Source (Windows Sysmon/Operational) Sumo Logic Windows Security Event Log

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

IT operations teams executing VBoxManage.exe from cmd.exe or PowerShell as part of legitimate VM lifecycle management scripts
Penetration testing teams or red team operators running virtualization tools from non-standard directories as part of authorized engagements
Enterprise application packaging workflows that use Windows Sandbox .wsb files to test software installations in isolated environments

Google Chronicle / SecOps

yaral

rule t1564_006_run_virtual_instance {
  meta:
    author = "df00tech"
    description = "Detects execution of virtualization binaries (VirtualBox, QEMU, VMware, Windows Sandbox) from unexpected paths or spawned by suspicious parents, indicative of T1564.006 Run Virtual Instance evasion."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1564.006"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-21"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(VBoxHeadless|VBoxManage|VBoxSVC|VirtualBox|VBoxSDL|qemu-system-x86_64|qemu-system-i386|qemu-system-aarch64|qemu-img|vmrun|WindowsSandbox)\.exe$`)
      or re.regex($e.target.process.command_line, `(?i)\.wsb`)
    )
    not re.regex($e.target.process.file.full_path, `(?i)(Program Files\\(Oracle|VMware|QEMU|Windows Sandbox)|Windows\\System32|Windows\\SysWOW64)`)

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if(re.regex($e.target.process.command_line, `(?i)(--headless|--type\s+headless|--startvm|-headless|-nographic)`), 20, 0) +
      if(re.regex($e.target.process.command_line, `(?i)(sharedfolder\s+add|MappedFolder|sharedlocation|-virtfs|--shared)`), 25, 0) +
      if(re.regex($e.principal.process.file.full_path, `(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|winword|excel|outlook|acrord32)\.exe$`), 30, 0) +
      if(re.regex($e.target.process.command_line, `(?i)\.wsb`), 20, 0) +
      5
    )
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_path = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path

  condition:
    $e and $risk_score >= 25
}

high severity high confidence

Data Sources

Google Chronicle UDM Windows Event Logs forwarded to Chronicle Chronicle Forwarder (Sysmon)

Required Tables

UDM Events (PROCESS_LAUNCH type)

False Positives

Legitimate virtualization administrators running VBoxManage or QEMU commands via scripted automation tools that appear in the suspicious parent list
Software testing pipelines that invoke Windows Sandbox .wsb configurations from build automation scripts (cmd.exe or PowerShell)
Custom VirtualBox or QEMU installations to non-Program Files directories by package managers or portable application setups

CrowdStrike LogScale (CQL)

cql

#event_simpleName="ProcessRollup2"
| ImageFileName = /(?i)(VBoxHeadless|VBoxManage|VBoxSVC|VirtualBox|VBoxSDL|qemu-system-x86_64|qemu-system-i386|qemu-system-aarch64|qemu-img|vmrun|WindowsSandbox)\.exe$/
  OR CommandLine = /(?i)\.wsb/
| eval HeadlessMode = if(CommandLine = /(?i)(--headless|--type\s+headless|--startvm|-headless|-nographic)/, 1, 0)
| eval SharedFolderConfig = if(CommandLine = /(?i)(sharedfolder\s+add|MappedFolder|sharedlocation|-virtfs|--shared)/, 1, 0)
| eval SuspiciousParent = if(ParentBaseFileName = /(?i)^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|schtasks|winword|excel|outlook|acrord32)\.exe$/, 1, 0)
| eval UnexpectedPath = if(ImageFileName != /(?i)(Program Files\\(Oracle|VMware|QEMU|Windows Sandbox)|Windows\\System32|Windows\\SysWOW64)/, 1, 0)
| eval WsbInvocation = if(CommandLine = /(?i)\.wsb/, 1, 0)
| eval SuspicionScore = HeadlessMode + SharedFolderConfig + SuspiciousParent + UnexpectedPath + WsbInvocation
| where SuspicionScore > 0
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, HeadlessMode, SharedFolderConfig, SuspiciousParent, UnexpectedPath, WsbInvocation, SuspicionScore], function=count(as=EventCount))
| sort(SuspicionScore, order=desc)
| select([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, HeadlessMode, SharedFolderConfig, SuspiciousParent, UnexpectedPath, WsbInvocation, SuspicionScore, EventCount])

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint (ProcessRollup2) Falcon Data Replicator (FDR)

Required Tables

ProcessRollup2

False Positives

Managed service providers using VBoxManage.exe or vmrun.exe via remote management scripts that execute through cmd.exe or PowerShell on endpoints
Security product testing workflows where WindowsSandbox.exe is invoked programmatically via schtasks.exe or scripting engines for automated environment provisioning
Portable QEMU installations placed in user-writable directories by security researchers or CTF participants on managed endpoints

Last updated: 2026-04-21 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1564.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Run Virtual Instance

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections