T1564.006 Google Chronicle · YARA-L

Detect Run Virtual Instance in Google Chronicle

Adversaries may carry out malicious operations using a virtual instance to avoid detection. By running malicious code inside a VM, adversaries hide artifacts from security tools that cannot monitor guest activity. Ransomware groups (Maze, Ragnar Locker) used VirtualBox with shared folders mapped to host drives to encrypt files while evading endpoint protection. LoudMiner ran XMRig inside QEMU/VirtualBox Linux VMs for cryptomining. On ESXi, adversaries create rogue VMs via /bin/vmx directly, bypassing vCenter visibility checks. Windows Sandbox .wsb configuration files support LogonCommand payloads and MappedFolder host filesystem access, abused by MirrorFace APT. The CronTrap campaign used QEMU to stage malware inside emulated Linux environments on Windows hosts.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1564 Hide Artifacts
Sub-technique
T1564.006 Run Virtual Instance
Canonical reference
https://attack.mitre.org/techniques/T1564/006/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule t1564_006_run_virtual_instance {
  meta:
    author = "df00tech"
    description = "Detects execution of virtualization binaries (VirtualBox, QEMU, VMware, Windows Sandbox) from unexpected paths or spawned by suspicious parents, indicative of T1564.006 Run Virtual Instance evasion."
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1564.006"
    severity = "HIGH"
    confidence = "HIGH"
    version = "1.0"
    created = "2026-04-21"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)(VBoxHeadless|VBoxManage|VBoxSVC|VirtualBox|VBoxSDL|qemu-system-x86_64|qemu-system-i386|qemu-system-aarch64|qemu-img|vmrun|WindowsSandbox)\.exe$`)
      or re.regex($e.target.process.command_line, `(?i)\.wsb`)
    )
    not re.regex($e.target.process.file.full_path, `(?i)(Program Files\\(Oracle|VMware|QEMU|Windows Sandbox)|Windows\\System32|Windows\\SysWOW64)`)

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if(re.regex($e.target.process.command_line, `(?i)(--headless|--type\s+headless|--startvm|-headless|-nographic)`), 20, 0) +
      if(re.regex($e.target.process.command_line, `(?i)(sharedfolder\s+add|MappedFolder|sharedlocation|-virtfs|--shared)`), 25, 0) +
      if(re.regex($e.principal.process.file.full_path, `(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|winword|excel|outlook|acrord32)\.exe$`), 30, 0) +
      if(re.regex($e.target.process.command_line, `(?i)\.wsb`), 20, 0) +
      5
    )
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $process_path = $e.target.process.file.full_path
    $command_line = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path

  condition:
    $e and $risk_score >= 25
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting virtual instance execution for defense evasion (T1564.006). Matches PROCESS_LAUNCH events where virtualization binaries run from non-standard paths or are invoked by suspicious parent processes. Uses UDM fields with risk scoring for headless mode, shared folder access, suspicious parent chain, and .wsb invocation.

Data Sources

Google Chronicle UDMWindows Event Logs forwarded to ChronicleChronicle Forwarder (Sysmon)

Required Tables

UDM Events (PROCESS_LAUNCH type)

False Positives & Tuning

  • Legitimate virtualization administrators running VBoxManage or QEMU commands via scripted automation tools that appear in the suspicious parent list
  • Software testing pipelines that invoke Windows Sandbox .wsb configurations from build automation scripts (cmd.exe or PowerShell)
  • Custom VirtualBox or QEMU installations to non-Program Files directories by package managers or portable application setups
Download portable Sigma rule (.yml)

Other platforms for T1564.006

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows Sandbox .wsb Execution with MappedFolder and LogonCommand

    Expected signal: Sysmon Event ID 1: Process Create with Image=WindowsSandbox.exe, CommandLine containing 'argus_test_T1564006.wsb'. Sysmon Event ID 11: File Create for the .wsb file in %TEMP%. Security Event ID 4688 (if command-line auditing enabled) for the PowerShell process writing the .wsb file.

  2. Test 2VBoxManage Shared Folder Add Targeting Host Root Drive

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe, CommandLine containing 'sharedfolder add' and '--hostpath C:\' and '--automount'. The command returns an error (VM not found) but the process creation event is generated.

  3. Test 3QEMU Headless Execution from Non-Standard Path

    Expected signal: Sysmon Event ID 11: File Create for svchost32.exe in %TEMP% (copy of QEMU binary). Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost32.exe, CommandLine containing '-nographic -m 64 -snapshot'. The QEMU binary copy will also generate a DeviceFileEvents entry in MDE.

  4. Test 4QEMU Virtual Machine Execution on Linux

    Expected signal: Syslog/auditd: process creation for qemu-system-x86_64 with arguments '-m 64 -nographic -snapshot -hda /dev/null'. Linux auditd EXECVE syscall event showing full argument list. If using Defender for Endpoint Linux agent: DeviceProcessEvents entry with FileName=qemu-system-x86_64 and ProcessCommandLine containing '-nographic'.

Last updated: 2026-04-21 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1564.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1564Hide Artifacts

Related Sub-techniques

T1564.001Hidden Files and DirectoriesT1564.002Hidden UsersT1564.003Hidden WindowT1564.004NTFS File AttributesT1564.005Hidden File SystemT1564.007VBA StompingT1564.008Email Hiding RulesT1564.009Resource ForkingT1564.010Process Argument SpoofingT1564.011Ignore Process InterruptsT1564.012File/Path ExclusionsT1564.013Bind MountsT1564.014Extended Attributes

Related Techniques

T1564Hide ArtifactsT1037.004RC ScriptsT1486Data Encrypted for ImpactT1496Resource HijackingT1105Ingress Tool TransferT1027Obfuscated Files or InformationT1562.001Disable or Modify ToolsT1204.002Malicious FileT1543.003Windows Service

Same Tactic: Defense Evasion

Popular Detections