Detect Run Virtual Instance in Elastic Security
Adversaries may carry out malicious operations using a virtual instance to avoid detection. By running malicious code inside a VM, adversaries hide artifacts from security tools that cannot monitor guest activity. Ransomware groups (Maze, Ragnar Locker) used VirtualBox with shared folders mapped to host drives to encrypt files while evading endpoint protection. LoudMiner ran XMRig inside QEMU/VirtualBox Linux VMs for cryptomining. On ESXi, adversaries create rogue VMs via /bin/vmx directly, bypassing vCenter visibility checks. Windows Sandbox .wsb configuration files support LogonCommand payloads and MappedFolder host filesystem access, abused by MirrorFace APT. The CronTrap campaign used QEMU to stage malware inside emulated Linux environments on Windows hosts.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.006 Run Virtual Instance
- Canonical reference
- https://attack.mitre.org/techniques/T1564/006/
Elastic Detection Query
process where event.type == "start" and (
process.name in ("VBoxHeadless.exe", "VBoxSVC.exe", "VBoxManage.exe", "VirtualBox.exe", "VBoxSDL.exe",
"qemu-system-x86_64.exe", "qemu-system-i386.exe", "qemu-system-aarch64.exe",
"qemu-img.exe", "vmrun.exe", "WindowsSandbox.exe")
or process.args : ("*.wsb")
) and not process.executable : (
"C:\\Program Files\\Oracle\\*",
"C:\\Program Files (x86)\\Oracle\\*",
"C:\\Program Files\\VMware\\*",
"C:\\Program Files (x86)\\VMware\\*",
"C:\\Program Files\\QEMU\\*",
"C:\\Windows\\System32\\*",
"C:\\Windows\\SysWOW64\\*"
)
| eval headless_mode = process.args : ("*--headless*", "*--type headless*", "*--startvm*", "*-headless*", "*-nographic*")
| eval shared_folder = process.args : ("*sharedfolder add*", "*MappedFolder*", "*sharedlocation*", "*-virtfs*", "*--shared*")
| eval suspicious_parent = process.parent.name in ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
"cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
"schtasks.exe", "winword.exe", "excel.exe", "outlook.exe", "acrord32.exe")Detects execution of virtualization binaries (VirtualBox, QEMU, VMware, Windows Sandbox) from unexpected paths or spawned by suspicious parent processes, indicative of adversaries using virtual instances to evade endpoint detection. Scores each event for headless mode, shared folder config, suspicious parent, unexpected install path, and .wsb invocation.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate developers running VirtualBox or QEMU from non-standard directories during development or testing
- IT administrators using vmrun.exe or VBoxManage.exe via automation scripts (PowerShell/CMD) for infrastructure provisioning
- Security researchers or sandboxing platforms legitimately invoking Windows Sandbox (.wsb files) from scripted workflows
Other platforms for T1564.006
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows Sandbox .wsb Execution with MappedFolder and LogonCommand
Expected signal: Sysmon Event ID 1: Process Create with Image=WindowsSandbox.exe, CommandLine containing 'argus_test_T1564006.wsb'. Sysmon Event ID 11: File Create for the .wsb file in %TEMP%. Security Event ID 4688 (if command-line auditing enabled) for the PowerShell process writing the .wsb file.
- Test 2VBoxManage Shared Folder Add Targeting Host Root Drive
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe, CommandLine containing 'sharedfolder add' and '--hostpath C:\' and '--automount'. The command returns an error (VM not found) but the process creation event is generated.
- Test 3QEMU Headless Execution from Non-Standard Path
Expected signal: Sysmon Event ID 11: File Create for svchost32.exe in %TEMP% (copy of QEMU binary). Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost32.exe, CommandLine containing '-nographic -m 64 -snapshot'. The QEMU binary copy will also generate a DeviceFileEvents entry in MDE.
- Test 4QEMU Virtual Machine Execution on Linux
Expected signal: Syslog/auditd: process creation for qemu-system-x86_64 with arguments '-m 64 -nographic -snapshot -hda /dev/null'. Linux auditd EXECVE syscall event showing full argument list. If using Defender for Endpoint Linux agent: DeviceProcessEvents entry with FileName=qemu-system-x86_64 and ProcessCommandLine containing '-nographic'.
References (10)
- https://attack.mitre.org/techniques/T1564/006/
- https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
- https://cybercx.com.au/blog/akira-ransomware/
- https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/
- https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/
- https://medium.com/mitre-engenuity/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion-4ea647b83f5b
- https://vninja.net/2024/11/11/beware-of-the-rogue-vms/
- https://blog-en.itochuci.co.jp/entry/2025/03/12/140000
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md
- https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file
Unlock Pro Content
Get the full detection package for T1564.006 including response playbook, investigation guide, and atomic red team tests.