Detect Run Virtual Instance in CrowdStrike LogScale
Adversaries may carry out malicious operations using a virtual instance to avoid detection. By running malicious code inside a VM, adversaries hide artifacts from security tools that cannot monitor guest activity. Ransomware groups (Maze, Ragnar Locker) used VirtualBox with shared folders mapped to host drives to encrypt files while evading endpoint protection. LoudMiner ran XMRig inside QEMU/VirtualBox Linux VMs for cryptomining. On ESXi, adversaries create rogue VMs via /bin/vmx directly, bypassing vCenter visibility checks. Windows Sandbox .wsb configuration files support LogonCommand payloads and MappedFolder host filesystem access, abused by MirrorFace APT. The CronTrap campaign used QEMU to stage malware inside emulated Linux environments on Windows hosts.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.006 Run Virtual Instance
- Canonical reference
- https://attack.mitre.org/techniques/T1564/006/
LogScale Detection Query
#event_simpleName="ProcessRollup2"
| ImageFileName = /(?i)(VBoxHeadless|VBoxManage|VBoxSVC|VirtualBox|VBoxSDL|qemu-system-x86_64|qemu-system-i386|qemu-system-aarch64|qemu-img|vmrun|WindowsSandbox)\.exe$/
OR CommandLine = /(?i)\.wsb/
| eval HeadlessMode = if(CommandLine = /(?i)(--headless|--type\s+headless|--startvm|-headless|-nographic)/, 1, 0)
| eval SharedFolderConfig = if(CommandLine = /(?i)(sharedfolder\s+add|MappedFolder|sharedlocation|-virtfs|--shared)/, 1, 0)
| eval SuspiciousParent = if(ParentBaseFileName = /(?i)^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|schtasks|winword|excel|outlook|acrord32)\.exe$/, 1, 0)
| eval UnexpectedPath = if(ImageFileName != /(?i)(Program Files\\(Oracle|VMware|QEMU|Windows Sandbox)|Windows\\System32|Windows\\SysWOW64)/, 1, 0)
| eval WsbInvocation = if(CommandLine = /(?i)\.wsb/, 1, 0)
| eval SuspicionScore = HeadlessMode + SharedFolderConfig + SuspiciousParent + UnexpectedPath + WsbInvocation
| where SuspicionScore > 0
| groupBy([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, HeadlessMode, SharedFolderConfig, SuspiciousParent, UnexpectedPath, WsbInvocation, SuspicionScore], function=count(as=EventCount))
| sort(SuspicionScore, order=desc)
| select([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, HeadlessMode, SharedFolderConfig, SuspiciousParent, UnexpectedPath, WsbInvocation, SuspicionScore, EventCount])CrowdStrike LogScale (Falcon CQL) query using ProcessRollup2 events to detect virtual instance execution (VirtualBox, QEMU, VMware, Windows Sandbox) indicative of T1564.006 defense evasion. Applies risk scoring for headless execution, shared folder mapping, suspicious parent process, non-standard path, and .wsb invocation using Falcon telemetry fields.
Data Sources
Required Tables
False Positives & Tuning
- Managed service providers using VBoxManage.exe or vmrun.exe via remote management scripts that execute through cmd.exe or PowerShell on endpoints
- Security product testing workflows where WindowsSandbox.exe is invoked programmatically via schtasks.exe or scripting engines for automated environment provisioning
- Portable QEMU installations placed in user-writable directories by security researchers or CTF participants on managed endpoints
Other platforms for T1564.006
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows Sandbox .wsb Execution with MappedFolder and LogonCommand
Expected signal: Sysmon Event ID 1: Process Create with Image=WindowsSandbox.exe, CommandLine containing 'argus_test_T1564006.wsb'. Sysmon Event ID 11: File Create for the .wsb file in %TEMP%. Security Event ID 4688 (if command-line auditing enabled) for the PowerShell process writing the .wsb file.
- Test 2VBoxManage Shared Folder Add Targeting Host Root Drive
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe, CommandLine containing 'sharedfolder add' and '--hostpath C:\' and '--automount'. The command returns an error (VM not found) but the process creation event is generated.
- Test 3QEMU Headless Execution from Non-Standard Path
Expected signal: Sysmon Event ID 11: File Create for svchost32.exe in %TEMP% (copy of QEMU binary). Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost32.exe, CommandLine containing '-nographic -m 64 -snapshot'. The QEMU binary copy will also generate a DeviceFileEvents entry in MDE.
- Test 4QEMU Virtual Machine Execution on Linux
Expected signal: Syslog/auditd: process creation for qemu-system-x86_64 with arguments '-m 64 -nographic -snapshot -hda /dev/null'. Linux auditd EXECVE syscall event showing full argument list. If using Defender for Endpoint Linux agent: DeviceProcessEvents entry with FileName=qemu-system-x86_64 and ProcessCommandLine containing '-nographic'.
References (10)
- https://attack.mitre.org/techniques/T1564/006/
- https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
- https://cybercx.com.au/blog/akira-ransomware/
- https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/
- https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/
- https://medium.com/mitre-engenuity/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion-4ea647b83f5b
- https://vninja.net/2024/11/11/beware-of-the-rogue-vms/
- https://blog-en.itochuci.co.jp/entry/2025/03/12/140000
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md
- https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file
Unlock Pro Content
Get the full detection package for T1564.006 including response playbook, investigation guide, and atomic red team tests.