Detect Run Virtual Instance in IBM QRadar
Adversaries may carry out malicious operations using a virtual instance to avoid detection. By running malicious code inside a VM, adversaries hide artifacts from security tools that cannot monitor guest activity. Ransomware groups (Maze, Ragnar Locker) used VirtualBox with shared folders mapped to host drives to encrypt files while evading endpoint protection. LoudMiner ran XMRig inside QEMU/VirtualBox Linux VMs for cryptomining. On ESXi, adversaries create rogue VMs via /bin/vmx directly, bypassing vCenter visibility checks. Windows Sandbox .wsb configuration files support LogonCommand payloads and MappedFolder host filesystem access, abused by MirrorFace APT. The CronTrap campaign used QEMU to stage malware inside emulated Linux environments on Windows hosts.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1564 Hide Artifacts
- Sub-technique
- T1564.006 Run Virtual Instance
- Canonical reference
- https://attack.mitre.org/techniques/T1564/006/
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourceid,
LOGSOURCENAME(logsourceid) AS log_source,
sourceip,
username,
QIDNAME(qid) AS event_name,
"processname",
"commandline",
"parentprocessname",
CASE
WHEN LOWER("commandline") MATCHES '.*(--(headless|type headless|startvm)|-headless|-nographic).*' THEN 1
ELSE 0
END AS headless_mode,
CASE
WHEN LOWER("commandline") MATCHES '.*(sharedfolder add|mappedfolder|sharedlocation|-virtfs|--shared).*' THEN 1
ELSE 0
END AS shared_folder_config,
CASE
WHEN LOWER("parentprocessname") MATCHES '.*(powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|winword\.exe|excel\.exe|outlook\.exe|acrord32\.exe)' THEN 1
ELSE 0
END AS suspicious_parent,
CASE
WHEN LOWER("processname") MATCHES '.*(vboxheadless|vboxmanage|vboxsvc|virtualbox|vboxsdl|qemu-system|qemu-img|vmrun|windowssandbox)\.exe'
AND NOT LOWER("processpath") MATCHES '.*(program files\\(oracle|vmware|qemu|windows sandbox)|windows\\system32|windows\\syswow64).*' THEN 1
ELSE 0
END AS unexpected_path,
CASE
WHEN LOWER("commandline") MATCHES '.*\.wsb.*' THEN 1
ELSE 0
END AS wsb_invocation
FROM events
WHERE
LOGSOURCETYPEID IN (12, 13, 14, 15) -- Windows Security/Sysmon log sources
AND (
LOWER("processname") MATCHES '.*(vboxheadless|vboxmanage|vboxsvc|virtualbox|vboxsdl|qemu-system-x86_64|qemu-system-i386|qemu-system-aarch64|qemu-img|vmrun|windowssandbox)\.exe'
OR LOWER("commandline") MATCHES '.*\.wsb.*'
)
AND devicetime > (CURRENT_TIMESTAMP - 86400000)
ORDER BY
(headless_mode + shared_folder_config + suspicious_parent + unexpected_path + wsb_invocation) DESC,
devicetime DESC
LAST 24 HOURSQRadar AQL query detecting virtual instance execution (VirtualBox, QEMU, VMware, Windows Sandbox) with risk scoring for headless mode, shared folder configuration, suspicious parent process, unexpected installation path, and .wsb file invocation. Targets Windows Security and Sysmon log sources.
Data Sources
Required Tables
False Positives & Tuning
- Enterprise virtual desktop infrastructure (VDI) solutions that legitimately execute VBoxHeadless.exe or vmrun.exe from automated management scripts
- Developer workstations with VirtualBox or QEMU installed to non-default paths by package managers (Chocolatey, Scoop, winget)
- Security operations platforms that use Windows Sandbox .wsb configurations for malware detonation in a controlled manner
Other platforms for T1564.006
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Windows Sandbox .wsb Execution with MappedFolder and LogonCommand
Expected signal: Sysmon Event ID 1: Process Create with Image=WindowsSandbox.exe, CommandLine containing 'argus_test_T1564006.wsb'. Sysmon Event ID 11: File Create for the .wsb file in %TEMP%. Security Event ID 4688 (if command-line auditing enabled) for the PowerShell process writing the .wsb file.
- Test 2VBoxManage Shared Folder Add Targeting Host Root Drive
Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe, CommandLine containing 'sharedfolder add' and '--hostpath C:\' and '--automount'. The command returns an error (VM not found) but the process creation event is generated.
- Test 3QEMU Headless Execution from Non-Standard Path
Expected signal: Sysmon Event ID 11: File Create for svchost32.exe in %TEMP% (copy of QEMU binary). Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost32.exe, CommandLine containing '-nographic -m 64 -snapshot'. The QEMU binary copy will also generate a DeviceFileEvents entry in MDE.
- Test 4QEMU Virtual Machine Execution on Linux
Expected signal: Syslog/auditd: process creation for qemu-system-x86_64 with arguments '-m 64 -nographic -snapshot -hda /dev/null'. Linux auditd EXECVE syscall event showing full argument list. If using Defender for Endpoint Linux agent: DeviceProcessEvents entry with FileName=qemu-system-x86_64 and ProcessCommandLine containing '-nographic'.
References (10)
- https://attack.mitre.org/techniques/T1564/006/
- https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
- https://cybercx.com.au/blog/akira-ransomware/
- https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/
- https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/
- https://medium.com/mitre-engenuity/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion-4ea647b83f5b
- https://vninja.net/2024/11/11/beware-of-the-rogue-vms/
- https://blog-en.itochuci.co.jp/entry/2025/03/12/140000
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md
- https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file
Unlock Pro Content
Get the full detection package for T1564.006 including response playbook, investigation guide, and atomic red team tests.