T1564.006 Microsoft Sentinel · KQL

Detect Run Virtual Instance in Microsoft Sentinel

Adversaries may carry out malicious operations using a virtual instance to avoid detection. By running malicious code inside a VM, adversaries hide artifacts from security tools that cannot monitor guest activity. Ransomware groups (Maze, Ragnar Locker) used VirtualBox with shared folders mapped to host drives to encrypt files while evading endpoint protection. LoudMiner ran XMRig inside QEMU/VirtualBox Linux VMs for cryptomining. On ESXi, adversaries create rogue VMs via /bin/vmx directly, bypassing vCenter visibility checks. Windows Sandbox .wsb configuration files support LogonCommand payloads and MappedFolder host filesystem access, abused by MirrorFace APT. The CronTrap campaign used QEMU to stage malware inside emulated Linux environments on Windows hosts.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1564 Hide Artifacts
Sub-technique
T1564.006 Run Virtual Instance
Canonical reference
https://attack.mitre.org/techniques/T1564/006/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let VirtBinaries = dynamic([
    "VBoxHeadless.exe", "VBoxSVC.exe", "VBoxManage.exe", "VirtualBox.exe", "VBoxSDL.exe",
    "qemu-system-x86_64.exe", "qemu-system-i386.exe", "qemu-system-aarch64.exe",
    "qemu-img.exe", "vmrun.exe", "WindowsSandbox.exe"
]);
let SuspiciousParents = dynamic([
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "schtasks.exe",
    "winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"
]);
let LegitPaths = dynamic([
    "\\Program Files\\Oracle\\",
    "\\Program Files (x86)\\Oracle\\",
    "\\Program Files\\VMware\\",
    "\\Program Files (x86)\\VMware\\",
    "\\Program Files\\QEMU\\",
    "\\Windows\\System32\\",
    "\\Windows\\SysWOW64\\"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName has_any (VirtBinaries)
      or (ProcessCommandLine has ".wsb" and FileName !~ "explorer.exe")
| extend HeadlessMode = ProcessCommandLine has_any ("--headless", "--type headless", "--startvm", "-headless", "-nographic")
| extend SharedFolderConfig = ProcessCommandLine has_any ("sharedfolder add", "MappedFolder", "sharedlocation", "-virtfs", "--shared")
| extend SuspiciousParent = InitiatingProcessFileName has_any (SuspiciousParents)
| extend UnexpectedPath = FileName has_any (VirtBinaries) and not(FolderPath has_any (LegitPaths))
| extend WsbInvocation = ProcessCommandLine has ".wsb"
| extend SuspicionScore = toint(HeadlessMode) + toint(SharedFolderConfig)
      + toint(SuspiciousParent) + toint(UnexpectedPath) + toint(WsbInvocation)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine,
         HeadlessMode, SharedFolderConfig, SuspiciousParent, UnexpectedPath, WsbInvocation, SuspicionScore
| sort by SuspicionScore desc, Timestamp desc
high severity medium confidence

Detects virtualization software execution on Windows endpoints using Microsoft Defender for Endpoint DeviceProcessEvents. Identifies VirtualBox (VBoxHeadless, VBoxManage, VBoxSVC), QEMU, VMware vmrun, and Windows Sandbox execution. Scores alerts across four indicators: headless/nographic mode (preferred by ransomware operators), shared folder configuration (used to access host filesystem), execution from unexpected parent processes (document editors, scripting hosts), and binaries running outside standard installation paths. Windows Sandbox .wsb file invocations are flagged separately as a lower-prevalence but high-fidelity indicator.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Developers and QA engineers running VirtualBox or VMware Workstation headlessly as part of automated build/test pipelines (e.g., Vagrant, Packer)
  • IT administrators using VBoxManage to manage shared folders for legitimate remote work or file transfer workflows
  • Security researchers or blue teams running malware analysis VMs headlessly in an isolated lab environment
  • Enterprise sandbox solutions (Bromium, Sandboxie) that legitimately invoke virtualization components from management processes
  • Windows Sandbox used for legitimate application compatibility testing or software evaluation by power users
Download portable Sigma rule (.yml)

Other platforms for T1564.006

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows Sandbox .wsb Execution with MappedFolder and LogonCommand

    Expected signal: Sysmon Event ID 1: Process Create with Image=WindowsSandbox.exe, CommandLine containing 'argus_test_T1564006.wsb'. Sysmon Event ID 11: File Create for the .wsb file in %TEMP%. Security Event ID 4688 (if command-line auditing enabled) for the PowerShell process writing the .wsb file.

  2. Test 2VBoxManage Shared Folder Add Targeting Host Root Drive

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe, CommandLine containing 'sharedfolder add' and '--hostpath C:\' and '--automount'. The command returns an error (VM not found) but the process creation event is generated.

  3. Test 3QEMU Headless Execution from Non-Standard Path

    Expected signal: Sysmon Event ID 11: File Create for svchost32.exe in %TEMP% (copy of QEMU binary). Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost32.exe, CommandLine containing '-nographic -m 64 -snapshot'. The QEMU binary copy will also generate a DeviceFileEvents entry in MDE.

  4. Test 4QEMU Virtual Machine Execution on Linux

    Expected signal: Syslog/auditd: process creation for qemu-system-x86_64 with arguments '-m 64 -nographic -snapshot -hda /dev/null'. Linux auditd EXECVE syscall event showing full argument list. If using Defender for Endpoint Linux agent: DeviceProcessEvents entry with FileName=qemu-system-x86_64 and ProcessCommandLine containing '-nographic'.

Last updated: 2026-04-21 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1564.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1564Hide Artifacts

Related Sub-techniques

T1564.001Hidden Files and DirectoriesT1564.002Hidden UsersT1564.003Hidden WindowT1564.004NTFS File AttributesT1564.005Hidden File SystemT1564.007VBA StompingT1564.008Email Hiding RulesT1564.009Resource ForkingT1564.010Process Argument SpoofingT1564.011Ignore Process InterruptsT1564.012File/Path ExclusionsT1564.013Bind MountsT1564.014Extended Attributes

Related Techniques

T1564Hide ArtifactsT1037.004RC ScriptsT1486Data Encrypted for ImpactT1496Resource HijackingT1105Ingress Tool TransferT1027Obfuscated Files or InformationT1562.001Disable or Modify ToolsT1204.002Malicious FileT1543.003Windows Service

Same Tactic: Defense Evasion

Popular Detections