T1564.006 Splunk · SPL

Detect Run Virtual Instance in Splunk

Adversaries may carry out malicious operations using a virtual instance to avoid detection. By running malicious code inside a VM, adversaries hide artifacts from security tools that cannot monitor guest activity. Ransomware groups (Maze, Ragnar Locker) used VirtualBox with shared folders mapped to host drives to encrypt files while evading endpoint protection. LoudMiner ran XMRig inside QEMU/VirtualBox Linux VMs for cryptomining. On ESXi, adversaries create rogue VMs via /bin/vmx directly, bypassing vCenter visibility checks. Windows Sandbox .wsb configuration files support LogonCommand payloads and MappedFolder host filesystem access, abused by MirrorFace APT. The CronTrap campaign used QEMU to stage malware inside emulated Linux environments on Windows hosts.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1564 Hide Artifacts
Sub-technique
T1564.006 Run Virtual Instance
Canonical reference
https://attack.mitre.org/techniques/T1564/006/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (Image="*\\VBoxHeadless.exe" OR Image="*\\VBoxManage.exe" OR Image="*\\VBoxSVC.exe"
   OR Image="*\\VirtualBox.exe" OR Image="*\\VBoxSDL.exe"
   OR Image="*\\qemu-system-x86_64.exe" OR Image="*\\qemu-system-i386.exe"
   OR Image="*\\qemu-system-aarch64.exe" OR Image="*\\qemu-img.exe"
   OR Image="*\\vmrun.exe" OR Image="*\\WindowsSandbox.exe"
   OR CommandLine="*.wsb*")
| eval HeadlessMode=if(match(CommandLine, "(--headless|--type\s+headless|--startvm|-headless|-nographic)"), 1, 0)
| eval SharedFolderConfig=if(match(CommandLine, "(sharedfolder\s+add|MappedFolder|sharedlocation|-virtfs|--shared)"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(\\\\powershell\.exe$|\\\\pwsh\.exe$|\\\\cmd\.exe$|\\\\wscript\.exe$|\\\\cscript\.exe$|\\\\mshta\.exe$|\\\\rundll32\.exe$|\\\\regsvr32\.exe$|\\\\winword\.exe$|\\\\excel\.exe$|\\\\outlook\.exe$|\\\\acrord32\.exe$)"), 1, 0)
| eval UnexpectedPath=if(NOT match(Image, "(?i)(\\\\Program Files\\\\(Oracle|VMware|QEMU|Windows Sandbox)|\\\\Windows\\\\System32|\\\\Windows\\\\SysWOW64)"), 1, 0)
| eval WsbInvocation=if(match(CommandLine, "(?i)\.wsb"), 1, 0)
| eval SuspicionScore=HeadlessMode + SharedFolderConfig + SuspiciousParent + UnexpectedPath + WsbInvocation
| where SuspicionScore > 0
| table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, HeadlessMode, SharedFolderConfig, SuspiciousParent, UnexpectedPath, WsbInvocation, SuspicionScore
| sort - SuspicionScore, - _time
high severity medium confidence

Detects virtual instance execution using Sysmon Event ID 1 (Process Creation). Covers VirtualBox, QEMU, VMware vmrun, and Windows Sandbox invocations. Assigns a cumulative suspicion score across five indicators: headless/nographic mode, shared folder configuration commands, suspicious parent processes (script hosts, Office apps), binary execution outside standard install paths, and .wsb file invocations. Score > 1 indicates high-confidence malicious activity; score = 1 may reflect legitimate developer tooling requiring analyst review.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Developers and QA engineers running VirtualBox or VMware Workstation headlessly as part of automated build/test pipelines (e.g., Vagrant, Packer)
  • IT administrators using VBoxManage to manage shared folders for legitimate remote work or file transfer workflows
  • Security researchers or blue teams running malware analysis VMs headlessly in an isolated lab environment
  • Enterprise sandbox solutions (Bromium, Sandboxie) that legitimately invoke virtualization components from management processes
  • Windows Sandbox used for legitimate application compatibility testing or software evaluation by power users
Download portable Sigma rule (.yml)

Other platforms for T1564.006

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows Sandbox .wsb Execution with MappedFolder and LogonCommand

    Expected signal: Sysmon Event ID 1: Process Create with Image=WindowsSandbox.exe, CommandLine containing 'argus_test_T1564006.wsb'. Sysmon Event ID 11: File Create for the .wsb file in %TEMP%. Security Event ID 4688 (if command-line auditing enabled) for the PowerShell process writing the .wsb file.

  2. Test 2VBoxManage Shared Folder Add Targeting Host Root Drive

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe, CommandLine containing 'sharedfolder add' and '--hostpath C:\' and '--automount'. The command returns an error (VM not found) but the process creation event is generated.

  3. Test 3QEMU Headless Execution from Non-Standard Path

    Expected signal: Sysmon Event ID 11: File Create for svchost32.exe in %TEMP% (copy of QEMU binary). Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost32.exe, CommandLine containing '-nographic -m 64 -snapshot'. The QEMU binary copy will also generate a DeviceFileEvents entry in MDE.

  4. Test 4QEMU Virtual Machine Execution on Linux

    Expected signal: Syslog/auditd: process creation for qemu-system-x86_64 with arguments '-m 64 -nographic -snapshot -hda /dev/null'. Linux auditd EXECVE syscall event showing full argument list. If using Defender for Endpoint Linux agent: DeviceProcessEvents entry with FileName=qemu-system-x86_64 and ProcessCommandLine containing '-nographic'.

Last updated: 2026-04-21 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1564.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1564Hide Artifacts

Related Sub-techniques

T1564.001Hidden Files and DirectoriesT1564.002Hidden UsersT1564.003Hidden WindowT1564.004NTFS File AttributesT1564.005Hidden File SystemT1564.007VBA StompingT1564.008Email Hiding RulesT1564.009Resource ForkingT1564.010Process Argument SpoofingT1564.011Ignore Process InterruptsT1564.012File/Path ExclusionsT1564.013Bind MountsT1564.014Extended Attributes

Related Techniques

T1564Hide ArtifactsT1037.004RC ScriptsT1486Data Encrypted for ImpactT1496Resource HijackingT1105Ingress Tool TransferT1027Obfuscated Files or InformationT1562.001Disable or Modify ToolsT1204.002Malicious FileT1543.003Windows Service

Same Tactic: Defense Evasion

Popular Detections