T1564.006 Sumo Logic CSE · Sumo

Detect Run Virtual Instance in Sumo Logic CSE

Adversaries may carry out malicious operations using a virtual instance to avoid detection. By running malicious code inside a VM, adversaries hide artifacts from security tools that cannot monitor guest activity. Ransomware groups (Maze, Ragnar Locker) used VirtualBox with shared folders mapped to host drives to encrypt files while evading endpoint protection. LoudMiner ran XMRig inside QEMU/VirtualBox Linux VMs for cryptomining. On ESXi, adversaries create rogue VMs via /bin/vmx directly, bypassing vCenter visibility checks. Windows Sandbox .wsb configuration files support LogonCommand payloads and MappedFolder host filesystem access, abused by MirrorFace APT. The CronTrap campaign used QEMU to stage malware inside emulated Linux environments on Windows hosts.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1564 Hide Artifacts
Sub-technique
T1564.006 Run Virtual Instance
Canonical reference
https://attack.mitre.org/techniques/T1564/006/

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory="windows/sysmon" OR _sourceCategory="windows/security"
| where EventID = "1" or EventID = "4688"
| where (
    Image matches "*\\VBoxHeadless.exe" OR Image matches "*\\VBoxManage.exe" OR
    Image matches "*\\VBoxSVC.exe" OR Image matches "*\\VirtualBox.exe" OR
    Image matches "*\\VBoxSDL.exe" OR Image matches "*\\qemu-system-x86_64.exe" OR
    Image matches "*\\qemu-system-i386.exe" OR Image matches "*\\qemu-system-aarch64.exe" OR
    Image matches "*\\qemu-img.exe" OR Image matches "*\\vmrun.exe" OR
    Image matches "*\\WindowsSandbox.exe" OR CommandLine matches "*.wsb*"
  )
| eval headless_mode = if(CommandLine matches "*--headless*" OR CommandLine matches "*--type headless*" OR
                          CommandLine matches "*--startvm*" OR CommandLine matches "*-headless*" OR
                          CommandLine matches "*-nographic*", 1, 0)
| eval shared_folder = if(CommandLine matches "*sharedfolder add*" OR CommandLine matches "*MappedFolder*" OR
                          CommandLine matches "*sharedlocation*" OR CommandLine matches "*-virtfs*" OR
                          CommandLine matches "*--shared*", 1, 0)
| eval suspicious_parent = if(ParentImage matches "*\\powershell.exe" OR ParentImage matches "*\\pwsh.exe" OR
                               ParentImage matches "*\\cmd.exe" OR ParentImage matches "*\\wscript.exe" OR
                               ParentImage matches "*\\cscript.exe" OR ParentImage matches "*\\mshta.exe" OR
                               ParentImage matches "*\\rundll32.exe" OR ParentImage matches "*\\regsvr32.exe" OR
                               ParentImage matches "*\\winword.exe" OR ParentImage matches "*\\excel.exe" OR
                               ParentImage matches "*\\outlook.exe" OR ParentImage matches "*\\acrord32.exe", 1, 0)
| eval unexpected_path = if(
    !(Image matches "*\\Program Files\\Oracle\\*" OR Image matches "*\\Program Files (x86)\\Oracle\\*" OR
      Image matches "*\\Program Files\\VMware\\*" OR Image matches "*\\Program Files\\QEMU\\*" OR
      Image matches "*\\Windows\\System32\\*" OR Image matches "*\\Windows\\SysWOW64\\*"), 1, 0)
| eval wsb_invocation = if(CommandLine matches "*.wsb*", 1, 0)
| eval suspicion_score = headless_mode + shared_folder + suspicious_parent + unexpected_path + wsb_invocation
| where suspicion_score > 0
| fields _time, Computer, User, Image, CommandLine, ParentImage, ParentCommandLine, headless_mode, shared_folder, suspicious_parent, unexpected_path, wsb_invocation, suspicion_score
| sort by suspicion_score desc, _time desc
high severity high confidence

Sumo Logic CSE query detecting virtual machine execution (VirtualBox, QEMU, VMware, Windows Sandbox) using Sysmon Event ID 1 or Security Event ID 4688 process creation logs. Applies multi-factor risk scoring covering headless mode execution, shared folder configuration, suspicious parent processes, non-standard installation paths, and Windows Sandbox .wsb invocation.

Data Sources

Sumo Logic Sysmon Source (Windows Sysmon/Operational)Sumo Logic Windows Security Event Log

Required Tables

_sourceCategory=windows/sysmon_sourceCategory=windows/security

False Positives & Tuning

  • IT operations teams executing VBoxManage.exe from cmd.exe or PowerShell as part of legitimate VM lifecycle management scripts
  • Penetration testing teams or red team operators running virtualization tools from non-standard directories as part of authorized engagements
  • Enterprise application packaging workflows that use Windows Sandbox .wsb files to test software installations in isolated environments
Download portable Sigma rule (.yml)

Other platforms for T1564.006

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Windows Sandbox .wsb Execution with MappedFolder and LogonCommand

    Expected signal: Sysmon Event ID 1: Process Create with Image=WindowsSandbox.exe, CommandLine containing 'argus_test_T1564006.wsb'. Sysmon Event ID 11: File Create for the .wsb file in %TEMP%. Security Event ID 4688 (if command-line auditing enabled) for the PowerShell process writing the .wsb file.

  2. Test 2VBoxManage Shared Folder Add Targeting Host Root Drive

    Expected signal: Sysmon Event ID 1: Process Create with Image=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe, CommandLine containing 'sharedfolder add' and '--hostpath C:\' and '--automount'. The command returns an error (VM not found) but the process creation event is generated.

  3. Test 3QEMU Headless Execution from Non-Standard Path

    Expected signal: Sysmon Event ID 11: File Create for svchost32.exe in %TEMP% (copy of QEMU binary). Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost32.exe, CommandLine containing '-nographic -m 64 -snapshot'. The QEMU binary copy will also generate a DeviceFileEvents entry in MDE.

  4. Test 4QEMU Virtual Machine Execution on Linux

    Expected signal: Syslog/auditd: process creation for qemu-system-x86_64 with arguments '-m 64 -nographic -snapshot -hda /dev/null'. Linux auditd EXECVE syscall event showing full argument list. If using Defender for Endpoint Linux agent: DeviceProcessEvents entry with FileName=qemu-system-x86_64 and ProcessCommandLine containing '-nographic'.

Last updated: 2026-04-21 Research depth: deep
References (10)

Unlock Pro Content

Get the full detection package for T1564.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1564Hide Artifacts

Related Sub-techniques

T1564.001Hidden Files and DirectoriesT1564.002Hidden UsersT1564.003Hidden WindowT1564.004NTFS File AttributesT1564.005Hidden File SystemT1564.007VBA StompingT1564.008Email Hiding RulesT1564.009Resource ForkingT1564.010Process Argument SpoofingT1564.011Ignore Process InterruptsT1564.012File/Path ExclusionsT1564.013Bind MountsT1564.014Extended Attributes

Related Techniques

T1564Hide ArtifactsT1037.004RC ScriptsT1486Data Encrypted for ImpactT1496Resource HijackingT1105Ingress Tool TransferT1027Obfuscated Files or InformationT1562.001Disable or Modify ToolsT1204.002Malicious FileT1543.003Windows Service

Same Tactic: Defense Evasion

Popular Detections