title: Hypervisor (T1062)
id: df00tech-t1062
status: experimental
description: "Adversaries may install a type-1 hypervisor beneath the operating system to gain persistent, stealthy access that survives reboots and is hidden from the guest OS. A malicious hypervisor intercepts hardware-level operations (privileged instructions, page-table updates, I/O) and can conceal its presence from all software running above it, including the OS kernel and security tools. MITRE ATT&CK has deprecated this technique, but it remains relevant for detection engineering: virtual-machine-based rootkits are documented in research (Blue Pill, which hoists a running OS into a thin AMD-V hypervisor, and SubVirt, which inserts a commodity VMM under the OS at boot), and the same approach is plausible for well-resourced actors targeting high-value environments. Other variants are a tampered Xen-style hypervisor or abuse of a legitimate hypervisor platform (Hyper-V, VMware) as a persistence anchor. Detection relies on pre-installation indicators (hypervisor binary drops, boot-configuration changes such as bcdedit hypervisorlaunchtype, kernel-driver installs) because post-installation detection from inside the guest is unreliable: the CPUID hypervisor-present bit can be masked and timing side channels are noisy. Boot-chain integrity checks (Secure Boot state, measured-boot logs) are the other vantage point worth correlating with these events."
references:
  - https://attack.mitre.org/techniques/T1062/
  - https://df00tech.com/detections/T1062
author: df00tech
date: 2026/04/16
tags:
  - attack.t1062
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The full KQL/SPL query (driver-install and EFI/BCD indicators included) could not be
  # auto-translated; see df00tech. The selection below is the process_creation subset
  # that the false-positive notes describe: bcdedit enabling hypervisor launch at boot.
  # A wildcard EventID match was removed because it fires on every event at level critical.
  selection_img:
    Image|endswith: '\bcdedit.exe'
  selection_cmd:
    CommandLine|contains|all:
      - 'hypervisorlaunchtype'
      - 'auto'
  condition: all of selection_*
falsepositives:
  - Legitimate Hyper-V or Windows Hypervisor Platform enablement via Windows Features, which runs bcdedit to set hypervisorlaunchtype during install
  - VMware Workstation or VirtualBox installation on developer machines, which installs kernel-mode drivers into system directories
  - Windows Subsystem for Android or WSL2 enabling Hyper-V-based virtualization support, which also runs bcdedit during feature activation
  - "Enterprise virtualization products (Citrix, Parallels, Nutanix AHV agents) installing Xen-compatible PV drivers to System32\\drivers"
  - Windows Update or Windows Recovery Environment modifying EFI and BCD files during cumulative update installation
level: critical
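
The rule above only matches the bcdedit indicator; the following is an added example, not df00tech's code, that evaluates the two process_creation indicators the description names (bcdedit enabling hypervisor launch, and a kernel-driver service pointing into System32\drivers) against constructed sample events. It assumes Sysmon/Sigma-style field names (Image, CommandLine, ParentImage); the parent-process allowlist for the Windows Features false positive (TiWorker.exe, Dism.exe) is a tuning hypothesis of this example, not part of the rule, and it downgrades rather than suppresses so the event still reaches triage.

```python
"""Added example, not df00tech's code: evaluate T1062 pre-installation
indicators against Windows process_creation events.

Assumptions:
  * field names follow the Sysmon/Sigma process_creation convention
    (Image, CommandLine, ParentImage);
  * FEATURE_INSTALLER_PARENTS is a tuning hypothesis for the Windows Features
    false positive, not something the rule on the page specifies;
  * every event in SAMPLE_EVENTS is constructed, not captured telemetry.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    Image: str
    CommandLine: str
    ParentImage: str = ""


@dataclass
class Verdict:
    indicators: list = field(default_factory=list)
    parent_is_feature_installer: bool = False

    @property
    def severity(self) -> str:
        if not self.indicators:
            return "none"
        # Same indicator fired by the Windows Modules Installer worker: keep it
        # as a lower-tier alert for triage instead of dropping it.
        return "medium" if self.parent_is_feature_installer else "critical"


# Indicator 1: bcdedit turning hypervisor launch on ("off" is not a hit).
BCDEDIT_HV_ON = re.compile(r"hypervisorlaunchtype\s+(auto|on)\b", re.IGNORECASE)
# Indicator 2: sc.exe creating a kernel-mode service whose binary lives under
# System32\drivers (the driver-install indicator from the description).
SC_KERNEL_DRIVER = re.compile(
    r"\bcreate\b.*\btype=\s*kernel\b.*\\system32\\drivers\\", re.IGNORECASE)
# Assumption: parents seen when Windows Features enables Hyper-V (tuning only).
FEATURE_INSTALLER_PARENTS = ("\\tiworker.exe", "\\dism.exe")


def _basename_is(path: str, name: str) -> bool:
    return path.lower().endswith("\\" + name)


def evaluate(ev: Event) -> Verdict:
    """Return the indicators an event triggers and whether its parent is an
    allowlisted feature installer."""
    v = Verdict()
    if _basename_is(ev.Image, "bcdedit.exe") and BCDEDIT_HV_ON.search(ev.CommandLine):
        v.indicators.append("bcdedit_hypervisorlaunchtype")
    if _basename_is(ev.Image, "sc.exe") and SC_KERNEL_DRIVER.search(ev.CommandLine):
        v.indicators.append("kernel_driver_service_create")
    v.parent_is_feature_installer = ev.ParentImage.lower().endswith(FEATURE_INSTALLER_PARENTS)
    return v


# Constructed sample events (paths and service names are placeholders).
SAMPLE_EVENTS = {
    "bcdedit_from_cmd": Event(
        r"C:\Windows\System32\bcdedit.exe",
        r"bcdedit /set hypervisorlaunchtype auto",
        r"C:\Windows\System32\cmd.exe"),
    "bcdedit_from_feature_install": Event(
        r"C:\Windows\System32\bcdedit.exe",
        r"bcdedit /set {current} hypervisorlaunchtype auto",
        r"C:\Windows\WinSxS\servicingstack\TiWorker.exe"),
    "bcdedit_disable": Event(
        r"C:\Windows\System32\bcdedit.exe",
        r"bcdedit /set hypervisorlaunchtype off",
        r"C:\Windows\System32\cmd.exe"),
    "kernel_driver_service": Event(
        r"C:\Windows\System32\sc.exe",
        r"sc create sample type= kernel binPath= C:\Windows\System32\drivers\sample.sys",
        r"C:\Windows\System32\cmd.exe"),
    "usermode_service": Event(
        r"C:\Windows\System32\sc.exe",
        r"sc create sample type= own binPath= C:\Tools\sample.exe",
        r"C:\Windows\System32\cmd.exe"),
}


def run_samples() -> dict:
    """Map each sample name to (indicators, severity)."""
    return {name: (evaluate(ev).indicators, evaluate(ev).severity)
            for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, (inds, sev) in run_samples().items():
        print(f"{name:32s} {sev:9s} {inds}")
```

The disable case and the user-mode service are deliberate non-matches: a rule that keys on the string hypervisorlaunchtype alone fires on bcdedit /set hypervisorlaunchtype off, which an adversary or an admin may run for unrelated reasons.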
