title: Run Virtual Instance (T1564.006)
id: df00tech-t1564-006
status: experimental
description: "Adversaries may carry out malicious operations using a virtual instance to avoid detection. By running malicious code inside a VM, adversaries hide artifacts from security tools that cannot monitor guest activity. Ransomware groups (Maze, Ragnar Locker) used VirtualBox with shared folders mapped to host drives to encrypt files while evading endpoint protection. LoudMiner ran XMRig inside QEMU/VirtualBox Linux VMs for cryptomining. On ESXi, adversaries create rogue VMs via /bin/vmx directly, bypassing vCenter visibility checks. Windows Sandbox .wsb configuration files support LogonCommand payloads and MappedFolder host filesystem access, abused by MirrorFace APT. The CronTrap campaign used QEMU to stage malware inside emulated Linux environments on Windows hosts."
references:
  - https://attack.mitre.org/techniques/T1564/006/
  - https://df00tech.com/detections/T1564.006
author: df00tech
date: 2026/04/21
tags:
  - attack.t1564.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Developers and QA engineers running VirtualBox or VMware Workstation headlessly as part of automated build/test pipelines (e.g., Vagrant, Packer)"
  - IT administrators using VBoxManage to manage shared folders for legitimate remote work or file transfer workflows
  - Security researchers or blue teams running malware analysis VMs headlessly in an isolated lab environment
  - "Enterprise sandbox solutions (Bromium, Sandboxie) that legitimately invoke virtualization components from management processes"
  - Windows Sandbox used for legitimate application compatibility testing or software evaluation by power users
level: high