Skip to content

DET0321 Detection Strategy for Hidden Virtual Instance Execution

Item Value
ID DET0321
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1564.006 (Run Virtual Instance)

Analytics

Windows

AN0909

Unusual execution of virtualization binaries (VBoxManage.exe, vmware-vmx.exe, vmwp.exe) with headless or suppressed notification arguments. Registry and service modifications linked to virtualization installs. Defender view: anomalies in process creation, service metadata, and registry writes tied to enabling hidden VMs.

Log Sources
Data Component Name Channel
Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Service Creation (DC0060) WinEventLog:System EventCode=7045
Windows Registry Key Modification (DC0063) WinEventLog:Security EventCode=4657
Mutable Elements
Field Description
VirtualizationBinaryWhitelist Exclude known administrative VM software usage in enterprise environments.
TimeWindow Correlate registry and service modifications with VM process starts within a narrow time frame.

Linux

AN0910

Execution of QEMU, KVM, or VirtualBox processes with unusual flags (e.g., ‘-nographic’, ‘-snapshot’). File creation of VM images in atypical directories. Defender view: monitoring audit logs for process executions and file modifications linked to hidden virtualization.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve calls for qemu-system*, kvm, or VBoxHeadless
File Creation (DC0039) auditd:SYSCALL File creations of .qcow2, .vdi, *.vmdk outside standard VM directories
Mutable Elements
Field Description
ImageDirectoryWhitelist Legitimate VM image storage paths to reduce false positives.
UserContext Correlate suspicious VM execution with non-admin or service accounts.

macOS

AN0911

Execution of virtualization binaries (Parallels, VMware Fusion, VirtualBox) with arguments to hide UI. File monitoring for plist modifications indicating hidden virtualization behavior. Defender perspective: tracking process lineage and file modifications in system configs.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog Process execution for VBoxHeadless, prl_vm_app, vmware-vmx
File Modification (DC0061) macos:unifiedlog Plist modifications containing virtualization run configurations
Mutable Elements
Field Description
PlistKeyScope Focus monitoring on UI suppression or VM auto-run keys.

ESXi

AN0912

Direct execution of /bin/vmx or presence of rogue .vmx files not registered in vCenter inventory. Defender perspective: anomalous commands in shell history, edits to rc.local.d/local.sh for persistence.

Log Sources
Data Component Name Channel
Command Execution (DC0064) esxi:hostd Execution of ‘/bin/vmx’ or modifications to ‘/etc/rc.local.d/local.sh’
Image Metadata (DC0028) esxi:vmkernel VMX startup messages without associated vCenter inventory records
Mutable Elements
Field Description
VMInventorySync Cross-verify running VMs with vCenter inventory for rogue instances.