Hide Artifacts: Run Virtual Instance

Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.[1] Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.[2]

Adversaries may utilize native support for virtualization (ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or drop the necessary files to run a virtual instance (ex: VirtualBox binaries).[3] After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.[4]

Threat actors may also leverage temporary virtualized environments such as the Windows Sandbox, which supports the use of .wsb configuration files for defining execution parameters. For example, the <MappedFolder> property supports the creation of a shared folder, while the <LogonCommand> property allows the specification of a payload.[5]
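An added example, not code from the ATT&CK page: a small audit routine that parses a Windows Sandbox .wsb file and reports the two properties the paragraph names, a writable <MappedFolder> (the guest can modify host files) and a <LogonCommand>. Element names follow Microsoft's documented .wsb schema; the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample .wsb: one writable host folder, one read-only
# folder, and a logon command that runs from the writable mapping.
SAMPLE_WSB = """<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Users\\Public\\share</HostFolder>
      <SandboxFolder>C:\\share</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>C:\\Tools</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\\share\\run.cmd</Command>
  </LogonCommand>
</Configuration>"""


def audit_wsb(xml_text):
    """Summarise the host-interaction settings of a .wsb configuration.

    writable_folders: host paths mapped without ReadOnly=true (ReadOnly
    defaults to false, so an absent element means writable);
    logon_command: the command run at sandbox logon, or None;
    risky: True when a writable mapping and a logon command coexist,
    the combination that lets a payload in the guest reach host files.
    """
    root = ET.fromstring(xml_text)
    writable = []
    for mf in root.iter("MappedFolder"):
        host = (mf.findtext("HostFolder") or "").strip()
        read_only = (mf.findtext("ReadOnly") or "false").strip().lower()
        if host and read_only != "true":
            writable.append(host)
    cmd = root.findtext("LogonCommand/Command")
    cmd = cmd.strip() if cmd else None
    return {
        "writable_folders": writable,
        "logon_command": cmd,
        "risky": bool(writable) and cmd is not None,
    }
```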

In VMware environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid .vmx file with the /bin/vmx utility. Adding this command to /etc/rc.local.d/local.sh (i.e., RC Scripts) will cause the VM to persistently restart.[6] Creating a VM this way prevents it from appearing in the vCenter console or in the output of the vim-cmd vmsvc/getallvms command on the ESXi server, thereby hiding it from typical administrative activities.[7]

ID: T1564.006
Sub-technique of: T1564
Tactic: Defense Evasion
Platforms: ESXi, Linux, Windows, macOS
Contributors: Enis Aksu; Janantha Marasinghe; Jiraput Thamsongkrah; Johann Rehberger; Menachem Shafran, XM Cyber; Natthawut Saexu; Purinut Wongwaiwuttiguldej; Satoshi Kamekawa, ITOCHU Cyber & Intelligence Inc.; Shuhei Sasada, ITOCHU Cyber & Intelligence Inc.; Yusuke Niwa, ITOCHU Cyber & Intelligence Inc.
Version: 1.3
Created: 29 June 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S0451 LoudMiner

LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates.[8]

S0449 Maze

Maze operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine's configuration file mapped the shared network drives of the target company, presumably so Maze can encrypt files on the shared drives as well as the local machine.[9]

S0481 Ragnar Locker

Ragnar Locker has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables Ragnar Locker to encrypt files on the host operating system, including files on any mapped drives.[4]

Mitigations

ID Mitigation Description
M1047 Audit

Periodically audit virtual machines for abnormalities. On ESXi servers, periodically compare the output of vim-cmd vmsvc/getallvms, which lists all VMs in vCenter, and esxcli vm process list | grep Display, which lists all VMs hosted on ESXi.[7]
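An added example, not code from the ATT&CK page, that automates the comparison this mitigation describes for the directly launched VMs covered in the technique description above: a VM that shows up in esxcli vm process list but not in vim-cmd vmsvc/getallvms was started outside the hostd/vCenter inventory. Both command outputs below are constructed approximations of the real formats, not captures from a live host.

```python
import re

# Constructed approximation of `vim-cmd vmsvc/getallvms` output.
GETALLVMS_OUT = """Vmid   Name    File                          Guest OS        Version   Annotation
1      web01   [datastore1] web01/web01.vmx    ubuntu64Guest   vmx-15
2      db01    [datastore1] db01/db01.vmx      centos8_64Guest vmx-15
"""

# Constructed approximation of `esxcli vm process list` output; the third
# VM runs from a hidden directory and has no inventory entry.
PROCESS_LIST_OUT = """web01
   World ID: 2100123
   Display Name: web01
   Config File: /vmfs/volumes/datastore1/web01/web01.vmx

db01
   World ID: 2100456
   Display Name: db01
   Config File: /vmfs/volumes/datastore1/db01/db01.vmx

svc-update
   World ID: 2100789
   Display Name: svc-update
   Config File: /vmfs/volumes/datastore1/.tmp/svc-update.vmx
"""


def registered_vms(getallvms_text):
    """VM names from getallvms: every data row starts with a numeric Vmid."""
    return {m.group(1) for m in re.finditer(r"^\d+\s+(\S+)", getallvms_text, re.M)}


def running_vms(process_list_text):
    """Map Display Name -> Config File for each running vmx process."""
    vms, name = {}, None
    for line in process_list_text.splitlines():
        if m := re.match(r"\s*Display Name:\s*(.+)", line):
            name = m.group(1).strip()
        elif (m := re.match(r"\s*Config File:\s*(.+)", line)) and name:
            vms[name] = m.group(1).strip()
            name = None
    return vms


def unregistered_running_vms(getallvms_text, process_list_text):
    """Running VMs absent from the inventory, with the .vmx path to inspect."""
    known = registered_vms(getallvms_text)
    return {n: p for n, p in running_vms(process_list_text).items() if n not in known}
```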

M1042 Disable or Remove Feature or Program

Disable native virtualization technologies such as Hyper-V if not necessary within a given environment. Consider also disabling Windows Sandbox if it is not needed to test or debug applications.

M1038 Execution Prevention

Use application control to mitigate installation and use of unapproved virtualization software.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0321 Detection Strategy for Hidden Virtual Instance Execution AN0909

Unusual execution of virtualization binaries (VBoxManage.exe, vmware-vmx.exe, vmwp.exe) with headless or suppressed notification arguments. Registry and service modifications linked to virtualization installs. Defender view: anomalies in process creation, service metadata, and registry writes tied to enabling hidden VMs.

AN0910

Execution of QEMU, KVM, or VirtualBox processes with unusual flags (e.g., '-nographic', '-snapshot'). File creation of VM images in atypical directories. Defender view: monitoring audit logs for process executions and file modifications linked to hidden virtualization.

AN0911

Execution of virtualization binaries (Parallels, VMware Fusion, VirtualBox) with arguments to hide UI. File monitoring for plist modifications indicating hidden virtualization behavior. Defender perspective: tracking process lineage and file modifications in system configs.

AN0912

Direct execution of /bin/vmx or presence of rogue .vmx files not registered in vCenter inventory. Defender perspective: anomalous commands in shell history, edits to rc.local.d/local.sh for persistence.
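An added example, not code from the ATT&CK page, that turns the DET0321 analytics into rules over process-creation events: the virtualization binaries and hidden-UI arguments named in AN0909 through AN0911, plus direct /bin/vmx execution from AN0912. The events and their field names (host, image, cmdline) are constructed for this example and do not follow any particular EDR schema.

```python
# Virtualization binaries from the analytics, matched by lower-cased basename.
VIRT_IMAGES = {"vboxmanage.exe", "vmware-vmx.exe", "vmwp.exe",
               "qemu-system-x86_64", "vmx"}
# Arguments that hide or suppress the guest's UI.
HIDDEN_UI_ARGS = {"headless", "-nographic", "-snapshot"}

EVENTS = [  # constructed sample events
    {"host": "ws01", "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": '"VBoxManage.exe" startvm micro --type headless'},
    {"host": "ws02", "image": r"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe",
     "cmdline": '"VBoxManage.exe" list vms'},
    {"host": "build01", "image": "/usr/bin/qemu-system-x86_64",
     "cmdline": "qemu-system-x86_64 -nographic -snapshot -drive file=/tmp/.x/tc.qcow2"},
    {"host": "esx01", "image": "/bin/vmx",
     "cmdline": "/bin/vmx /vmfs/volumes/datastore1/.tmp/svc-update.vmx"},
    {"host": "ws03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyze(event):
    """Return the reasons an event matches; an empty list means no match."""
    reasons = []
    image = basename(event["image"])
    if image not in VIRT_IMAGES:
        return reasons
    args = [a.strip('"').lower() for a in event["cmdline"].split()]
    hidden = sorted(a for a in args if a in HIDDEN_UI_ARGS)
    if hidden:
        reasons.append(f"{image} launched with hidden-UI argument(s): {', '.join(hidden)}")
    if event["image"] == "/bin/vmx":
        reasons.append("direct /bin/vmx execution outside the hostd inventory (AN0912)")
    return reasons


def detect(events):
    """Alerts as (host, reasons) for each event matching at least one rule."""
    alerts = []
    for e in events:
        reasons = analyze(e)
        if reasons:
            alerts.append((e["host"], reasons))
    return alerts
```

A real deployment would join these hits with the registry, service and file-creation signals the analytics list rather than alerting on the command line alone.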

References