Skip to content
Atomic Red Team
atomics
T1564.006

T1564.006 - Run Virtual Instance

Description from ATT&CK (opens in a new tab)

Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)

Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)

In VMWare environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid .vmx file with the /bin/vmx utility. Adding this command to /etc/rc.local.d/local.sh (i.e., RC Scripts (opens in a new tab)) will cause the VM to persistently restart.(Citation: vNinja Rogue VMs 2024) Creating a VM this way prevents it from appearing in the vCenter console or in the output to the vim-cmd vmsvc/getallvms command on the ESXi server, thereby hiding it from typical administrative activities.(Citation: MITRE VMware Abuse 2024)

Atomic Tests


Atomic Test #1 - Register Portable Virtualbox

ransomware payloads via virtual machines (VM). Maze ransomware (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: c59f246a-34f8-4e4d-9276-c295ef9ba0dd

Inputs:

NameDescriptionTypeDefault Value
msi_file_pathPath to the MSI filepathPathToAtomicsFolder\T1564.006\bin\Virtualbox_52.msi
cab_file_pathPath to the CAB filepathPathToAtomicsFolder\T1564.006\bin\common.cab

Attack Commands: Run with command_prompt!

"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" /reregserver
regsvr32 /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
rundll32 "C:\Program Files\Oracle\VirtualBox\VBoxRT.dll,RTR3Init"
sc create VBoxDRV binpath= "C:\Program Files\Oracle\VirtualBox\drivers\VboxDrv.sys" type= kernel start= auto error= normal displayname= PortableVBoxDRV
sc start VBoxDRV

Cleanup Commands:

sc stop VBoxDRV
sc delete VBoxDRV
regsvr32 /u /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
msiexec /x "#{msi_file_path}" /qn

Dependencies: Run with powershell!

Description: MSI file must exist on disk at specified location (#{msi_file_path})
Check Prereq Commands:
if (Test-Path "#{msi_file_path}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{msi_file_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}"
Description: CAB file must exist on disk at specified location (#{cab_file_path})
Check Prereq Commands:
if (Test-Path "#{cab_file_path}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{cab_file_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab" -OutFile "#{cab_file_path}"
Description: Old version of Virtualbox must be installed
Check Prereq Commands:
if (Test-Path "C:\Program Files\Oracle\VirtualBox\VboxC.dll") {exit 0} else {exit 1}
Get Prereq Commands:
msiexec /i "#{msi_file_path}" /qn


Atomic Test #2 - Create and start VirtualBox virtual machine

Create a simple VirtualBox VM and start up the machine Cleanup command stops and deletes the newly created VM and associated files https://www.virtualbox.org/manual/ch08.html#vboxmanage-startvm (opens in a new tab) https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/ (opens in a new tab) https://attack.mitre.org/techniques/T1564/006/ (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 88b81702-a1c0-49a9-95b2-2dd53d755767

Inputs:

NameDescriptionTypeDefault Value
vm_nameName of the new virtual machinestringAtomic VM
virtualbox_exePath to the VirtualBox executablepathC:\Program Files\Oracle\VirtualBox\VirtualBox.exe
vboxmanage_exePath to the executable for VBoxManage, the command-line interface to VirtualBoxpathC:\Program Files\Oracle\VirtualBox\VBoxManage.exe
virtualbox_downloadURL for the current installer for the Windows version of VirtualBox, as of March 2022urlhttps://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe (opens in a new tab)
virtualbox_installerExecutable for the Virtualbox installerstringVirtualBox-6.1.32-149290-Win.exe

Attack Commands: Run with command_prompt!

"#{vboxmanage_exe}" createvm --name "#{vm_name}" --register
"#{vboxmanage_exe}" modifyvm "#{vm_name}" --firmware efi
"#{vboxmanage_exe}" startvm "#{vm_name}"

Cleanup Commands:

"#{vboxmanage_exe}" controlvm "#{vm_name}" poweroff
"#{vboxmanage_exe}" unregistervm "#{vm_name}" --delete

Dependencies: Run with powershell!

Description: VirtualBox must exist on disk at specified locations (#{virtualbox_exe})
Check Prereq Commands:
if (Test-Path "#{virtualbox_exe}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
$wc = New-Object System.Net.WebClient
$wc.DownloadFile("#{virtualbox_download}","PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}")
start-process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}" -ArgumentList "--silent" -Wait
Description: VBoxManage must exist on disk at specified locations (#{vboxmanage_exe})
Check Prereq Commands:
if (Test-Path "#{vboxmanage_exe}") {exit 0} else {exit 1}
Get Prereq Commands:
$wc = New-Object System.Net.WebClient
$wc.DownloadFile("#{virtualbox_download}","PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}")
start-process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}" -ArgumentList "--silent" -Wait


Atomic Test #3 - Create and start Hyper-V virtual machine

Create a simple Hyper-V VM (Windows native hypervisor) and start up the machine Cleanup command stops and deletes the newly created VM https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v (opens in a new tab) https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/ (opens in a new tab) https://attack.mitre.org/techniques/T1564/006/ (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: fb8d4d7e-f5a4-481c-8867-febf13f8b6d3

Inputs:

NameDescriptionTypeDefault Value
vm_nameName of the new virtual machinestringAtomic VM

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$VM = "#{vm_name}"
New-VM -Name $VM -Generation 2
Set-VMFirmware $VM -EnableSecureBoot Off
Start-VM $VM

Cleanup Commands:

Stop-VM $VM -Force
Remove-VM $VM -Force

Dependencies: Run with powershell!

Description: Hyper-V must be enabled on the system

Checks whether Hyper-V is enabled. If not, enables Hyper-V and forces a required restart

Check Prereq Commands:
if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).State = "Enabled") {exit 0} else {exit 1}
Get Prereq Commands:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -Force