T1564.006 - Run Virtual Instance
Description from ATT&CK (opens in a new tab)
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)
In VMWare environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid
.vmxfile with the/bin/vmxutility. Adding this command to/etc/rc.local.d/local.sh(i.e., RC Scripts (opens in a new tab)) will cause the VM to persistently restart.(Citation: vNinja Rogue VMs 2024) Creating a VM this way prevents it from appearing in the vCenter console or in the output to thevim-cmd vmsvc/getallvmscommand on the ESXi server, thereby hiding it from typical administrative activities.(Citation: MITRE VMware Abuse 2024)
Atomic Tests
Atomic Test #1 - Register Portable Virtualbox
ransomware payloads via virtual machines (VM). Maze ransomware (opens in a new tab)
Supported Platforms: Windows
auto_generated_guid: c59f246a-34f8-4e4d-9276-c295ef9ba0dd
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| msi_file_path | Path to the MSI file | path | PathToAtomicsFolder\T1564.006\bin\Virtualbox_52.msi |
| cab_file_path | Path to the CAB file | path | PathToAtomicsFolder\T1564.006\bin\common.cab |
Attack Commands: Run with command_prompt!
"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" /reregserver
regsvr32 /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
rundll32 "C:\Program Files\Oracle\VirtualBox\VBoxRT.dll,RTR3Init"
sc create VBoxDRV binpath= "C:\Program Files\Oracle\VirtualBox\drivers\VboxDrv.sys" type= kernel start= auto error= normal displayname= PortableVBoxDRV
sc start VBoxDRVCleanup Commands:
sc stop VBoxDRV
sc delete VBoxDRV
regsvr32 /u /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
msiexec /x "#{msi_file_path}" /qnDependencies: Run with powershell!
Description: MSI file must exist on disk at specified location (#{msi_file_path})
Check Prereq Commands:
if (Test-Path "#{msi_file_path}") {exit 0} else {exit 1}Get Prereq Commands:
New-Item -Type Directory (split-path "#{msi_file_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}"Description: CAB file must exist on disk at specified location (#{cab_file_path})
Check Prereq Commands:
if (Test-Path "#{cab_file_path}") {exit 0} else {exit 1}Get Prereq Commands:
New-Item -Type Directory (split-path "#{cab_file_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab" -OutFile "#{cab_file_path}"Description: Old version of Virtualbox must be installed
Check Prereq Commands:
if (Test-Path "C:\Program Files\Oracle\VirtualBox\VboxC.dll") {exit 0} else {exit 1}Get Prereq Commands:
msiexec /i "#{msi_file_path}" /qnAtomic Test #2 - Create and start VirtualBox virtual machine
Create a simple VirtualBox VM and start up the machine Cleanup command stops and deletes the newly created VM and associated files https://www.virtualbox.org/manual/ch08.html#vboxmanage-startvm (opens in a new tab) https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/ (opens in a new tab) https://attack.mitre.org/techniques/T1564/006/ (opens in a new tab)
Supported Platforms: Windows
auto_generated_guid: 88b81702-a1c0-49a9-95b2-2dd53d755767
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| vm_name | Name of the new virtual machine | string | Atomic VM |
| virtualbox_exe | Path to the VirtualBox executable | path | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe |
| vboxmanage_exe | Path to the executable for VBoxManage, the command-line interface to VirtualBox | path | C:\Program Files\Oracle\VirtualBox\VBoxManage.exe |
| virtualbox_download | URL for the current installer for the Windows version of VirtualBox, as of March 2022 | url | https://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe (opens in a new tab) |
| virtualbox_installer | Executable for the Virtualbox installer | string | VirtualBox-6.1.32-149290-Win.exe |
Attack Commands: Run with command_prompt!
"#{vboxmanage_exe}" createvm --name "#{vm_name}" --register
"#{vboxmanage_exe}" modifyvm "#{vm_name}" --firmware efi
"#{vboxmanage_exe}" startvm "#{vm_name}"Cleanup Commands:
"#{vboxmanage_exe}" controlvm "#{vm_name}" poweroff
"#{vboxmanage_exe}" unregistervm "#{vm_name}" --deleteDependencies: Run with powershell!
Description: VirtualBox must exist on disk at specified locations (#{virtualbox_exe})
Check Prereq Commands:
if (Test-Path "#{virtualbox_exe}") {exit 0} else {exit 1}Get Prereq Commands:
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
$wc = New-Object System.Net.WebClient
$wc.DownloadFile("#{virtualbox_download}","PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}")
start-process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}" -ArgumentList "--silent" -WaitDescription: VBoxManage must exist on disk at specified locations (#{vboxmanage_exe})
Check Prereq Commands:
if (Test-Path "#{vboxmanage_exe}") {exit 0} else {exit 1}Get Prereq Commands:
$wc = New-Object System.Net.WebClient
$wc.DownloadFile("#{virtualbox_download}","PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}")
start-process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}" -ArgumentList "--silent" -WaitAtomic Test #3 - Create and start Hyper-V virtual machine
Create a simple Hyper-V VM (Windows native hypervisor) and start up the machine Cleanup command stops and deletes the newly created VM https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v (opens in a new tab) https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/ (opens in a new tab) https://attack.mitre.org/techniques/T1564/006/ (opens in a new tab)
Supported Platforms: Windows
auto_generated_guid: fb8d4d7e-f5a4-481c-8867-febf13f8b6d3
Inputs:
| Name | Description | Type | Default Value |
|---|---|---|---|
| vm_name | Name of the new virtual machine | string | Atomic VM |
Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)
$VM = "#{vm_name}"
New-VM -Name $VM -Generation 2
Set-VMFirmware $VM -EnableSecureBoot Off
Start-VM $VMCleanup Commands:
Stop-VM $VM -Force
Remove-VM $VM -ForceDependencies: Run with powershell!
Description: Hyper-V must be enabled on the system
Checks whether Hyper-V is enabled. If not, enables Hyper-V and forces a required restart
Check Prereq Commands:
if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).State = "Enabled") {exit 0} else {exit 1}Get Prereq Commands:
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -Force