Description
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
Adversaries may utilize native support for virtualization (ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or drop the necessary files to run a virtual instance (ex: VirtualBox binaries).(Citation: Securonix CronTrap 2024) After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)
Threat actors may also leverage temporary virtualized environments such as the Windows Sandbox, which supports the use of .wsb configuration files for defining execution parameters. For example, one configuration property supports the creation of a shared folder, while another allows the specification of a payload.(Citation: ESET MirrorFace 2025)(Citation: ITOCHU Hack the Sandbox)(Citation: ITOCHU Sandbox PPT)
In VMware environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid .vmx file with the /bin/vmx utility. Adding this command to /etc/rc.local.d/local.sh (i.e., RC Scripts) will cause the VM to persistently restart.(Citation: vNinja Rogue VMs 2024) Creating a VM this way prevents it from appearing in the vCenter console or in the output of the vim-cmd vmsvc/getallvms command on the ESXi server, thereby hiding it from typical administrative activities.(Citation: MITRE VMware Abuse 2024)
Mitigations (3)
Disable or Remove Feature or Program (M1042)
Disable native virtualization technologies such as Hyper-V if not necessary within a given environment. Consider also disabling Windows Sandbox if it is not needed to test or debug applications.
Audit (M1047)
Periodically audit virtual machines for abnormalities. On ESXi servers, periodically compare the output of vim-cmd vmsvc/getallvms, which lists all VMs in vCenter, and esxcli vm process list | grep Display, which lists all VMs hosted on ESXi.(Citation: MITRE VMware Abuse 2024)
Execution Prevention (M1038)
Use application control to mitigate installation and use of unapproved virtualization software.
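The Audit mitigation above compares two ESXi inventories, and the technique description notes that rogue VMs can be restarted from /etc/rc.local.d/local.sh. The following is an added shell example, not code from MITRE or the cited reports, that performs both checks on constructed sample data; it assumes the sample text matches the output formats of vim-cmd vmsvc/getallvms and esxcli vm process list, and all VM names and paths in it are made up.

```shell
#!/bin/sh
# Added example, not from the ATT&CK page: defender-side rogue-VM check for an
# ESXi host. It applies the Audit mitigation (registered inventory from vim-cmd
# vs. running processes from esxcli) and scans /etc/rc.local.d/local.sh for
# /bin/vmx lines that would restart a VM at boot. All samples are constructed.
# Constructed sample of `vim-cmd vmsvc/getallvms` output (registered VMs).
GETALLVMS_SAMPLE='Vmid   Name    File                       Guest OS        Version
1      web01   [datastore1] web01/web01.vmx  ubuntu64Guest   vmx-19
2      db01    [datastore1] db01/db01.vmx    rhel8_64Guest   vmx-19'

# Constructed sample of `esxcli vm process list` output (running VMs);
# backup-tmp has a vmx process but no inventory entry.
PROCESS_LIST_SAMPLE='web01
   Display Name: web01
db01
   Display Name: db01
backup-tmp
   Display Name: backup-tmp
   Config File: /vmfs/volumes/datastore1/.hidden/backup-tmp.vmx'

# Constructed sample of /etc/rc.local.d/local.sh with a suspicious entry.
LOCAL_SH_SAMPLE='#!/bin/sh
# local configuration options
/bin/vmx -x /vmfs/volumes/datastore1/.hidden/backup-tmp.vmx &
exit 0'

# Registered names: skip the header, keep the text between Vmid and "[datastore".
registered_names() {
    printf '%s\n' "$1" | sed -n '2,$s/^[0-9][0-9]* *\(.*[^ ]\) *\[.*/\1/p' | sort -u
}

# Running names: the "Display Name:" lines of the esxcli output.
running_names() {
    printf '%s\n' "$1" | sed -n 's/^ *Display Name: *//p' | sort -u
}

# Running VMs that are absent from the inventory, one name per line.
find_unregistered_vms() {
    running_names "$2" | awk -v reg="$(registered_names "$1")" '
        BEGIN { n = split(reg, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 }
        !($0 in seen)'
}

# Uncommented local.sh lines that invoke the vmx binary directly.
find_vmx_in_rc_local() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep '/bin/vmx'
}

find_unregistered_vms "$GETALLVMS_SAMPLE" "$PROCESS_LIST_SAMPLE"
find_vmx_in_rc_local "$LOCAL_SH_SAMPLE"
```

On a live host, replace the sample variables with "$(vim-cmd vmsvc/getallvms)", "$(esxcli vm process list)" and "$(cat /etc/rc.local.d/local.sh)".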
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S0449 | Maze | Malware | [Maze](https://attack.mitre.org/software/S0449) operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual mach... |
| S0481 | Ragnar Locker | Malware | [Ragnar Locker](https://attack.mitre.org/software/S0481) has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a sha... |
| S0451 | LoudMiner | Malware | [LoudMiner](https://attack.mitre.org/software/S0451) has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes... |
References
- Dominik Breitenbacher. (2025, March 18). Operation AkaiRyū: MirrorFace invites Europe to Expo 2025 and revives ANEL backdoor. Retrieved May 22, 2025.
- Christian Mohn. (2024, November 11). Beware Of The Rogue VMs!. Retrieved March 26, 2025.
- Committee of Inquiry into the Cyber Attack on SingHealth. (2019, January 10). Public Report of the Committee of Inquiry into the Cyber Attack on Singapore Health Services Private Limited's Patient Database. Retrieved June 29, 2020.
- CyberCX. (2023, September 15). Weaponising VMs to bypass EDR – Akira ransomware. Retrieved April 4, 2025.
- Den Iuzvyk and Tim Peck. (2024, November 4). CRON#TRAP: Emulated Linux Environments as the Latest Tactic in Malware Staging. Retrieved May 22, 2025.
- ITOCHU Cyber & Intelligence Inc. (2025, March 12). Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts. Retrieved November 5, 2025.
- ITOCHU Cyber & Intelligence Inc. (n.d.). Hack The Sandbox: Unveiling the Truth Behind Disappearing Artifacts. Retrieved November 5, 2025.
- Lex Crumpton. (2024, May 22). Infiltrating Defenses: Abusing VMware in MITRE’s Cyber Intrusion. Retrieved March 26, 2025.
- SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
Frequently Asked Questions
What is T1564.006 (Run Virtual Instance)?
T1564.006 is a MITRE ATT&CK technique named 'Run Virtual Instance'. It belongs to the Stealth tactic(s). Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing...
How can T1564.006 be detected?
Detection of T1564.006 (Run Virtual Instance) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1564.006?
There are 3 documented mitigations for T1564.006. Key mitigations include: Disable or Remove Feature or Program, Audit, Execution Prevention.
Which threat groups use T1564.006?
While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.