- Tactics
- stealth
- Platforms
- ESXi, Linux, macOS, Windows
- Reference
- attack.mitre.org/techniques/T1564.006
Description
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
Adversaries may utilize native support for virtualization (ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or drop the necessary files to run a virtual instance (ex: VirtualBox binaries).(Citation: Securonix CronTrap 2024) After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)
Threat actors may also leverage temporary virtualized environments such as the Windows Sandbox, which supports the use of .wsb configuration files for defining execution parameters. For example, the <MappedFolder> property supports the creation of a shared folder, while the <LogonCommand> property allows the specification of a payload.(Citation: ESET MirrorFace 2025)(Citation: ITOCHU Hack the Sandbox)(Citation: ITOCHU Sandbox PPT)
In VMWare environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid .vmx file with the /bin/vmx utility. Adding this command to /etc/rc.local.d/local.sh (i.e., RC Scripts) will cause the VM to persistently restart.(Citation: vNinja Rogue VMs 2024) Creating a VM this way prevents it from appearing in the vCenter console or in the output to the vim-cmd vmsvc/getallvms command on the ESXi server, thereby hiding it from typical administrative activities.(Citation: MITRE VMware Abuse 2024)
How GTK Cyber trains on this
GTK Cyber's Threat Hunting with Data Science course teaches you to build machine-learning detections for techniques like this across the MITRE ATT&CK framework, including the stealth tactic this technique falls under. Practitioner-led, focused on real detections, not memorizing technique IDs.
Related techniques
- T1006 — Direct Volume Access
- T1014 — Rootkit
- T1027 — Obfuscated Files or Information
- T1036 — Masquerading
- T1055 — Process Injection
- T1070 — Indicator Removal
- T1078 — Valid Accounts
- T1127 — Trusted Developer Utilities Proxy Execution
- T1134 — Access Token Manipulation
- T1140 — Deobfuscate/Decode Files or Information
- T1197 — BITS Jobs
- T1202 — Indirect Command Execution