Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| intel-tdt | Intel Threat Detection Technology | Microsoft Defender | T1564.006 | Run Virtual Instance |
Comments
Intel Threat Detection Technology's (Intel TDT) targeted malware detection solution applies machine learning to hardware telemetry derived from the CPU to detect sustained malicious code execution patterns, like ransomware and cryptomining, at runtime. Operating on CPU level data enables TDT to detect malware execution irrespective of deployment scheme, programming language or obfuscation schemes.
This enables Microsoft Defender Antivirus to use Intel TDT to help rapidly detect and respond to these threats.
References
|