Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
PR.PS-01.09 | Virtualized end point protection | Mitigates | T1564.006 | Run Virtual Instance | Comments: The diagnostic statement highlights several mitigating controls that organizations can implement to protect endpoint systems using virtualization technologies. Adversaries may carry out malicious operations using a virtual instance to avoid detection. After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system. To aid in mitigating this technique, consider using application control mechanisms to mitigate the installation and use of unapproved virtualization software and of shared folders that are not necessary within a given environment, and periodically audit virtual machines for abnormalities. |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
CM-06 | Configuration Settings | mitigates | T1564.006 | Run Virtual Instance | |
CM-08 | System Component Inventory | mitigates | T1564.006 | Run Virtual Instance | |
SI-10 | Information Input Validation | mitigates | T1564.006 | Run Virtual Instance | |
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1564.006 | Run Virtual Instance | |
CM-02 | Baseline Configuration | mitigates | T1564.006 | Run Virtual Instance | |
CM-07 | Least Functionality | mitigates | T1564.006 | Run Virtual Instance | |
SI-04 | System Monitoring | mitigates | T1564.006 | Run Virtual Instance | |

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
ai_security_recommendations | Microsoft Defender for Cloud: AI Security Recommendations | technique_scores | T1564.006 | Run Virtual Instance | Comments: This control's "Immutable (read-only) root filesystem should be enforced for containers" recommendation can lead to preventing these sub-techniques, which result in changes to the file system directly or indirectly during their execution. Because this is a recommendation, and specific to Kubernetes containers, its score is assessed as Minimal. |
alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1564.006 | Run Virtual Instance | Comments: This control may alert on containers using privileged commands, running SSH servers, or running mining software. |