309. Adversaries Use Hidden Hyper-V Virtual Machines
Hello everyone!
Using virtual machines for defense evasion is becoming increasingly popular. Today we'll look at another example of Hide Artifacts: Run Virtual Instance (T1564.006).
According to the report, the adversary enabled the Hyper-V feature on a compromised Windows machine, then downloaded and imported a lightweight Alpine Linux-based VM containing their malware.
Once downloaded, the virtual machine was imported using PowerShell:
"cmd.exe" /C powershell.exe -c import-vm -path "c:\\programdata\\microsoft\\AppV\\app\\Virtual Machines\\1DBCC80B-5803-4AF1-8772-712C688F408A.vmcx" -Copy -GenerateNewId > c:\\Programdata\\WindowsUpdateTask_t.tmp 2>&1
PowerShell was also used to start the newly imported virtual machine:
"cmd.exe" /C powershell.exe -c Start-VM -name WSL > c:\\Programdata\\WindowsUpdateTask_R.tmp 2>&1
To detect this behavior, we can hunt for PowerShell cmdlets related to virtual machine manipulation, for example:
event_type: "processcreatewin"
AND
proc_file_path: "powershell.exe"
AND
cmdline: ("import-vm" OR "start-vm")
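As an added example (not part of the original post), here is the same hunting logic applied in Python to a few constructed process-creation events. The field names follow the query above; the sample paths and the argument-extraction helper are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Cmdlets from the hunting query; matched case-insensitively, as PowerShell itself is.
VM_CMDLET_RE = re.compile(r"\b(import-vm|start-vm)\b", re.IGNORECASE)
# Pulls the -Path <vmcx> or -Name <vm> argument out for triage (added helper, not in the query).
ARG_RE = re.compile(r'-(?:path|name)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

@dataclass
class Hit:
    cmdlet: str            # which cmdlet fired, lower-cased
    target: Optional[str]  # VM config path or VM name, if present

def match_event(event: dict) -> Optional[Hit]:
    """Apply the three query conditions to one process-creation event."""
    if event.get("event_type") != "processcreatewin":
        return None
    # proc_file_path may be a full path or a bare image name.
    image = event.get("proc_file_path", "").lower().rsplit("\\", 1)[-1]
    if image != "powershell.exe":
        return None
    cmdline = event.get("cmdline", "")
    m = VM_CMDLET_RE.search(cmdline)
    if not m:
        return None
    arg = ARG_RE.search(cmdline)
    target = (arg.group(1) or arg.group(2)) if arg else None
    return Hit(m.group(1).lower(), target)

def hunt(events: list) -> list:
    return [hit for hit in map(match_event, events) if hit]

# Constructed sample telemetry; paths and names are made up for this example.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_path": PS,
     "cmdline": r'powershell.exe -c import-vm -path "c:\programdata\vm\example.vmcx" -Copy -GenerateNewId'},
    {"event_type": "processcreatewin", "proc_file_path": PS,
     "cmdline": "powershell.exe -c Start-VM -name WSL"},
    # The cmd.exe wrapper itself does not match: the query keys on the powershell.exe child process.
    {"event_type": "processcreatewin", "proc_file_path": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /C powershell.exe -c Start-VM -name WSL"},
    {"event_type": "processcreatewin", "proc_file_path": PS,
     "cmdline": "powershell.exe -c Get-Date"},  # benign, no VM cmdlet
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"{hit.cmdlet:<10} target={hit.target!r}")
```

The extracted target (the .vmcx path or VM name) gives the analyst a starting point for checking whether the imported VM is legitimate.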
See you tomorrow!
