I am working on a TRR linked to a single procedure of T1564.006 (Hide Artifacts: Run Virtual Instance), specifically focusing on Hyper-V.
There are at least three other major known approaches to this technique:
- Abuse of Windows Sandbox (MirrorFace APT) - this one can likely be incorporated into the Hyper-V case, since Windows Sandbox uses Hyper-V to launch
- Installing a full third-party virtualization application (like VirtualBox or VMware) to run malware inside VMs
  - This involves an RMM-like monitoring approach, but it's different enough from my existing research that I'm not going to add it now
- Using a third-party virtualization player (like VMware Player) to run malware inside VMs
  - Again, we need an RMM-like approach to defend against this, so it's out of scope for now.