T1564.006 - Run Virtual Instance
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)
Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)
Atomic Tests
Atomic Test #1 - Register Portable Virtualbox
ransomware payloads via virtual machines (VM).
Maze ransomware
Supported Platforms: Windows
auto_generated_guid: c59f246a-34f8-4e4d-9276-c295ef9ba0dd
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| msi_file_path | Path to the MSI file | path | PathToAtomicsFolder\T1564.006\bin\Virtualbox_52.msi|
| cab_file_path | Path to the CAB file | path | PathToAtomicsFolder\T1564.006\bin\common.cab|
Attack Commands: Run with
!
"C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe" /reregserver
regsvr32 /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
rundll32 "C:\Program Files\Oracle\VirtualBox\VBoxRT.dll,RTR3Init"
sc create VBoxDRV binpath= "C:\Program Files\Oracle\VirtualBox\drivers\VboxDrv.sys" type= kernel start= auto error= normal displayname= PortableVBoxDRV
sc start VBoxDRV
Cleanup Commands:
sc stop VBoxDRV
sc delete VBoxDRV
regsvr32 /u /S "C:\Program Files\Oracle\VirtualBox\VboxC.dll"
msiexec /x "#{msi_file_path}" /qn
Dependencies: Run with
!
Description: MSI file must exist on disk at specified location (#{msi_file_path})
Check Prereq Commands:
1
| if (Test-Path "#{msi_file_path}") {exit 0} else {exit 1}
|
Get Prereq Commands:
1
2
| New-Item -Type Directory (split-path "#{msi_file_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/Virtualbox_52.msi" -OutFile "#{msi_file_path}"
|
Description: CAB file must exist on disk at specified location (#{cab_file_path})
Check Prereq Commands:
1
| if (Test-Path "#{cab_file_path}") {exit 0} else {exit 1}
|
Get Prereq Commands:
1
2
| New-Item -Type Directory (split-path "#{cab_file_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1564.006/bin/common.cab" -OutFile "#{cab_file_path}"
|
Description: Old version of Virtualbox must be installed
Check Prereq Commands:
1
| if (Test-Path "C:\Program Files\Oracle\VirtualBox\VboxC.dll") {exit 0} else {exit 1}
|
Get Prereq Commands:
1
| msiexec /i "#{msi_file_path}" /qn
|
Atomic Test #2 - Create and start VirtualBox virtual machine
Create a simple VirtualBox VM and start up the machine
Cleanup command stops and deletes the newly created VM and associated files
https://www.virtualbox.org/manual/ch08.html#vboxmanage-startvm
https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
https://attack.mitre.org/techniques/T1564/006/
Supported Platforms: Windows
auto_generated_guid: 88b81702-a1c0-49a9-95b2-2dd53d755767
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| vm_name | Name of the new virtual machine | string | Atomic VM|
| virtualbox_exe | Path to the VirtualBox executable | path | C:\Program Files\Oracle\VirtualBox\VirtualBox.exe|
| vboxmanage_exe | Path to the executable for VBoxManage, the command-line interface to VirtualBox | path | C:\Program Files\Oracle\VirtualBox\VBoxManage.exe|
| virtualbox_download | URL for the current installer for the Windows version of VirtualBox, as of March 2022 | url | https://download.virtualbox.org/virtualbox/6.1.32/VirtualBox-6.1.32-149290-Win.exe|
| virtualbox_installer | Executable for the Virtualbox installer | string | VirtualBox-6.1.32-149290-Win.exe|
Attack Commands: Run with
!
"#{vboxmanage_exe}" createvm --name "#{vm_name}" --register
"#{vboxmanage_exe}" modifyvm "#{vm_name}" --firmware efi
"#{vboxmanage_exe}" startvm "#{vm_name}"
Cleanup Commands:
"#{vboxmanage_exe}" controlvm "#{vm_name}" poweroff
"#{vboxmanage_exe}" unregistervm "#{vm_name}" --delete
Dependencies: Run with
!
Description: VirtualBox must exist on disk at specified locations (#{virtualbox_exe})
Check Prereq Commands:
1
| if (Test-Path "#{virtualbox_exe}") {exit 0} else {exit 1}
|
Get Prereq Commands:
1
2
3
4
| New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
$wc = New-Object System.Net.WebClient
$wc.DownloadFile("#{virtualbox_download}","PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}")
start-process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}" -ArgumentList "--silent" -Wait
|
Description: VBoxManage must exist on disk at specified locations (#{vboxmanage_exe})
Check Prereq Commands:
1
| if (Test-Path "#{vboxmanage_exe}") {exit 0} else {exit 1}
|
Get Prereq Commands:
1
2
3
| $wc = New-Object System.Net.WebClient
$wc.DownloadFile("#{virtualbox_download}","PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}")
start-process -FilePath "PathToAtomicsFolder\..\ExternalPayloads\#{virtualbox_installer}" -ArgumentList "--silent" -Wait
|
Atomic Test #3 - Create and start Hyper-V virtual machine
Create a simple Hyper-V VM (Windows native hypervisor) and start up the machine
Cleanup command stops and deletes the newly created VM
https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/
https://attack.mitre.org/techniques/T1564/006/
Supported Platforms: Windows
auto_generated_guid: fb8d4d7e-f5a4-481c-8867-febf13f8b6d3
| Name | Description | Type | Default Value |
|——|————-|——|—————|
| vm_name | Name of the new virtual machine | string | Atomic VM|
Attack Commands: Run with
! Elevation Required (e.g. root or admin)
1
2
3
4
| $VM = "#{vm_name}"
New-VM -Name $VM -Generation 2
Set-VMFirmware $VM -EnableSecureBoot Off
Start-VM $VM
|
Cleanup Commands:
1
2
| Stop-VM $VM -Force
Remove-VM $VM -Force
|
Dependencies: Run with
!
Description: Hyper-V must be enabled on the system
Checks whether Hyper-V is enabled. If not, enables Hyper-V and forces a required restart
Check Prereq Commands:
1
| if ((Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V).State = "Enabled") {exit 0} else {exit 1}
|
Get Prereq Commands:
1
| Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -Force
|