MITRE ATT&CK Technique
Persistence
T1062
Description
**This technique has been deprecated and should no longer be used.** A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with [Rootkit](https://attack.mitre.org/techniques/T1014) functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption.
Supported Platforms
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:50.958Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': '**This technique has been deprecated and should no longer be '
'used.**\n'
'\n'
'A type-1 hypervisor is a software layer that sits between the '
"guest operating systems and system's hardware. (Citation: "
'Wikipedia Hypervisor) It presents a virtual running '
'environment to an operating system. An example of a common '
'hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 '
'hypervisor operates at a level below the operating system and '
'could be designed with '
'[Rootkit](https://attack.mitre.org/techniques/T1014) '
'functionality to hide its existence from the guest operating '
'system. (Citation: Myers 2007) A malicious hypervisor of this '
'nature could be used to persist on systems through '
'interruption.',
'external_references': [{'external_id': 'T1062',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1062'},
{'external_id': 'CAPEC-552',
'source_name': 'capec',
'url': 'https://capec.mitre.org/data/definitions/552.html'},
{'description': 'Wikipedia. (2016, May 23). '
'Hypervisor. Retrieved June 11, 2016.',
'source_name': 'Wikipedia Hypervisor',
'url': 'https://en.wikipedia.org/wiki/Hypervisor'},
{'description': 'Xen. (n.d.). In Wikipedia. Retrieved '
'November 13, 2014.',
'source_name': 'Wikipedia Xen',
'url': 'http://en.wikipedia.org/wiki/Xen'},
{'description': 'Myers, M., and Youndt, S. (2007). An '
'Introduction to Hardware-Assisted '
'Virtual Machine (HVM) Rootkits. '
'Retrieved November 13, 2014.',
'source_name': 'Myers 2007',
'url': 'http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.90.8832&rep=rep1&type=pdf'},
{'description': 'virtualization.info. (Interviewer) & '
'Liguori, A. (Interviewee). (2006, '
'August 11). Debunking Blue Pill myth '
'[Interview transcript]. '
'Retrieved November 13, 2014.',
'source_name': 'virtualization.info 2006',
'url': 'http://virtualization.info/en/news/2006/08/debunking-blue-pill-myth.html'}],
'id': 'attack-pattern--4be89c7c-ace6-4876-9377-c8d54cef3d63',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'persistence'}],
'modified': '2025-10-24T17:48:44.777Z',
'name': 'Hypervisor',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': True,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '2.1'}