MITRE ATT&CK Technique
Description
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance.(Citation: CyberCX Akira Ransomware) Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)

Adversaries may utilize native support for virtualization (ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or drop the necessary files to run a virtual instance (ex: VirtualBox binaries).(Citation: Securonix CronTrap 2024) After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)

Threat actors may also leverage temporary virtualized environments such as the Windows Sandbox, which supports the use of `.wsb` configuration files for defining execution parameters. For example, the `<MappedFolder>` property supports the creation of a shared folder, while the `<LogonCommand>` property allows the specification of a payload.(Citation: ESET MirrorFace 2025)(Citation: ITOCHU Hack the Sandbox)(Citation: ITOCHU Sandbox PPT)

In VMWare environments, adversaries may leverage the vCenter console to create new virtual machines. However, they may also create virtual machines directly on ESXi servers by running a valid `.vmx` file with the `/bin/vmx` utility. Adding this command to `/etc/rc.local.d/local.sh` (i.e., [RC Scripts](https://attack.mitre.org/techniques/T1037/004)) will cause the VM to persistently restart.(Citation: vNinja Rogue VMs 2024) Creating a VM this way prevents it from appearing in the vCenter console or in the output of the `vim-cmd vmsvc/getallvms` command on the ESXi server, thereby hiding it from typical administrative activities.(Citation: MITRE VMware Abuse 2024)
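The Windows Sandbox paragraph above names two `.wsb` properties worth triaging on a host. The following added example (not from the ATT&CK page or any cited report) parses a `.wsb` file and reports every `<MappedFolder>` with its write mode and any `<LogonCommand>`; the element names are Microsoft's documented `.wsb` schema, and the sample file is constructed.

```python
# Added example: triage a Windows Sandbox .wsb configuration for the two
# properties the technique description calls out: <MappedFolder> (a folder
# shared between host and sandbox) and <LogonCommand> (a command run at logon).
# Element names (Configuration, MappedFolders, MappedFolder, HostFolder,
# SandboxFolder, ReadOnly, LogonCommand, Command) follow the documented
# .wsb schema; SAMPLE_WSB below is a constructed file, not a real artifact.
import xml.etree.ElementTree as ET


def triage_wsb(wsb_text):
    """Return a list of human-readable findings for one .wsb document."""
    root = ET.fromstring(wsb_text)
    findings = []
    for mf in root.iter("MappedFolder"):
        host = (mf.findtext("HostFolder") or "").strip()
        guest = (mf.findtext("SandboxFolder") or "").strip()
        # ReadOnly defaults to false when omitted, so an absent element means
        # the sandbox can write into the host folder.
        read_only = (mf.findtext("ReadOnly") or "false").strip().lower() == "true"
        mode = "read-only" if read_only else "WRITABLE"
        findings.append(f"mapped folder {host!r} -> {guest or '(default)'} [{mode}]")
    cmd = (root.findtext("LogonCommand/Command") or "").strip()
    if cmd:
        findings.append(f"logon command: {cmd!r}")
    return findings


# Constructed sample: a writable host share plus a logon command that runs
# a file delivered through that share.
SAMPLE_WSB = """<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Users\\Public\\share</HostFolder>
      <SandboxFolder>C:\\share</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\\share\\run.bat</Command>
  </LogonCommand>
</Configuration>"""

if __name__ == "__main__":
    for finding in triage_wsb(SAMPLE_WSB):
        print(finding)
```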
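For the ESXi case, a VM launched from `/etc/rc.local.d/local.sh` with `/bin/vmx` is absent from `vim-cmd vmsvc/getallvms`, so the two sources can be cross-checked. The following added example (not from the ATT&CK page or the cited posts) parses constructed samples of both; it assumes the usual `getallvms` column layout, that `[datastore] path` notation resolves under `/vmfs/volumes/<datastore>/`, and that the `.vmx` path appears as an argument on the `vmx` command line.

```python
# Added example: report .vmx files that an ESXi host starts from
# /etc/rc.local.d/local.sh but that are not registered with the hypervisor,
# i.e. VMs that vCenter and `vim-cmd vmsvc/getallvms` would not show.
# Both inputs are constructed samples; the parsing assumes the normal
# getallvms layout and that "[datastore] rel/path.vmx" lives under
# /vmfs/volumes/<datastore>/ (datastores referenced by UUID are not resolved).
import re

VMX_PATH_RE = re.compile(r"(/\S+\.vmx)\b")
# A line that invokes vmx or /bin/vmx as a command (not merely a .vmx filename).
VMX_CMD_RE = re.compile(r"(^|[\s;&|])(/bin/)?vmx\b")


def registered_vmx_paths(getallvms_output):
    """Parse `vim-cmd vmsvc/getallvms` output into absolute .vmx paths."""
    paths = set()
    for line in getallvms_output.splitlines()[1:]:  # skip the header row
        m = re.search(r"\[([^\]]+)\]\s+(\S+\.vmx)", line)
        if m:
            paths.add(f"/vmfs/volumes/{m.group(1)}/{m.group(2)}")
    return paths


def vmx_launched_from_rc(local_sh_text):
    """Return .vmx paths handed to vmx in an rc.local.d script (comments ignored)."""
    launched = []
    for line in local_sh_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if VMX_CMD_RE.search(stripped):
            launched.extend(VMX_PATH_RE.findall(stripped))
    return launched


def unregistered_rc_vms(getallvms_output, local_sh_text):
    """VMs started at boot by local.sh that getallvms does not list."""
    registered = registered_vmx_paths(getallvms_output)
    return [p for p in vmx_launched_from_rc(local_sh_text) if p not in registered]


# Constructed samples: two registered VMs, and a local.sh that restarts one of
# them plus a second .vmx that was never registered with the host.
SAMPLE_GETALLVMS = """Vmid   Name    File                          Guest OS               Version   Annotation
1      web01   [datastore1] web01/web01.vmx   ubuntu64Guest          vmx-19
2      db01    [datastore1] db01/db01.vmx     windows9Server64Guest  vmx-19
"""
SAMPLE_LOCAL_SH = """#!/bin/sh
# constructed: the second line below starts a VM that getallvms does not know
/bin/vmx /vmfs/volumes/datastore1/web01/web01.vmx &
/bin/vmx /vmfs/volumes/datastore1/.hidden/svc.vmx &
exit 0
"""

if __name__ == "__main__":
    for path in unregistered_rc_vms(SAMPLE_GETALLVMS, SAMPLE_LOCAL_SH):
        print("unregistered VM launched from local.sh:", path)
```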
Supported Platforms
Linux, macOS, Windows, ESXi
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-06-29T15:36:41.535Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may carry out malicious operations using a '
'virtual instance to avoid detection. A wide variety of '
'virtualization technologies exist that allow for the '
'emulation of a computer or computing environment. By running '
'malicious code inside of a virtual instance, adversaries can '
'hide artifacts associated with their behavior from security '
'tools that are unable to monitor activity inside the virtual '
'instance.(Citation: CyberCX Akira Ransomware) Additionally, '
'depending on the virtual networking implementation (ex: '
'bridged adapter), network traffic generated by the virtual '
'instance can be difficult to trace back to the compromised '
'host as the IP address and hostname might not match known '
'values.(Citation: SingHealth Breach Jan 2019)\n'
'\n'
'Adversaries may utilize native support for virtualization '
'(ex: Hyper-V), deploy lightweight emulators (ex: QEMU), or '
'drop the necessary files to run a virtual instance (ex: '
'VirtualBox binaries).(Citation: Securonix CronTrap 2024) '
'After running a virtual instance, adversaries may create a '
'shared folder between the guest and host with permissions '
'that enable the virtual instance to interact with the host '
'file system.(Citation: Sophos Ragnar May 2020)\n'
'\n'
'Threat actors may also leverage temporary virtualized '
'environments such as the Windows Sandbox, which supports the '
'use of `.wsb` configuration files for defining execution '
'parameters. For example, the `<MappedFolder>` property '
'supports the creation of a shared folder, while the '
'`<LogonCommand>` property allows the specification of a '
'payload.(Citation: ESET MirrorFace 2025)(Citation: ITOCHU '
'Hack the Sandbox)(Citation: ITOCHU Sandbox PPT)\n'
'\n'
'In VMWare environments, adversaries may leverage the vCenter '
'console to create new virtual machines. However, they may '
'also create virtual machines directly on ESXi servers by '
'running a valid `.vmx` file with the `/bin/vmx` utility. '
'Adding this command to `/etc/rc.local.d/local.sh` (i.e., [RC '
'Scripts](https://attack.mitre.org/techniques/T1037/004)) will '
'cause the VM to persistently restart.(Citation: vNinja Rogue '
'VMs 2024) Creating a VM this way prevents it from appearing '
'in the vCenter console or in the output to the `vim-cmd '
'vmsvc/getallvms` command on the ESXi server, thereby hiding '
'it from typical administrative activities.(Citation: MITRE '
'VMware Abuse 2024)',
'external_references': [{'external_id': 'T1564.006',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1564/006'},
{'description': ' Dominik Breitenbacher. (2025, March '
'18). Operation AkaiRyū: MirrorFace '
'invites Europe to Expo 2025 and '
'revives ANEL backdoor. Retrieved May '
'22, 2025.',
'source_name': 'ESET MirrorFace 2025',
'url': 'https://www.welivesecurity.com/en/eset-research/operation-akairyu-mirrorface-invites-europe-expo-2025-revives-anel-backdoor/'},
{'description': 'Christian Mohn. (2024, November 11). '
'Beware Of The Rogue VMs!. Retrieved '
'March 26, 2025.',
'source_name': 'vNinja Rogue VMs 2024',
'url': 'https://vninja.net/2024/11/11/beware-of-the-rogue-vms/'},
{'description': 'Committee of Inquiry into the Cyber '
'Attack on SingHealth. (2019, January '
'10). Public Report of the Committee '
'of Inquiry into the Cyber Attack on '
'Singapore Health Services Private '
"Limited's Patient Database. "
'Retrieved June 29, 2020.',
'source_name': 'SingHealth Breach Jan 2019',
'url': 'https://www.mci.gov.sg/-/media/mcicorp/doc/report-of-the-coi-into-the-cyber-attack-on-singhealth-10-jan-2019.ashx'},
{'description': 'CyberCX. (2023, September 15). '
'Weaponising VMs to bypass EDR – '
'Akira ransomware. Retrieved April 4, '
'2025.',
'source_name': 'CyberCX Akira Ransomware',
'url': 'https://cybercx.com.au/blog/akira-ransomware/'},
{'description': 'Den Iuzvyk and Tim Peck. (2024, '
'November 4). CRON#TRAP: Emulated '
'Linux Environments as the Latest '
'Tactic in Malware Staging. Retrieved '
'May 22, 2025.',
'source_name': 'Securonix CronTrap 2024',
'url': 'https://www.securonix.com/blog/crontrap-emulated-linux-environments-as-the-latest-tactic-in-malware-staging/'},
{'description': 'ITOCHU Cyber & Intelligence Inc.. '
'(2025, March 12). Hack The Sandbox: '
'Unveiling the Truth Behind '
'Disappearing Artifacts. Retrieved '
'November 5, 2025.',
'source_name': 'ITOCHU Hack the Sandbox',
'url': 'https://blog-en.itochuci.co.jp/entry/2025/03/12/140000'},
{'description': 'ITOCHU Cyber & Intelligence Inc.. '
'(n.d.). Hack The Sandbox: Unveiling '
'the Truth Behind Disappearing '
'Artifacts. Retrieved November 5, '
'2025.',
'source_name': 'ITOCHU Sandbox PPT',
'url': 'https://jsac.jpcert.or.jp/archive/2025/pdf/JSAC2025_2_9_kamekawa_sasada_niwa_en.pdf'},
{'description': 'Lex Crumpton. (2024, May 22). '
'Infiltrating Defenses: Abusing '
'VMware in MITRE’s Cyber Intrusion. '
'Retrieved March 26, 2025.',
'source_name': 'MITRE VMware Abuse 2024',
'url': 'https://medium.com/mitre-engenuity/infiltrating-defenses-abusing-vmware-in-mitres-cyber-intrusion-4ea647b83f5b'},
{'description': 'SophosLabs. (2020, May 21). Ragnar '
'Locker ransomware deploys virtual '
'machine to dodge security. Retrieved '
'June 29, 2020.',
'source_name': 'Sophos Ragnar May 2020',
'url': 'https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/'}],
'id': 'attack-pattern--b5327dd1-6bf9-4785-a199-25bcbd1f4a9d',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-11-05T15:22:05.269Z',
'name': 'Run Virtual Instance',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Johann Rehberger',
'Janantha Marasinghe',
'Menachem Shafran, XM Cyber',
'Enis Aksu',
'Satoshi Kamekawa, ITOCHU Cyber & Intelligence Inc.',
'Yusuke Niwa, ITOCHU Cyber & Intelligence Inc.',
'Shuhei Sasada, ITOCHU Cyber & Intelligence Inc.',
'Jiraput Thamsongkrah',
'Purinut Wongwaiwuttiguldej',
'Natthawut Saexu'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows', 'ESXi'],
'x_mitre_version': '1.3'}