Skip to main content
0 Results Found
              Back To Results
                Research & Intelligence

                Virtual Machines Used to Hide Activity?

                Adversaries could use virtual machines to remove evidence of activity By: Counter Threat Unit Research Team

                In July 2016, SecureWorks® Counter Threat Unit™ (CTU) researchers observed a threat actor creating and attempting to use a virtual machine (VM) in a compromised environment, likely to avoid detection.

                CTU™ researchers were engaged to use Red Cloak™ to monitor and report on process creation activity for a client that had experienced a targeted breach. The adversary had achieved a level of access that allowed them to interact with the Windows Explorer shell via the Terminal Services Client. Figure 1 shows the threat actor using the Microsoft Management Console (MMC) to launch the Hyper-V Manager, which is used to manage Microsoft's virtual machine (VM) infrastructure.

                Figure 1. Adversary's use of the MMC (mmc.exe). (Source: SecureWorks)

                Expanding the last process listed in Figure 1 reveals additional insight into the adversary's activity. As shown in Figure 2, the threat actor used vmconnect.exe to attempt to connect to their newly created VM, named "New Virtual Machine."

                Figure 2. Adversary's use of vmconnect.exe. (Source: SecureWorks)
                click to enlarge

                CTU researchers immediately reported this activity to the client and requested the system's Windows Event Log files for analysis. The client extracted the files with wevtutil.exe, a native command-line Windows utility used to manage Windows Event Logs. Table 1 lists the observed events from July 28, 2016.

                Time (UTC) Event Source/ID Description
                12:50:06 Microsoft-Windows-Sysmon/1 Process started (mmc.exe virtmgmt.msc)
                12:50:44 Microsoft-Windows-Hyper-V-VMMS/13002 New VM created
                Microsoft-Windows-Security-Auditing/4648 New logon attempt using explicit credentials
                Microsoft-Windows-Sysmon/6 Drivers loaded (vhdmp.sys, fsdepends.sys)
                12:50:45 Microsoft-Windows-Hyper-V-VMMS/27311 New VM created
                12:50:56 Microsoft-Windows-Sysmon/1 Process started (vmconnect.exe)
                12:51:01 Microsoft-Windows-Hyper-V-VMMS/20144 VM failed to start
                Microsoft-Windows-Hyper-V-VMMS/15130 VM failed to start
                12:51:08 Microsoft-Windows-Sysmon/5 Process terminated (vmconnect.exe)
                12:51:14 Microsoft-Windows-Hyper-V-VMMS/13003 VM deleted
                12:51:57 Microsoft-Windows-Sysmon/5

                Process terminated (mmc.exe)

                Table 1. Event Log activity for July 28, 2016.

                The events show the adversary using the MMC to create and attempt to launch a new VM. When the new VM did not start, the threat actor deleted it. The system that the adversary had compromised was itself a VM and therefore could not launch a new one.

                These actions illustrate the lengths a threat actor will go to mask their activities and avoid detection. The client's infrastructure was instrumented with both Red Cloak and Microsoft's Sysmon utility; however, the newly created VM had neither technology installed. If the adversary had successfully launched the VM, they could have used it to conduct their activity. Deleting the VM after they were done would have removed all indicators of their actions.

                Related Content

                Close Modal
                Close Modal