Run Virtual Instance - T1564.006
(ATT&CK® Technique)
Definition
Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (e.g., a bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host, as the IP address and hostname might not match known values.
D3FEND Inferred Relationships
Offensive technique and the artifacts it touches:
  Run Virtual Instance may-create Directory
  Run Virtual Instance creates File
  Run Virtual Instance executes Virtualization Software
  Run Virtual Instance may-add Virtualization Software

Defensive techniques, the artifact each acts on, and the inferred relationship to Run Virtual Instance:
  File Integrity Monitoring analyzes File; may-detect Run Virtual Instance
  File Eviction deletes File; may-evict Run Virtual Instance
  File Encryption encrypts File; may-harden Run Virtual Instance
  Software Update updates Virtualization Software; may-harden Run Virtual Instance
  Decoy File spoofs File; may-deceive Run Virtual Instance
  Local File Permissions restricts File and Directory; may-isolate Run Virtual Instance
  Restore Software restores Virtualization Software; may-restore Run Virtual Instance
  Restore File restores File; may-restore Run Virtual Instance
  Service Binary Verification verifies Virtualization Software; may-detect Run Virtual Instance
  Remote File Access Mediation isolates File; may-isolate Run Virtual Instance
  File Analysis analyzes File; may-detect Run Virtual Instance