Research & Intelligence

Virtual Machines Used to Hide Activity?

Adversaries could use virtual machines to remove evidence of activity

Virtual Machines Used to Hide Activity?

In July 2016, SecureWorks® Counter Threat Unit™ (CTU) researchers observed a threat actor creating and attempting to use a virtual machine (VM) in a compromised environment, likely to avoid detection.

CTU™ researchers were engaged to use Red Cloak™ to monitor and report on process creation activity for a client that had experienced a targeted breach. The adversary had achieved a level of access that allowed them to interact with the Windows Explorer shell via the Terminal Services Client. Figure 1 shows the threat actor using the Microsoft Management Console (MMC) to launch the Hyper-V Manager, which is used to manage Microsoft's virtual machine (VM) infrastructure.


Figure 1. Adversary's use of the MMC (mmc.exe). (Source: SecureWorks)

Expanding the last process listed in Figure 1 reveals additional insight into the adversary's activity. As shown in Figure 2, the threat actor used vmconnect.exe to attempt to connect to their newly created VM, named "New Virtual Machine."


Figure 2. Adversary's use of vmconnect.exe. (Source: SecureWorks)
click to enlarge

CTU researchers immediately reported this activity to the client and requested the system's Windows Event Log files for analysis. The client extracted the files with wevtutil.exe, a native command-line Windows utility used to manage Windows Event Logs. Table 1 lists the observed events from July 28, 2016.

Time (UTC) Event Source/ID Description
12:50:06 Microsoft-Windows-Sysmon/1 Process started (mmc.exe virtmgmt.msc)
12:50:44 Microsoft-Windows-Hyper-V-VMMS/13002 New VM created
Microsoft-Windows-Security-Auditing/4648 New logon attempt using explicit credentials
Microsoft-Windows-Sysmon/6 Drivers loaded (vhdmp.sys, fsdepends.sys)
12:50:45 Microsoft-Windows-Hyper-V-VMMS/27311 New VM created
12:50:56 Microsoft-Windows-Sysmon/1 Process started (vmconnect.exe)
12:51:01 Microsoft-Windows-Hyper-V-VMMS/20144 VM failed to start
Microsoft-Windows-Hyper-V-VMMS/15130 VM failed to start
12:51:08 Microsoft-Windows-Sysmon/5 Process terminated (vmconnect.exe)
12:51:14 Microsoft-Windows-Hyper-V-VMMS/13003 VM deleted
12:51:57 Microsoft-Windows-Sysmon/5

Process terminated (mmc.exe)

Table 1. Event Log activity for July 28, 2016.

The events show the adversary using the MMC to create and attempt to launch a new VM. When the new VM did not start, the threat actor deleted it. The system that the adversary had compromised was itself a VM and therefore could not launch a new one.

These actions illustrate the lengths a threat actor will go to mask their activities and avoid detection. The client's infrastructure was instrumented with both Red Cloak and Microsoft's Sysmon utility; however, the newly created VM had neither technology installed. If the adversary had successfully launched the VM, they could have used it to conduct their activity. Deleting the VM after they were done would have removed all indicators of their actions.



ABOUT THE AUTHOR
COUNTER THREAT UNIT RESEARCH TEAM

The Secureworks Counter Threat Unit™ (CTU) is a dedicated threat research team that analyzes threat data across our global customer base and actively monitors the threat landscape.
Back to all Blogs

GET THE LATEST SECURITY UPDATES

Thank you for your submission.

Try Taegis Today

Request a demo to see how Taegis can reduce your risk, optimize your existing security investments, and fill your talent gaps.