
Hypervisor

A type-1 hypervisor is a software layer that sits between the guest operating systems and the system's hardware. [1] It presents a virtual execution environment to each guest operating system. Xen is an example of a common hypervisor. [2] Because a type-1 hypervisor operates at a level below the operating system, it could be designed with Rootkit functionality to hide its existence from the guest operating system. [3] A malicious hypervisor of this nature could be used to persist on systems through interruption.

ID: T1062

Tactic: Persistence

Platform: Windows

Permissions Required: Administrator, SYSTEM

Data Sources: System calls

CAPEC ID: CAPEC-552

Version: 1.0

Mitigation

Prevent adversary access to privileged accounts necessary to install a hypervisor.

Detection

Type-1 hypervisors may be detected by performing timing analysis. Hypervisors emulate certain CPU instructions that would normally be executed by the hardware. If an instruction takes orders of magnitude longer to execute than normal on a system that should not contain a hypervisor, one may be present. [4]
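The timing check described above, written out as an added example (it is not code from the ATT&CK page or its references). It times the CPUID instruction, which a hypervisor must intercept, with RDTSCP on GCC/Clang x86; the baseline and ratio passed to the classifier are assumed calibration values that a defender takes from known-clean hardware of the same model, not fixed constants.

```c
#include <stdint.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#define HAVE_X86_CPUID 1
#include <cpuid.h>      /* __cpuid macro (GCC/Clang) */
#include <x86intrin.h>  /* __rdtscp */
#else
#define HAVE_X86_CPUID 0
#endif

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median cost, in TSC cycles, of one CPUID(leaf 0) over `samples` runs.
 * CPUID always exits to a hypervisor, so under virtualisation it costs far
 * more than the few hundred cycles seen on bare metal. The median is used
 * because interrupts make the mean noisy. Returns 0 when not measurable. */
uint64_t median_cpuid_cycles(int samples) {
#if HAVE_X86_CPUID
    if (samples < 1) return 0;
    uint64_t *t = malloc((size_t)samples * sizeof *t);
    if (!t) return 0;
    for (int i = 0; i < samples; i++) {
        unsigned a, b, c, d, aux;
        uint64_t start = __rdtscp(&aux);
        __cpuid(0, a, b, c, d);          /* the instruction being timed */
        t[i] = __rdtscp(&aux) - start;
    }
    qsort(t, (size_t)samples, sizeof *t, cmp_u64);
    uint64_t median = t[samples / 2];
    free(t);
    return median;
#else
    (void)samples;
    return 0;
#endif
}

/* 1 if the measured median is more than `ratio` times a baseline taken on
 * known-clean hardware of the same model (baseline and ratio are assumed
 * calibration inputs, not fixed constants). No data means no alert. */
int hypervisor_timing_suspect(uint64_t median, uint64_t baseline, unsigned ratio) {
    if (median == 0 || baseline == 0) return 0;
    return median > baseline * ratio;
}
```

A single high sample is not evidence on its own; compare the median against the calibrated baseline and treat the result as a lead for further investigation rather than proof.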

References