

A type-1 hypervisor is a software layer that sits between the guest operating systems and the system's hardware. [1] It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. [2] A type-1 hypervisor operates at a level below the operating system and could be designed with Rootkit functionality to hide its existence from the guest operating system. [3] A malicious hypervisor of this nature could be used to persist on systems through interruption.

ID: T1062
Tactic: Persistence
Platform: Windows
Permissions Required: Administrator, SYSTEM
Data Sources: System calls
Version: 1.0


This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.


Type-1 hypervisors may be detected by performing timing analysis. Hypervisors emulate certain CPU instructions that would normally be executed by the hardware. If an instruction takes orders of magnitude longer to execute than normal on a system that should not contain a hypervisor, one may be present. [4]
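As an added illustration of the timing analysis described above (example code, not part of the ATT&CK page), the following C program times the CPUID instruction against a plain arithmetic baseline on x86 and applies an assumed ratio threshold; the threshold value, sample count and function names are choices made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>  /* __rdtsc, __rdtscp */
#include <cpuid.h>      /* __cpuid */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif
#define SAMPLES 2000  /* the median over many runs suppresses interrupt and scheduler noise */
static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}
/* TSC ticks for one timed operation. CPUID must be intercepted by a hardware-assisted
 * hypervisor, so each execution pays a VM-exit/VM-entry round trip that bare metal never
 * does; the baseline is plain arithmetic that no hypervisor has a reason to intercept. */
static uint64_t time_once(int use_cpuid) {
#if HAVE_X86
    unsigned a = 0, b = 0, c = 0, d = 0, aux; volatile uint64_t acc = 1;
    uint64_t start = __rdtsc();
    if (use_cpuid) __cpuid(0, a, b, c, d);
    else for (int i = 0; i < 8; i++) acc = acc * 3 + 7;
    (void)a; (void)b; (void)c; (void)d;
    return __rdtscp(&aux) - start;  /* rdtscp waits for the timed work to retire first */
#else
    (void)use_cpuid; return 0;  /* not x86: no measurement possible */
#endif
}
static uint64_t median_ticks(int use_cpuid) {
    uint64_t v[SAMPLES];
    for (int i = 0; i < SAMPLES; i++) v[i] = time_once(use_cpuid);
    qsort(v, SAMPLES, sizeof v[0], cmp_u64);
    return v[SAMPLES / 2];
}
/* Pure decision rule: flag when CPUID costs at least `ratio` times the baseline.
 * `ratio` is an assumed threshold; calibrate it on hardware known to run bare metal,
 * and remember that a hypervisor which offsets the TSC can defeat this heuristic. */
int timing_suggests_hypervisor(uint64_t cpuid_ticks, uint64_t base_ticks, uint64_t ratio) {
    return base_ticks != 0 && cpuid_ticks >= base_ticks * ratio;
}
/* 1 = timing suggests a hypervisor, 0 = looks native, -1 = could not measure on this CPU. */
int hypervisor_timing_check(uint64_t ratio) {
    uint64_t c = median_ticks(1), b = median_ticks(0);
    if (b == 0) return -1;
    printf("median ticks: cpuid=%llu baseline=%llu\n", (unsigned long long)c, (unsigned long long)b);
    return timing_suggests_hypervisor(c, b, ratio);
}
int main(void) { return hypervisor_timing_check(10) == 1; }
```

Run it on a machine that should be bare metal and compare the printed medians against a calibration run; a large, stable CPUID-to-baseline ratio is the signal the text describes.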