Hypervisor

Technique
ID: T1062
Tactic: Persistence
Platform: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1
Permissions Required: Administrator, SYSTEM
Data Sources: System calls
CAPEC ID: CAPEC-552

A type-1 hypervisor is a software layer that sits between the guest operating systems and the system's hardware.[1] It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen.[2] A type-1 hypervisor operates at a level below the operating system and could be designed with Rootkit functionality to hide its existence from the guest operating system.[3] A malicious hypervisor of this nature could be used to persist on systems through interruption.

Mitigation

Prevent adversary access to privileged accounts necessary to install a hypervisor.

Detection

Type-1 hypervisors may be detected by performing timing analysis. Hypervisors emulate certain CPU instructions that would normally be executed by the hardware. If an instruction takes orders of magnitude longer to execute than normal on a system that should not contain a hypervisor, one may be present.[4]
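As an added illustration of the timing analysis described above (example code, not from ATT&CK or any of its cited sources), the program below measures the minimum cycle cost of CPUID, an instruction every hypervisor intercepts, against a plain add that nothing intercepts, and flags the host when CPUID is far slower than an assumed bare-metal threshold. The threshold, the sample count and the HV_TIMING_SUPPORTED guard are assumptions of this example.

```c
/* Added example (not from the ATT&CK page): timing check for a hypervisor that
 * traps CPUID. Build on x86/x86-64 with GCC or Clang: gcc -O2 hv_timing.c */
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HV_TIMING_SUPPORTED 1
#else
#define HV_TIMING_SUPPORTED 0
#endif
#define SAMPLES 2000
/* Assumed threshold: CPUID costs ~100-300 cycles on bare metal, but a trap-and-emulate
 * round trip through a hypervisor costs thousands. */
#define CPUID_SUSPICIOUS_CYCLES 1000

/* Minimum cycle cost over SAMPLES runs of CPUID (which a hypervisor must
 * trap) or, for a baseline, a plain add (which nothing traps). The minimum is
 * used because interrupts and scheduling only ever add time. */
uint64_t min_cycles(int use_cpuid) {
#if HV_TIMING_SUPPORTED
    uint64_t best = UINT64_MAX;
    unsigned int a, b, c, d;
    volatile unsigned int x = 0;
    for (int i = 0; i < SAMPLES; i++) {
        uint64_t t0 = __rdtsc();
        if (use_cpuid) __cpuid(0, a, b, c, d); /* unconditional VM exit under VT-x */
        else x += 1;
        uint64_t t1 = __rdtsc();
        if (t1 - t0 < best) best = t1 - t0;
    }
    return best;
#else
    (void)use_cpuid;
    return 0;                                 /* not x86: check does not apply */
#endif
}

/* 1 = CPUID is far slower than it should be, consistent with trap-and-emulate. */
int cpuid_looks_trapped(uint64_t cpuid_cycles, uint64_t baseline_cycles) {
    if (baseline_cycles == 0) baseline_cycles = 1;
    return cpuid_cycles > CPUID_SUSPICIOUS_CYCLES && cpuid_cycles / baseline_cycles >= 10;
}

int main(void) {
    if (!HV_TIMING_SUPPORTED) { puts("x86 only"); return 2; }
    uint64_t c = min_cycles(1), b = min_cycles(0);
    printf("CPUID min %llu cycles, baseline min %llu cycles: %s\n", (unsigned long long)c,
           (unsigned long long)b, cpuid_looks_trapped(c, b) ? "hypervisor likely present"
                                                             : "no evidence of trapping");
    return 0;
}
```

The check reacts to any hypervisor, legitimate or not, so it is only meaningful on hosts that should not be virtualised; a baseline captured on identical known-good hardware is a better reference than the fixed threshold.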