title: Detect Virtualbox Driver Installation OR Starting Of VMs
author: Janantha Marasinghe
date: 2020/09/26
description: Adversaries can carry out malicious operations using a virtual instance
  to avoid detection. This rule is built to detect the registration of the Virtualbox
  driver or start of a Virtualbox VM.
detection:
  SELECTION_1:
    EventID: 1
  SELECTION_2:
    CommandLine:
    - '*VBoxRT.dll,RTR3Init*'
    - '*VBoxC.dll*'
    - '*VBoxDrv.sys*'
  SELECTION_3:
    CommandLine:
    - '*startvm*'
    - '*controlvm*'
  condition: (SELECTION_1 and (SELECTION_2 or SELECTION_3))
falsepositives:
- This may have false positives on hosts where Virtualbox is legitimately being used
  for operations
fields:
- ComputerName
- User
- CommandLine
- ParentCommandLine
id: bab049ca-7471-4828-9024-38279a4c04da
level: low
logsource:
  category: process_creation
  product: windows
modified: 2021/06/27
references:
- https://attack.mitre.org/techniques/T1564/006/
- https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
- https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
status: experimental
tags:
- attack.defense_evasion
- attack.t1564.006
- attack.t1564