Skip to content

Latest commit

 

History

History
46 lines (25 loc) · 1.79 KB

T1062.md

File metadata and controls

46 lines (25 loc) · 1.79 KB

T1062 - Hypervisor

A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with [Rootkit](https://attack.mitre.org/techniques/T1014) functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption.

Atomic Tests


Atomic Test #1 - Installing Hyper-V Feature

PowerShell command to check if Hyper-v is installed. Install Hyper-V feature. Create a New-VM

Upon successful execution, powershell will check if Hyper-V is installed, if not, install it and create a base vm. Output will be via stdout.

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
hostname Host to query to see if Hyper-V feature is installed. string test-vm
vm_name Create a new VM. string testvm
file_location Location of new VHDX file string C:\Temp\test.vhdx

Attack Commands: Run with powershell!

Get-WindowsFeature -Name Hyper-V -ComputerName #{hostname}
Install-WindowsFeature -Name Hyper-V -ComputerName #{hostname} -IncludeManagementTools
New-VM -Name #{vm_name} -MemoryStartupBytes 1GB -NewVHDPath #{file_location} -NewVHDSizeBytes 21474836480