A type-1 hypervisor is a software layer that sits between the guest operating systems and system's hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with Rootkit functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption.Detection: Type-1 hypervisors may be detected by performing timing analysis. Hypervisors emulate certain CPU instructions that would normally be executed by the hardware. If an instruction takes orders of magnitude longer to execute than normal on a system that should not contain a hypervisor, one may be present. (Citation: virtualization.info 2006)
Platforms: Windows
Data Sources: System calls
Permissions Required: Administrator, SYSTEM
PowerShell command to check if Hyper-v is installed . Install Hyper-V feature. Create a New-VM
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| hostname | Host to query to see if Hyper-V feature is installed. | string | test-vm |
| vm_name | Create a new VM. | string | testvm |
| file_location | Location of new VHDX file | string | C:\Temp\test.vhdx |
Get-WindowsFeature -Name Hyper-V -ComputerName #{hostname}
Install-WindowsFeature -Name Hyper-V -ComputerName #{hostname} -IncludeManagementTools
New-VM -Name #{vm_name} -MemoryStartupBytes 1GB -NewVHDPath #{file_location} -NewVHDSizeBytes 21474836480