Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Potentially Suspicious Usage Of Qemu

Detects potentially suspicious execution of the Qemu utility in a Windows environment. Threat actors have leveraged this utility and this technique for achieving network access as reported by Kaspersky.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Muhammad Faisal, Hunter JuhanCreated Mon Jun 035fc297ae-25b6-488a-8f25-cc12ac29b744windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        CommandLine|contains:
            - '-m 1M' # VM with just 1MB of ram is insufficient this is a suspicious flag
            - '-m 2M'
            - '-m 3M'
        CommandLine|contains|all:
            - 'restrict=off'
            - '-netdev '
            - 'connect='
            - '-nographic' # This is also a key detection no one invoke without UI from console usually its a flag.
    filter_main_normal_usecase:
        CommandLine|contains:
            - ' -cdrom ' # Normal usage cases
            - ' type=virt '
            - ' -blockdev '
    condition: selection and not 1 of filter_main_*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
securelist.com
2
Resolving title…
qemu.org
MITRE ATT&CK
Rule Metadata
Rule ID
5fc297ae-25b6-488a-8f25-cc12ac29b744
Status
test
Level
medium
Type
Detection
Created
Mon Jun 03
Author
Muhammad Faisal, Hunter Juhan
Path
rules/windows/process_creation/proc_creation_win_qemu_suspicious_execution.yml
Raw Tags
attack.command-and-controlattack.t1090attack.t1572
View on GitHub