LoFP / Some legitimate virtual machine setups or automated testing environments may run QEMU with the -nographic flag. Review and whitelist approved systems to reduce false alerts.

Techniques

Sample rules

Windows Suspicious QEMU Execution

Description

Detects execution of the QEMU binary with an image file and the -nographic flag, which runs the virtual machine in the background without any display. This has been observed as a persistence and initial access technique used by some threat actors to install a rogue Linux virtual machine.

Detection logic

`sysmon` EventID=1 CommandLine="*-nographic*" CommandLine="*.img*"
    (Description="*QEMU machine*" OR Product="QEMU" OR Company="*qemu*")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
    by Computer EventID CommandLine Description Product Company action dest
       original_file_name parent_process parent_process_exec parent_process_guid
       parent_process_id parent_process_name parent_process_path process_hash
       process_integrity_level user user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_suspicious_qemu_execution_filter`
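The following Python script is an added example, not part of the LoFP page or of the Splunk security content rule. It re-implements the search's matching conditions over constructed Sysmon EventID 1 records, aggregates hits the way `stats count min(_time) max(_time) by ...` does (grouping on a subset of the fields for brevity), and stands in an assumed host allowlist (APPROVED_HOSTS) for the `windows_suspicious_qemu_execution_filter` macro to show how the false-positive note above plays out: an approved CI build host running headless QEMU is suppressed, while the same pattern on a workstation still surfaces.

```python
"""Stand-in for the Splunk search above: match Sysmon EventID 1 records on the
same field conditions, aggregate like `stats`, then apply an allowlist in place
of the `windows_suspicious_qemu_execution_filter` macro (assumed allowlist)."""
import fnmatch
from collections import defaultdict

# Constructed Sysmon process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    # Workstation running a headless QEMU VM twice: should be reported with count 2.
    {"_time": 1700000000, "Computer": "WS01", "EventID": 1, "user": "CORP\\alice",
     "CommandLine": "qemu-system-x86_64.exe -m 1024 -drive file=C:\\Users\\Public\\disk.img -nographic",
     "Description": "QEMU machine emulators and tools", "Product": "QEMU", "Company": "QEMU"},
    {"_time": 1700003600, "Computer": "WS01", "EventID": 1, "user": "CORP\\alice",
     "CommandLine": "qemu-system-x86_64.exe -m 1024 -drive file=C:\\Users\\Public\\disk.img -nographic",
     "Description": "QEMU machine emulators and tools", "Product": "QEMU", "Company": "QEMU"},
    # Approved CI build host: same pattern, suppressed by the allowlist.
    {"_time": 1700000100, "Computer": "BUILD07", "EventID": 1, "user": "CORP\\ci-runner",
     "CommandLine": "qemu-system-x86_64.exe -nographic -hda test.img",
     "Description": "", "Product": "QEMU", "Company": ""},
    # QEMU with a display attached (no -nographic): no match.
    {"_time": 1700000200, "Computer": "WS02", "EventID": 1, "user": "CORP\\bob",
     "CommandLine": "qemu-system-x86_64.exe -hda disk.img",
     "Description": "QEMU machine emulators and tools", "Product": "QEMU", "Company": "QEMU"},
    # Both command-line strings present but binary metadata is not QEMU: no match.
    {"_time": 1700000300, "Computer": "WS04", "EventID": 1, "user": "CORP\\carol",
     "CommandLine": "tool.exe -nographic notes.img",
     "Description": "Some Tool", "Product": "Some Tool", "Company": "Example Corp"},
    # Not a process-creation event (EventID 3): ignored.
    {"_time": 1700000400, "Computer": "WS01", "EventID": 3, "user": "CORP\\alice",
     "CommandLine": "qemu-system-x86_64.exe -nographic -hda disk.img",
     "Description": "QEMU machine emulators and tools", "Product": "QEMU", "Company": "QEMU"},
]

# Assumed allowlist of hosts whose headless QEMU use has been reviewed and approved;
# stands in for the filter macro, which the page does not define.
APPROVED_HOSTS = {"BUILD07"}


def glob_match(value, pattern):
    """Splunk-style field match: '*' wildcard, case-insensitive comparison."""
    return fnmatch.fnmatchcase(str(value).lower(), pattern.lower())


def matches_rule(event):
    """Same conditions as the search: EventID 1, both '-nographic' and '.img' in the
    command line, and at least one binary-metadata field identifying QEMU."""
    if event.get("EventID") != 1:
        return False
    cmd = event.get("CommandLine", "")
    if not (glob_match(cmd, "*-nographic*") and glob_match(cmd, "*.img*")):
        return False
    return (glob_match(event.get("Description", ""), "*QEMU machine*")
            or glob_match(event.get("Product", ""), "QEMU")
            or glob_match(event.get("Company", ""), "*qemu*"))


def run_detection(events, approved_hosts=frozenset()):
    """Aggregate matching events by (Computer, CommandLine, user) with count,
    firstTime and lastTime, then drop rows for approved hosts."""
    groups = defaultdict(list)
    for ev in events:
        if matches_rule(ev):
            groups[(ev["Computer"], ev["CommandLine"], ev["user"])].append(ev["_time"])
    results = []
    for (computer, cmd, user), times in groups.items():
        if computer in approved_hosts:  # allowlist step replacing the filter macro
            continue
        results.append({"Computer": computer, "CommandLine": cmd, "user": user,
                        "count": len(times), "firstTime": min(times), "lastTime": max(times)})
    return results


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS, APPROVED_HOSTS):
        print(hit)
```

With the allowlist applied, only the WS01 row remains (count 2); without it, BUILD07 also surfaces, which is exactly the false positive the note at the top of the page describes. Keeping the allowlist keyed on reviewed hosts (or, in Splunk, on the fields the `by` clause already carries, such as dest and user) is what keeps the tuning from silently excluding any host that happens to run QEMU.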