Potentially Suspicious Usage Of Qemu - Virtual Machine Created With Very Low RAM Size

Rule Info

Name
Potentially Suspicious Usage Of Qemu - Virtual Machine Created With Very Low RAM Size
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects potentially suspicious execution of the Qemu utility in a Windows environment where the RAM size allocated to the virtual machine is very low. This could be a sign of abuse: as reported by Kaspersky, threat actors have leveraged this utility and this technique to achieve network access.
Date
2024-06-04 00:00:00
Modified
None
Id
53fab9d4-fb29-4bdf-99b5-376a5886a589
Tags
attack.command_and_control attack.t1090 attack.t1572
Type
Nextron Sigma feed only (private)

Rule History