MITRE ATT&CK® Analytic

AN0573: Analytic 0573

Detects attempts to enumerate VMs via hypervisor tools like `virsh`, `VBoxManage`, or `qemu-img`. Defender correlates suspicious command invocations with parent process lineage and unexpected users.

Enterprise | AN0573 | Analytic | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

This analytic matters because Linux hypervisor management tools can reveal what virtual machines exist on a host. For executives and security leaders, the practical risk is loss of visibility into who is inspecting virtualization assets and whether that activity is part of normal administration, incident response, or suspicious discovery. The value is not the tool names alone, but whether the organization can distinguish approved hypervisor administration from unexpected enumeration by unusual users or process chains.

Executive priority

Prioritize this as a visibility and control-validation item for Linux virtualization environments. Leaders should ask whether SOC teams collect command execution, user, and parent-process context from hypervisor hosts; whether approved administrators and service accounts are documented; and whether incidents involving virtualization infrastructure can be triaged quickly. This supports operational resilience, audit evidence for privileged activity monitoring, and incident decision-making around systems that may host business-critical workloads.

Technical view

AN0573 is a Linux detection analytic for attempts to enumerate VMs using hypervisor-related tools such as virsh, VBoxManage, or qemu-img. Since the official detection logic is not provided, teams should implement or validate monitoring around suspicious command invocations, parent process lineage, and unexpected users. Triage should compare observed activity against known hypervisor administration workflows, scheduled automation, maintenance windows, and authorized accounts. No ATT&CK tactic or relationship context was supplied, so the analytic should be treated as a focused behavioral signal rather than mapped to a broader campaign or technique chain from the provided data alone.

Likely telemetry

  • Linux process creation events with command-line arguments
  • Parent and child process lineage
  • User and effective user context for command execution
  • Host identity and role, especially Linux systems used for virtualization or hypervisor management
  • Authentication or session context where available

Detection direction

  • Validate that process execution telemetry is collected from relevant Linux hypervisor or virtualization management hosts.
  • Alert or hunt for invocations of hypervisor tools such as virsh, VBoxManage, or qemu-img when used by unexpected users or launched from unusual parent processes.
  • Tune against known administrative baselines, including approved virtualization administrators, maintenance scripts, backup workflows, and inventory tooling.
  • Review parent process lineage to separate interactive shell use, automation, and potentially suspicious execution paths.
  • Document blind spots where command-line arguments, parent process data, or user attribution are missing, because those fields are central to the analytic as described.
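The detection direction above, written out as rule logic, as an added example that is not code from the MITRE analytic or from Glexia: it correlates the three signals the analytic names (tool invoked, executing user, parent lineage) over a few constructed process-creation events. The event field names, the approved-user and parent-process baselines, and the enumeration subcommand set are assumptions to be replaced with local telemetry and baselines.

```python
"""Added example, not from MITRE or Glexia: AN0573 rule logic over constructed events; field names and baselines are assumptions."""
import os
from collections import namedtuple

# Tools named by the analytic, with the subcommands that reveal VM inventory (constructed set; extend locally).
ENUM_SUBCOMMANDS = {"virsh": {"list", "dominfo"}, "VBoxManage": {"list", "showvminfo"}, "qemu-img": {"info"}}
# Local baseline (constructed): approved accounts, automation parents, interactive shells.
APPROVED_USERS = {"root", "libvirt-admin", "backup-svc"}
AUTOMATION_PARENTS = {"cron", "ansible-playbook", "vm-inventory.sh"}
INTERACTIVE_SHELLS = {"bash", "sh", "zsh"}
ProcEvent = namedtuple("ProcEvent", "host user parent cmdline")  # one process-creation event

def enumeration_tool(cmdline):
    """Return (tool, subcommand) if the command line is a VM-enumeration call, else None."""
    argv = cmdline.split()
    if len(argv) < 2:
        return None
    tool = os.path.basename(argv[0])  # tolerate a full path such as /usr/bin/virsh
    if tool in ENUM_SUBCOMMANDS and argv[1] in ENUM_SUBCOMMANDS[tool]:
        return tool, argv[1]
    return None

def lineage(parent):
    """Classify the parent process as automation, interactive shell, or unusual."""
    if parent in AUTOMATION_PARENTS:
        return "automation"
    return "interactive" if parent in INTERACTIVE_SHELLS else "unusual"

def evaluate(ev):
    """Correlate tool, user and lineage per AN0573: 'alert', 'review' (approved user in a shell), 'baseline' or 'ignore'."""
    hit = enumeration_tool(ev.cmdline)
    if hit is None:
        return "ignore", []
    reasons = []
    if ev.user not in APPROVED_USERS:
        reasons.append(f"unexpected user {ev.user}")
    how = lineage(ev.parent)
    if how == "unusual":
        reasons.append(f"unusual parent {ev.parent}")
    if reasons:
        return "alert", reasons
    return ("review" if how == "interactive" else "baseline"), [f"{hit[0]} {hit[1]} by {ev.user} via {how}"]

# Constructed sample events: scheduled inventory, admin shell use, a web-app account enumerating VMs, a non-enumeration call.
SAMPLE_EVENTS = [
    ProcEvent("kvm-host-01", "backup-svc", "cron", "/usr/bin/virsh list --all"),
    ProcEvent("kvm-host-01", "libvirt-admin", "bash", "virsh dominfo web-prod-03"),
    ProcEvent("kvm-host-01", "www-data", "php-fpm", "VBoxManage list vms"),
    ProcEvent("kvm-host-01", "root", "bash", "qemu-img convert -O qcow2 a.img b.qcow2"),
]
```

Events whose user or parent is missing from your telemetry cannot be scored this way, which is the blind spot the last item above asks you to document.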

Mitigation priorities

  • Maintain an inventory of Linux systems that run or manage virtualization tooling.
  • Restrict hypervisor management tool access to authorized administrators and service accounts.
  • Define and periodically review approved users, groups, and automation paths for VM enumeration activities.
  • Ensure endpoint or system logging captures process command line, parent process, and user context on relevant Linux hosts.
  • Use detection tuning and incident runbooks to distinguish normal administration from unexpected enumeration.

Analyst notes and limits

The supplied object is a detection analytic, not a full ATT&CK technique entry. Its decision value is strongest where Linux virtualization infrastructure is in scope and where VM inventory visibility is sensitive to operations or incident response. Glexia would use this analytic to validate whether managed detection, IR readiness, and privileged activity monitoring can answer: who enumerated VMs, from where, using what tool, and whether that behavior was expected.

The official detection field is not provided, tactics are not specified, and no relationship context was supplied. This take does not infer attribution, active exploitation, impact, or coverage beyond the stated Linux platform and described command-invocation behavior. Local baselines, asset roles, and telemetry quality are required to determine severity and reduce false positives.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 681c710fc238bd8f...

Imported snapshots across ATT&CK releases (1)

Release   Bundle imported   Object version   Modified   Status           Raw hash
19.1                        1.0                         Current bundle   681c710fc238…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN0573 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.