Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0575: Analytic 0575

Detects VM enumeration attempts using virtualization utilities such as VirtualBox (`VBoxManage`) or Parallels CLI. Defender observes abnormal invocation of VM listing commands correlated with non-admin users or unusual parent processes.

EnterpriseAN0575AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

This analytic is about spotting suspicious virtual machine enumeration on macOS, especially use of virtualization command-line utilities such as VirtualBox VBoxManage or Parallels CLI to list VMs. For leaders, the value is not the command itself; it is whether the organization can see when non-admin users or unusual parent processes are probing local virtualization assets, which may matter in developer, engineering, lab, or administrative environments where VMs support business operations.

Executive priority

Prioritize this where macOS systems run VirtualBox or Parallels and where local VMs are used for development, testing, operations, or sensitive workflows. The key governance question is whether SOC and incident response teams have enough macOS endpoint telemetry to distinguish expected VM administration from abnormal enumeration by non-admin users or unexpected process chains. This can support operational resilience, audit evidence for endpoint monitoring, and faster incident scoping when virtualization assets are involved.

Technical view

Validate coverage on macOS endpoints for process execution involving virtualization utilities, particularly VM listing activity from VBoxManage or Parallels CLI. The supplied analytic emphasizes correlation with non-admin users and unusual parent processes, so detection engineering should baseline legitimate administrator, developer, and automation usage before alerting broadly. Because no ATT&CK tactic or relationship context is supplied, treat this as a focused detection analytic rather than a complete behavior chain.

Likely telemetry

  • macOS process execution events including command line arguments
  • User and privilege context for the invoking account, including admin versus non-admin status
  • Parent and child process relationships for virtualization utility execution
  • Endpoint inventory showing where VirtualBox or Parallels tooling is installed
  • Historical baseline of expected VM administration activity by users, hosts, and automation

Detection direction

  • Alert or hunt for VBoxManage or Parallels CLI invocations that enumerate VMs, especially from non-admin users.
  • Correlate command execution with parent process context; unusual parents should receive higher review priority than known terminal, management, or automation workflows after local baselining.
  • Tune out expected VM administration by authorized administrators, developers, and approved scripts to reduce false positives.
  • Confirm macOS endpoint telemetry captures full command line and parent process data; without those fields, this analytic may be difficult to validate.
  • Use endpoint inventory to scope detection to systems where the relevant virtualization utilities exist, while retaining awareness that missing inventory may create blind spots.

Mitigation priorities

  • Establish an approved-use baseline for local virtualization tools on macOS systems.
  • Limit VM administration capabilities to authorized users and managed workflows where business operations permit.
  • Ensure endpoint monitoring collects process command line, user context, and parent process data on macOS.
  • Review unusual virtualization utility usage during incident triage, especially when performed by non-admin users or unexpected processes.
  • Document expected virtualization administration activity as compliance and SOC tuning evidence.
Analyst notes and limits

The official object is a detection analytic, not a full technique description. It specifies macOS and VM enumeration via VirtualBox or Parallels CLI, with emphasis on abnormal invocation correlated with non-admin users or unusual parent processes. No tactic, relationship context, or official detection logic was supplied, so local baselining is essential.

This take is limited to the supplied ATT&CK fields. It does not establish adversary attribution, active exploitation, impact, or guaranteed detection. Coverage depends on whether the environment uses these virtualization tools and whether macOS endpoint telemetry includes complete process, command line, user privilege, and parent process data.

Official MITRE ATT&CK definition

Analytic 0575

Detects VM enumeration attempts using virtualization utilities such as VirtualBox (`VBoxManage`) or Parallels CLI. Defender observes abnormal invocation of VM listing commands correlated with non-admin users or unusual parent processes.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
5ed4e2548b3140e5...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 5ed4e2548b31…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0575
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use