Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN0910: Analytic 0910

Execution of QEMU, KVM, or VirtualBox processes with unusual flags (e.g., '-nographic', '-snapshot'). File creation of VM images in atypical directories. Defender view: monitoring audit logs for process executions and file modifications linked to hidden virtualization.

EnterpriseAN0910AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic is about spotting potentially hidden virtualization activity on Linux, such as QEMU, KVM, or VirtualBox being run with unusual flags or VM image files being created in unexpected directories. For leaders, the practical value is not that virtualization is bad by itself, but that unapproved or concealed virtual machines can create blind spots for monitoring, asset governance, incident scoping, and compliance evidence.

Executive priority

Treat this as a control-validation opportunity for Linux environments: can the organization identify when virtualization tooling is used outside approved administrative or development workflows? The business risk is unmanaged compute activity that may evade normal endpoint visibility, complicate incident response, and weaken audit confidence around asset inventory and change control. Priority should be higher where Linux systems support sensitive workloads, privileged administration, regulated data, or operationally important services.

Technical view

SOC and detection teams should validate Linux telemetry for process execution involving QEMU, KVM, or VirtualBox and arguments such as '-nographic' or '-snapshot', along with file creation of VM image artifacts in atypical directories. Because the ATT&CK object provides no tactic mapping, no relationship context, and no formal detection logic, this should be implemented as an environment-tuned behavior analytic rather than a standalone high-confidence alert. Baseline expected virtualization usage by administrators, CI/CD, engineering labs, and approved host platforms before escalating.

Likely telemetry

  • Linux process execution telemetry including process name, command-line arguments, parent process, user, working directory, and timestamp
  • Linux audit logs covering process execution and file modification events
  • File creation and modification events for VM image files, especially outside approved virtualization storage paths
  • Host inventory or software inventory showing installed QEMU, KVM, or VirtualBox components
  • User and privilege context for accounts launching virtualization processes

Detection direction

  • Confirm that Linux audit or endpoint telemetry captures full command-line arguments for QEMU, KVM, and VirtualBox-related processes.
  • Tune for unusual flags referenced by the analytic, including '-nographic' and '-snapshot', while allowing for documented administrative, lab, or automation use cases.
  • Identify approved directories for VM images and alert on image creation in atypical locations relative to the local environment.
  • Correlate process execution with parent process, user role, host purpose, and recent file modifications to reduce false positives from legitimate virtualization workflows.
  • Document blind spots where Linux hosts lack audit coverage, command-line capture, or file modification telemetry.

Mitigation priorities

  • Establish and maintain an approved-use policy for virtualization tooling on Linux systems.
  • Limit installation and execution of virtualization software to authorized users and hosts where business need exists.
  • Define approved storage locations for VM images and monitor deviations through file integrity or audit logging controls.
  • Include virtualization tooling and VM image paths in asset inventory, change management, and incident response collection plans.
  • Use detection findings to improve Linux logging coverage before relying on this analytic for operational alerting.
Analyst notes and limits

The supplied ATT&CK object is a detection analytic for Linux focused on hidden virtualization indicators: execution of QEMU, KVM, or VirtualBox with unusual flags and VM image creation in atypical directories. No tactics, relationships, aliases, labels, or official detection logic were supplied, so this take emphasizes validation, baselining, and control assurance rather than threat attribution or confirmed malicious behavior.

This assessment is limited to the supplied STIX fields and external reference. It does not establish active exploitation, adversary use, impact, or complete detection coverage. Local baselines are required because virtualization activity can be legitimate in engineering, administrative, testing, and automation contexts.

Official MITRE ATT&CK definition

Analytic 0910

Execution of QEMU, KVM, or VirtualBox processes with unusual flags (e.g., '-nographic', '-snapshot'). File creation of VM images in atypical directories. Defender view: monitoring audit logs for process executions and file modifications linked to hidden virtualization.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
fb25bf52a36a7e36...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle fb25bf52a36a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN0910
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use