AN0574: Analytic 0574
Detects enumeration of VMs using PowerShell (`Get-VM`), VMware Workstation (`vmrun.exe`), or Hyper-V (`VBoxManage.exe`). Defender observes suspicious command lines executed by unexpected users or outside normal administrative sessions.
Analyst context for executives and security teams
AN0574 is a Windows detection analytic focused on suspicious virtual machine enumeration through command-line tooling such as PowerShell Get-VM, vmrun.exe, and VBoxManage.exe. For security leaders, the practical issue is not the commands themselves—administrators may legitimately inventory VMs—but whether this activity is happening by unexpected users, from unusual hosts, or outside approved administrative sessions. That distinction matters because VM inventory visibility can inform later targeting, incident scoping, and operational risk decisions in environments that rely on virtualization.
Executive priority
Prioritize this analytic where Windows endpoints or administrator workstations can manage virtualization assets. Leaders should ask whether VM management activity is logged, attributable to named users, and distinguishable from approved admin workflows. This can support SOC readiness, incident response scoping, privileged access governance, and audit evidence around who can enumerate virtual infrastructure. Because the ATT&CK object provides no tactic, relationship, or impact context, treat this as a coverage validation item rather than proof of a specific threat campaign or business impact.
Technical view
SOC and detection teams should validate whether Windows process execution telemetry captures command lines for Get-VM, vmrun.exe, and VBoxManage.exe, with user, host, parent process, session context, and timestamp. The analytic is centered on identifying suspicious command lines executed by unexpected users or outside normal administrative sessions. Tuning should therefore compare observed activity against known virtualization administrators, management hosts, scheduled inventory jobs, and approved maintenance windows. No official detection logic is provided, so local baselining is required.
Likely telemetry
- Windows process creation events with full command line
- PowerShell execution telemetry showing Get-VM usage
- User and logon/session context for the executing account
- Parent process and originating host information
- Administrative session, jump host, or management workstation records
Detection direction
- Confirm collection of command-line process telemetry on Windows systems where virtualization tools may be used.
- Baseline legitimate VM enumeration by approved administrators, automation accounts, management hosts, and scheduled tasks.
- Alert on VM enumeration commands by non-administrative or unexpected users, from unusual endpoints, or outside normal administrative sessions.
- Tune carefully for false positives from routine inventory, backup, virtualization administration, and asset management workflows.
- Because no ATT&CK relationship context or tactic is supplied, avoid over-classifying alerts; use this analytic as an investigation lead requiring corroborating evidence.
Mitigation priorities
- Define and document approved users, hosts, and sessions for virtualization administration.
- Restrict VM management tooling access to authorized administrators and managed workstations where feasible.
- Ensure privileged access workflows and logging make VM enumeration attributable to individual users or approved service accounts.
- Maintain audit evidence for expected VM inventory activity to help SOC teams separate normal administration from suspicious use.
- Review endpoint logging coverage before relying on this analytic for managed detection or compliance reporting.
Analyst notes and limits
This object is a detection analytic, not a technique. It applies to Windows and describes suspicious VM enumeration using specific tooling. The supplied ATT&CK fields include no tactic, no related techniques, and no official detection query, so implementation depends heavily on local telemetry quality and administrative baselines.
The source provides a short description only. It does not include detection logic, severity, data source mappings, relationships, adversary usage, or impact claims. Conclusions about maliciousness, exposure, or coverage require customer-specific evidence.
Analytic 0574
Detects enumeration of VMs using PowerShell (`Get-VM`), VMware Workstation (`vmrun.exe`), or Hyper-V (`VBoxManage.exe`). Defender observes suspicious command lines executed by unexpected users or outside normal administrative sessions.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 608e8e975d22… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
mitre-attack AN0574Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.