The Check Qemu Description rule detects code that fingerprints QEMU by matching the three strings of a registry lookup: the HARDWARE\Description\System key, its SystemBiosVersion value name, and the comparison target "QEMU". Malware performs this check to recognise a virtualized analysis environment (sandbox or VM) and change its behaviour to evade detection. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential evasion tactics used by adversaries operating in virtualized environments.
YARA Rule
rule Check_Qemu_Description
{
    meta:
        Author = "Nick Hoffman"
        Description = "Checks for QEMU systembiosversion key"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $key = "HARDWARE\\Description\\System" nocase wide ascii
        $value = "SystemBiosVersion" nocase wide ascii
        $data = "QEMU" wide nocase ascii
    condition:
        all of them
}
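To show what the modifiers on the three strings mean in practice, here is an added pure-Python re-implementation of this rule's matching semantics (it is not YARA and not the rule author's code): each string is searched case-insensitively in both plain ASCII and UTF-16LE ("wide") form, and the rule fires only when all three are present. The sample buffers are constructed for the demonstration.

```python
import re

# The three strings from the Check_Qemu_Description rule.
RULE_STRINGS = {
    "$key": "HARDWARE\\Description\\System",
    "$value": "SystemBiosVersion",
    "$data": "QEMU",
}


def _pattern(text):
    """Regex equivalent of YARA's 'nocase wide ascii' for one string:
    matches the ASCII bytes or the UTF-16LE bytes, ignoring case."""
    ascii_form = re.escape(text.encode("ascii"))
    wide_form = re.escape(text.encode("utf-16-le"))
    return re.compile(b"(?:" + ascii_form + b"|" + wide_form + b")", re.IGNORECASE)


PATTERNS = {name: _pattern(s) for name, s in RULE_STRINGS.items()}


def scan(buf):
    """Return which of the rule's strings occur anywhere in buf."""
    return {name: bool(pat.search(buf)) for name, pat in PATTERNS.items()}


def check_qemu_description(buf):
    """The rule's condition 'all of them': every string must be present."""
    return all(scan(buf).values())


# Constructed sample resembling a Windows binary that opens the key with the
# W-variant registry APIs (strings stored as UTF-16LE, here in lower case)
# and compares the value against "qemu" stored as lower-case ASCII.
SAMPLE_HIT = (
    b"\x00" * 8
    + "hardware\\description\\system".encode("utf-16-le")
    + b"\x00\x00"
    + "SystemBiosVersion".encode("utf-16-le")
    + b"\x00\x00qemu\x00"
)

# Constructed sample that reads the same value but never compares it to
# "QEMU", so only two of the three strings match and the rule stays silent.
SAMPLE_MISS = b"HARDWARE\\Description\\System\x00SystemBiosVersion\x00VBOX\x00"

if __name__ == "__main__":
    print("hit sample:", scan(SAMPLE_HIT), check_qemu_description(SAMPLE_HIT))
    print("miss sample:", scan(SAMPLE_MISS), check_qemu_description(SAMPLE_MISS))
```

The per-string result from scan() is useful during triage: a file that contains the key and value name but not "QEMU" is a registry reader, not a QEMU check.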
This rule contains 3 string patterns in its detection logic. The scenarios below describe benign activity that may produce matches, with a suggested exclusion for each. Note that the exclusions are expressed on process command lines, while the YARA rule itself matches file or memory content, so tune them to the telemetry the rule is actually applied to.
Scenario: Virtual Machine Configuration Backup via virt-xml
Description: A system administrator uses virt-xml to export virtual machine configurations, which may include QEMU-related metadata.
Filter/Exclusion: Exclude processes where the command line includes virt-xml or virsh.
Scenario: Scheduled Job for QEMU Image Conversion using qemu-img
Description: A scheduled job runs qemu-img to convert virtual disk images between formats (e.g., VDI to VMDK), which may trigger the QEMU description check.
Filter/Exclusion: Exclude processes where the command line includes qemu-img or convert.
Scenario: System Update with QEMU Package Installation
Description: A package manager (e.g., yum, apt, dnf) installs or updates QEMU-related packages, which may include metadata matching the YARA rule.
Filter/Exclusion: Exclude processes where the command line includes yum, apt, or dnf and the package name contains qemu.
Scenario: Security Tool Analysis of QEMU Binaries
Description: A security tool (e.g., ClamAV, Sophos, Maltego) analyzes QEMU binaries for malware, which may match the QEMU description rule.
Filter/Exclusion: Exclude processes where the command line includes clamscan, sophos-antivirus, or maltego.
Scenario: DevOps Pipeline Using QEMU for Testing
Description: A CI/CD pipeline (e.g., Jenkins, GitLab CI) uses QEMU to run containerized tests, which may trigger the rule due to QEMU-related strings.
Filter/Exclusion: Exclude processes where the command line includes jenkins,