Check Qemu DeviceMap

Hunt Hypothesis

The Check Qemu DeviceMap rule detects potential emulator or virtualization artifacts that may indicate the use of QEMU to run malicious code in a sandboxed environment. SOC teams should proactively hunt for this behavior to identify and mitigate threats that may be evading traditional detection methods by leveraging virtualization-based evasion techniques.

YARA Rule

rule Check_Qemu_DeviceMap
{
	meta:
		Author = "Nick Hoffman"
		Description = "Checks for Qemu reg keys"
		Sample = "de1af0e97e94859d372be7fcf3a5daa5"
	strings:
		$key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" nocase wide ascii
		$value = "Identifier" nocase wide ascii
		$data = "QEMU" wide nocase ascii
	condition:
		all of them
}

Deployment Notes

This YARA rule can be deployed in the following contexts:

• Microsoft Defender for Endpoint — Custom indicators / advanced hunting
• Email Gateway — Attachment scanning
• File Share Monitoring — Periodic scanning of shared drives
• YARA CLI — Manual threat hunting on endpoints

This rule contains 3 string patterns in its detection logic.

• Source Rule

False Positive Guidance

• Scenario: Virtual Machine Configuration Backup via virt-xml
  Description: A system administrator uses virt-xml to export the XML configuration of a KVM virtual machine, which includes the devices section with QEMU device mappings.
  Filter/Exclusion: Check for the presence of virt-xml in the command line or process tree, and exclude paths containing /etc/libvirt/ or /var/lib/libvirt/.

• Scenario: Scheduled Job for Disk Image Conversion using qemu-img
  Description: A scheduled job runs qemu-img convert to convert a virtual disk image from one format to another, which may temporarily include QEMU device map syntax in intermediate files.
  Filter/Exclusion: Exclude files or processes that match qemu-img in the command line, or filter out files in /var/lib/libvirt/images/ or /tmp/.

• Scenario: Systemd Unit File for QEMU Guest Agent
  Description: A systemd unit file for the QEMU Guest Agent includes configuration that resembles QEMU device map syntax, such as device definitions in the service file.
  Filter/Exclusion: Exclude files in /etc/systemd/system/ or /lib/systemd/system/ that contain qemu-ga or guest-agent in their names.

• Scenario: Ansible Playbook for VM Provisioning
  Description: An Ansible playbook provisions a virtual machine and includes a template with QEMU device map syntax as part of the VM configuration.
  Filter/Exclusion: Exclude files in /etc/ansible/ or /home/ansible/playbooks/ that contain qemu or device_map in their names.

• Scenario: Docker Container with QEMU Emulation
  Description: A Docker container running a QEMU-based emulator (e