Anti-Forensics
- ID: AF022.003
- Created: 20th May 2025
- Updated: 01st November 2025
- Platforms: Windows, Linux, MacOS
- MITRE ATT&CK®: T1564.006, T1564
- Contributor: The ITM Team
Portable Hypervisors
The subject uses a portable hypervisor to launch a virtual machine from removable media or user-space directories, enabling covert execution of tools, data staging, or operational activities. These hypervisors can run without installation, system-wide configuration changes, or elevated privileges, bypassing standard application control, endpoint detection, and logging.
Portable hypervisors are often used to:
- Run a fully isolated virtual environment on a corporate system without administrator rights.
- Avoid persistent installation footprints in the Windows registry, program files, or audit logs.
- Stage and execute sensitive operations inside a contained guest OS, shielded from host-level EDR tools.
- Exfiltrate or decrypt data using tools embedded in the VM image without writing them to disk.
- Destroy or remove evidence simply by ejecting the device or deleting the VM directory.
Example Scenarios:
- The subject carries a USB stick containing QEMU or VMware Workstation Player Portable, along with a pre-configured Linux VM that includes recon and exfiltration tools. They plug it into a shared workstation, launch the VM in user space, and remove the stick after completing the session.
- A portable VirtualBox distribution is run from an unmonitored folder in the user's home directory. Inside the VM, the subject transfers staged data, compresses it, and initiates covert upload via proxy-aware tools, leaving no trace on the host system.
- The subject uses an encrypted external SSD with VMware ThinApp to run virtualized applications (e.g., password extractors, tunneling tools) without installation or triggering AV signatures on the host.
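The scenarios above share one host-side signal a defender can still see: the hypervisor process itself is created on the host, and its image path and command line reveal whether it runs from an installed location or from removable media or a user-writable directory. The following Python script is an added example written for this page, not ITM's own detection content. It parses a constructed process-creation log (a simplified key="value" format loosely modelled on Sysmon Event ID 1 fields), flags hypervisor binaries that run outside sanctioned install paths, and separately flags guest disk images referenced from removable drives or temp directories. The binary list, the sanctioned-path policy, the path-classification rules and the sample events are all assumptions to be tuned against your own software inventory.

```python
import re
from dataclasses import dataclass, field

# Assumed starter list of hypervisor process names (lower-case); extend from your own inventory.
HYPERVISOR_BINARIES = {
    "qemu-system-x86_64.exe", "qemu-system-i386.exe", "qemu-system-x86_64", "qemu-system-i386",
    "virtualboxvm.exe", "vboxheadless.exe", "vboxmanage.exe", "vboxsvc.exe",
    "vmplayer.exe", "vmware-vmx.exe", "vmware.exe", "vmware-vmx",
}

# Guest disk image extensions that may appear on a hypervisor command line.
VM_DISK_EXTENSIONS = (".qcow2", ".vmdk", ".vdi", ".vhd", ".vhdx", ".img")

# Assumed policy: a centrally installed hypervisor is expected to run from one of these prefixes.
SANCTIONED_PREFIXES = (
    "c:\\program files\\", "c:\\program files (x86)\\",
    "/usr/bin/", "/usr/lib/", "/usr/libexec/",
)

# Constructed log format: one event per line, fields as key="value".
_FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass
class Finding:
    user: str
    image: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_event(line):
    """Parse one key="value" log line into a dict of fields."""
    return dict(_FIELD_RE.findall(line))


def classify_path(path):
    """Classify a host path as sanctioned, removable_or_secondary_drive, temp, user_profile or other."""
    p = path.lower()
    if p.startswith(SANCTIONED_PREFIXES):
        return "sanctioned"
    m = re.match(r"^([a-z]):\\", p)
    if (m and m.group(1) != "c") or p.startswith(("/media/", "/mnt/", "/run/media/")):
        return "removable_or_secondary_drive"   # non-system drive letter or Linux mount point
    if "\\temp\\" in p or p.startswith(("/tmp/", "/var/tmp/")):
        return "temp"                            # checked before user_profile: AppData\Local\Temp is both
    if "\\users\\" in p or p.startswith("/home/"):
        return "user_profile"
    return "other"


def disk_image_paths(command_line):
    """Return command-line tokens that look like guest disk images."""
    return [t for t in command_line.split() if t.lower().endswith(VM_DISK_EXTENSIONS)]


def analyze_event(evt):
    """Return a Finding for a hypervisor process that runs or loads disks from an unexpected place, else None."""
    image = evt.get("Image", "")
    name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name not in HYPERVISOR_BINARIES:
        return None
    reasons = []
    loc = classify_path(image)
    if loc != "sanctioned":
        reasons.append(f"hypervisor binary runs from {loc} path: {image}")
    for disk in disk_image_paths(evt.get("CommandLine", "")):
        dloc = classify_path(disk)
        if dloc in ("removable_or_secondary_drive", "temp"):
            reasons.append(f"guest disk image on {dloc} path: {disk}")
    if not reasons:
        return None
    # A binary outside its install path is the stronger signal; a stray disk image alone is medium.
    severity = "high" if loc != "sanctioned" else "medium"
    return Finding(user=evt.get("User", "?"), image=image, severity=severity, reasons=reasons)


def detect_portable_hypervisors(log_text):
    """Run analyze_event over every non-empty line and collect findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            f = analyze_event(parse_event(line))
            if f:
                findings.append(f)
    return findings


# Constructed sample events (not real telemetry). Raw string keeps the backslashes literal.
SAMPLE_LOG = r"""
EventID="1" Image="E:\Tools\qemu\qemu-system-x86_64.exe" CommandLine="qemu-system-x86_64.exe -m 2048 -hda E:\Tools\vm\kali.qcow2" User="CORP\jdoe"
EventID="1" Image="C:\Program Files\Oracle\VirtualBox\VirtualBoxVM.exe" CommandLine="VirtualBoxVM.exe --startvm dev-box" User="CORP\jdoe"
EventID="1" Image="C:\Users\jdoe\AppData\Local\Temp\vbox\VBoxHeadless.exe" CommandLine="VBoxHeadless.exe --startvm stage --vrde off" User="CORP\jdoe"
EventID="1" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe notes.txt" User="CORP\jdoe"
EventID="1" Image="/usr/bin/qemu-system-x86_64" CommandLine="qemu-system-x86_64 -m 1024 -hda /media/usb/staging.qcow2" User="jdoe"
"""

if __name__ == "__main__":
    for f in detect_portable_hypervisors(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] user={f.user} image={f.image}")
        for r in f.reasons:
            print("   -", r)
```

Of the five constructed events, the installed VirtualBox run and the notepad process produce nothing, the two hypervisors launched from a secondary drive and from a Temp directory are rated high, and the installed QEMU that boots a disk image from a USB mount is rated medium. In production the same logic sits more naturally as a SIEM rule keyed on the process-creation event source; the point of the script is the classification order (temp before user profile, sanctioned prefixes before everything) and the split between "binary in the wrong place" and "disk image in the wrong place", which have different false-positive profiles.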
Preventions (4)
Detections (10)
MITRE ATT&CK® Mapping (2)
ATT&CK Enterprise Matrix Version 18.0