Potential Traffic Tunneling using QEMU

  1[metadata]
  2creation_date = "2026/02/09"
  3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
  4maturity = "production"
  5updated_date = "2026/02/09"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the use of the QEMU hardware emulator to potentially tunnel network traffic between Virtual machines. This
 11can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
 12"""
 13from = "now-9m"
 14index = [
 15    "endgame-*",
 16    "logs-crowdstrike.fdr*",
 17    "logs-endpoint.events.process-*",
 18    "logs-m365_defender.event-*",
 19    "logs-sentinel_one_cloud_funnel.*",
 20    "logs-system.security*",
 21    "logs-windows.sysmon_operational-*",
 22    "winlogbeat-*",
 23    "auditbeat-*"
 24]
 25language = "eql"
 26license = "Elastic License v2"
 27name = "Potential Traffic Tunneling using QEMU"
 28note = """## Triage and analysis
 29
 30> **Disclaimer**:
 31> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 32
 33### Investigating Potential Traffic Tunneling using QEMU
 34
 35QEMU is a legitimate virtualization and emulation platform used for system testing and development. However, its advanced networking features can be abused to tunnel network traffic, forward ports, and create covert communication channels between systems. The detection rule identifies suspicious QEMU executions using networking-related arguments that are commonly associated with traffic forwarding and tunneling behavior.
 36
 37### Possible investigation steps
 38
 39- Review the process command line for the presence of networking arguments such as `-netdev`, `hostfwd=`, `connect=`, `restrict=off`, and `-nographic`.
 40- Confirm whether QEMU is legitimately installed and expected to run on the affected system.
 41- Check the parent process to determine how QEMU was launched and whether the execution chain appears suspicious.
 42- Investigate the user account and host context to assess whether virtualization activity is normal for that environment.
 43- Analyze related network activity for signs of traffic forwarding, tunneling, or unauthorized external connections.
 44- Correlate the event with other telemetry (process creation, persistence mechanisms, or VM artifacts) for additional context.
 45
 46### False positive analysis
 47
 48- Legitimate developer or research environments using QEMU for virtualization and testing may trigger this rule.
 49- Approved lab systems, malware analysis sandboxes, or CI/CD pipelines may use similar networking configurations.
 50- Internal training or testing environments may generate similar activity.
 51
 52### Response and remediation
 53
 54- Isolate the affected system and terminate unauthorized QEMU processes.
 55- Investigate for signs of lateral movement or command-and-control activity.
 56- Remove unauthorized VM images, configurations, and persistence mechanisms.
 57- Rotate credentials and assess scope of impact if tunneling activity is confirmed.
 58- Escalate to the SOC or incident response team for further investigation."""
 59references = [
 60    "https://securelist.com/network-tunneling-with-qemu/111803/",
 61    "https://blog.xpnsec.com/bring-your-own-vm-mac-edition/",
 62    "https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399"
 63]
 64risk_score = 47
 65rule_id = "b29b7652-219f-468b-aa1f-5da7bcc24b03"
 66severity = "medium"
 67tags = [
 68    "Domain: Endpoint",
 69    "OS: Windows",
 70    "OS: Linux",
 71    "OS: macOS",
 72    "Use Case: Threat Detection",
 73    "Tactic: Command and Control",
 74    "Data Source: Elastic Endgame",
 75    "Data Source: Elastic Defend",
 76    "Data Source: Sysmon",
 77    "Data Source: SentinelOne",
 78    "Data Source: Microsoft Defender for Endpoint",
 79    "Data Source: Windows Security Event Logs",
 80    "Data Source: Crowdstrike",
 81    "Resources: Investigation Guide",
 82]
 83timestamp_override = "event.ingested"
 84type = "eql"
 85
 86query = '''
 87process where event.type == "start" and
 88 process.args : "-netdev" and
 89 (
 90  (process.args : "-nographic" and process.command_line : "*connect=*" and process.command_line : "*restrict=off*") or
 91   process.command_line : "*hostfwd=*"
 92 )
 93'''
 94
 95
 96[[rule.threat]]
 97framework = "MITRE ATT&CK"
 98[[rule.threat.technique]]
 99id = "T1219"
100name = "Remote Access Tools"
101reference = "https://attack.mitre.org/techniques/T1219/"
102
103
104[rule.threat.tactic]
105id = "TA0011"
106name = "Command and Control"
107reference = "https://attack.mitre.org/tactics/TA0011/"