Potential Traffic Tunneling using QEMU

Status: production
Severity: medium
Time window: 9m
Author: Elastic
Source: github.com/elastic/detection-rules

Identifies the use of the QEMU hardware emulator to potentially tunnel network traffic between Virtual machines. This can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.

MITRE ATT&CK coverage

Tactic	Techniques
Command & Control	`T1090` Proxy, `T1219` Remote Access Tools, `T1572` Protocol Tunneling

Rule body elastic

[metadata]
creation_date = "2026/02/09"
integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system", "crowdstrike"]
maturity = "production"
updated_date = "2026/04/07"

[rule]
author = ["Elastic"]
description = """
Identifies the use of the QEMU hardware emulator to potentially tunnel network traffic between Virtual machines. This
can be used by attackers to enable routing of network packets that would otherwise not reach their intended destination.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-crowdstrike.fdr*",
    "logs-endpoint.events.process-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-system.security*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
    "auditbeat-*"
]
language = "eql"
license = "Elastic License v2"
name = "Potential Traffic Tunneling using QEMU"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Traffic Tunneling using QEMU

QEMU is a legitimate virtualization and emulation platform used for system testing and development. However, its advanced networking features can be abused to tunnel network traffic, forward ports, and create covert communication channels between systems. The detection rule identifies suspicious QEMU executions using networking-related arguments that are commonly associated with traffic forwarding and tunneling behavior.

### Possible investigation steps

- Review the process command line for the presence of networking arguments such as `-netdev`, `hostfwd=`, `connect=`, `restrict=off`, and `-nographic`.
- Confirm whether QEMU is legitimately installed and expected to run on the affected system.
- Check the parent process to determine how QEMU was launched and whether the execution chain appears suspicious.
- Investigate the user account and host context to assess whether virtualization activity is normal for that environment.
- Analyze related network activity for signs of traffic forwarding, tunneling, or unauthorized external connections.
- Correlate the event with other telemetry (process creation, persistence mechanisms, or VM artifacts) for additional context.

### False positive analysis

- Legitimate developer or research environments using QEMU for virtualization and testing may trigger this rule.
- Approved lab systems, malware analysis sandboxes, or CI/CD pipelines may use similar networking configurations.
- Internal training or testing environments may generate similar activity.

### Response and remediation

- Isolate the affected system and terminate unauthorized QEMU processes.
- Investigate for signs of lateral movement or command-and-control activity.
- Remove unauthorized VM images, configurations, and persistence mechanisms.
- Rotate credentials and assess scope of impact if tunneling activity is confirmed.
- Escalate to the SOC or incident response team for further investigation."""
references = [
    "https://securelist.com/network-tunneling-with-qemu/111803/",
    "https://blog.xpnsec.com/bring-your-own-vm-mac-edition/",
    "https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399"
]
risk_score = 47
rule_id = "b29b7652-219f-468b-aa1f-5da7bcc24b03"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "OS: Linux",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender XDR",
    "Data Source: Windows Security Event Logs",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where event.type == "start" and
 process.args : "-netdev" and
 (
  (process.args : "-nographic" and process.command_line : "*connect=*" and process.command_line : "*restrict=off*") or
   process.command_line : "*hostfwd=*"
 )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1090"
name = "Proxy"
reference = "https://attack.mitre.org/techniques/T1090/"

[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/"

[[rule.threat.technique]]
id = "T1572"
name = "Protocol Tunneling"
reference = "https://attack.mitre.org/techniques/T1572/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

Stages and Predicates

Stage 1: `process`

process where event.type == "start" and
 process.args : "-netdev" and
 (
  (process.args : "-nographic" and process.command_line : "*connect=*" and process.command_line : "*restrict=off*") or
   process.command_line : "*hostfwd=*"
 )

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`event.type`	eq	`start` corpus 606 (elastic 606)
`process.args`	wildcard	`-netdev` `-nographic`
`process.command_line`	wildcard	`connect=` corpus 2 (sigma 1, elastic 1) `hostfwd=` `restrict=off` corpus 2 (sigma 1, elastic 1)

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Potential Traffic Tunneling using QEMU

MITRE ATT&CK coverage

Rule body elastic

Stages and Predicates

Stage 1: `process`

Indicators

Keyboard shortcuts

Search operators

Potential Traffic Tunneling using QEMU

MITRE ATT&CK coverage

Rule body elastic

Stages and Predicates

Stage 1: process

Indicators

Stage 1: `process`