In this talk we will explore the use of virtual machines for lateral movement. There are multiple reasons why you should add this technique to your red teaming knowledge base and skill set. We also highlight how we can build better detections for catching VM misuse.
A Shadowbunny is basically a virtual machine (VM) instance that an adversary deploys on a target host to pivot and provide persistence while evading detection. During red teaming operations the Shadowbunny technique has been used by the presenter multiple times over the last couple of years. The VM itself does not have any security monitoring and is entirely attacker controlled.
Recently, real-world malware such as Ragnar Locker ransomware has been seen using virtual machines (VirtualBox) to hide its tracks, so it is important that we start discussing and researching these attacks more to build better defenses and detections.