Approved

Live Discover Query - Virtual Devices

  REVIEWED by Sophos 

Depending on the role of the user or device it might be worth exploring those computers that are running a virtual machine.  This could be a computer on the network you don't have any visibility or control over that is being used by the end-user to work around control functionality.  It could be installed by a hacker on the inside to go unnoticed. See: https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/ 

With that said, the following query could be used as a starting point:

select id.mac, id.description, id.manufacturer, id.service, id.dhcp_server, id.dns_host_name, ia.address as ipaddress
from interface_details as id
join interface_addresses as ia on ia.interface=id.interface
where id.description like '%VirtualBox%' or id.description like '%VMware%';

The output might look as follows for a machine running VMware Player and VirtualBox:

+-------------------+--------------------------------------------+--------------------+--------------+-----------------+---------------+---------------------------+
| mac               | description                                | manufacturer       | service      | dhcp_server     | dns_host_name | ipaddress                 |
+-------------------+--------------------------------------------+--------------------+--------------+-----------------+---------------+---------------------------+
| 0a:00:27:00:00:10 | VirtualBox Host-Only Ethernet Adapter      | Oracle Corporation | VBoxNetAdp   |                 | wobble        | fe80::d494:326f:1df3:3da2 |
| 0a:00:27:00:00:10 | VirtualBox Host-Only Ethernet Adapter      | Oracle Corporation | VBoxNetAdp   |                 | wobble        | 192.168.56.1              |
| 00:50:56:c0:00:01 | VMware Virtual Ethernet Adapter for VMnet1 | VMware, Inc.       | VMnetAdapter | 192.168.190.254 | wobble        | fe80::fccd:547b:5c87:4ec0 |
| 00:50:56:c0:00:01 | VMware Virtual Ethernet Adapter for VMnet1 | VMware, Inc.       | VMnetAdapter | 192.168.190.254 | wobble        | 192.168.190.1             |
| 00:50:56:c0:00:08 | VMware Virtual Ethernet Adapter for VMnet8 | VMware, Inc.       | VMnetAdapter | 192.168.118.254 | wobble        | fe80::8975:a405:2cc3:da15 |
| 00:50:56:c0:00:08 | VMware Virtual Ethernet Adapter for VMnet8 | VMware, Inc.       | VMnetAdapter | 192.168.118.254 | wobble        | 192.168.118.1             |
+-------------------+--------------------------------------------+--------------------+--------------+-----------------+---------------+---------------------------+

I've used the description in the where clause but a number of columns could be used here to potentially identify these network adapters.

Installed applications, registry, files, services, could also be used to ID such software but this is one example.

It may also be worth utilizing Application Control to block these virtualization tools if not needed:

Regards,

Jak