
qm (QEMU Machine) is the primary command-line tool for managing QEMU/KVM virtual machines in Proxmox VE. It provides comprehensive VM lifecycle management including creation, modification, snapshotting, and guest agent interaction. Adversaries can abuse qm for lateral movement via guest agent commands, data exfiltration through snapshots, and VM manipulation for impact.


Discovery

  1. Lists all QEMU virtual machines on the current node with their VMID, name, status, memory, and boot disk.

    qm list
    Use Case Enumerate all VMs on a node to identify targets for lateral movement or ransomware deployment.
    Privileges Required Administrator
    Operating System Proxmox VE
    ATT&CK Technique T1082
  2. Display full configuration of a VM including hardware, network, and storage settings.

    qm config {vmid}
    Use Case Reconnaissance to understand VM configuration, identify attached networks, and find storage locations.
    Privileges Required Administrator
    Operating System Proxmox VE
    ATT&CK Technique T1082
  3. List all snapshots for a VM showing the snapshot tree.

    qm listsnapshot {vmid}
    Use Case Identify existing snapshots that may contain older credentials or sensitive data.
    Privileges Required Administrator
    Operating System Proxmox VE
    ATT&CK Technique T1082
  4. Display the full QEMU command line used to start a VM.

    qm showcmd {vmid}
    Use Case Reveal sensitive configuration including VNC passwords, disk paths, and network configuration.
    Privileges Required Administrator
    Operating System Proxmox VE
    ATT&CK Technique T1082
  5. Ping the QEMU guest agent to verify it's responsive.

    qm agent {vmid} ping
    Use Case Identify VMs with guest agent enabled for potential lateral movement.
    Privileges Required Administrator
    Operating System Proxmox VE
    ATT&CK Technique T1082

Execution

  1. Execute arbitrary commands inside a running VM through the QEMU guest agent.

    qm guest exec {vmid} -- /bin/bash -c "command"
    Use Case Lateral movement by executing commands on guest VMs without network authentication. Can be used to deploy payloads, harvest credentials, or pivot through the infrastructure.
    Privileges Required Administrator
    Operating System Proxmox VE
    ATT&CK Technique T1059
    Tags Lateral Movement, Guest Agent Abuse, Credential Access
  2. Write files to a guest VM through the QEMU guest agent using base64-encoded content.

    qm guest cmd {vmid} file-write /path/to/file base64content
    Use Case Deploy malware, backdoors, or persistence mechanisms to guest VMs without network access.
    Privileges Required Administrator
    Operating System Proxmox VE
    ATT&CK Technique T1105
  3. Access the QEMU monitor interface for low-level VM control.

    qm monitor {vmid}
    Use Case Direct QEMU monitor access enables advanced operations like memory dumping, device manipulation, and debugging.
    Privileges Required Administrator
    Operating System Proxmox VE
    ATT&CK Technique T1059

Collection

  1. Read files directly from a guest VM through the QEMU guest agent.

    qm guest cmd {vmid} file-read /path/to/file
    Use Case Exfiltrate sensitive files like credentials, configurations, or data without network access.
    Privileges Required Administrator
    Operating System Proxmox VE
    ATT&CK Technique T1005
  2. Create a snapshot of a VM preserving its current state including memory.

    qm snapshot {vmid} {snapname}
    Use Case Snapshot VMs before deploying ransomware for rollback capabilities, or snapshot targets for offline disk analysis.
    Privileges Required Administrator
    Operating System Proxmox VE
    ATT&CK Technique T1074.001

Impact

  1. Stop a running virtual machine (ungraceful shutdown).

    qm stop {vmid}
    Use Case Impact by forcefully shutting down critical VMs to cause denial of service.
    Privileges Required Administrator
    Operating System Proxmox VE
    ATT&CK Technique T1529
  2. Permanently destroy a VM and all its data.

    qm destroy {vmid}
    Use Case Destructive impact by permanently deleting VMs and their data.
    Privileges Required Administrator
    Operating System Proxmox VE
    ATT&CK Technique T1485

Credential Access

  1. Dump the cloud-init user-data configuration for a VM.

    qm cloudinit dump {vmid} user
    Use Case Extract credentials, SSH keys, and configuration secrets from cloud-init templates.
    Privileges Required Administrator
    Operating System Proxmox VE
    ATT&CK Technique T1552.001