Is it possible? And can such a rogue vm be hidden from the filesystem & endpoint security products detection?
I would say that it is theoretically possible if an existing VM has been established based on this Spiceworks discussion: They won't need admin access because there will be VM software installed for them to run their one required VM. Local administrator access is not required to create additional VMs after the software required to run the first one is installed. Ref.: https://community.spiceworks.com/topic/1080483-can-virtual-machines-be-detected-blocked-on-network