Description
Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of functionality for managing both the hypervisor itself and the guest virtual machines it hosts.
For example, on ESXi systems, tools such as esxcli and vim-cmd allow administrators to configure firewall rules and log forwarding on the hypervisor, list virtual machines, start and stop virtual machines, and more.(Citation: Broadcom ESXCLI Reference)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: LOLESXi) Adversaries may be able to leverage these tools in order to support further actions, such as File and Directory Discovery or Data Encrypted for Impact.
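Detection logic for the hypervisor-CLI use described above, as an added example that is not part of the ATT&CK entry or VMware's tooling: it parses ESXi Shell audit lines in the layout assumed here for `/var/log/shell.log`, normalises the command, and flags the `esxcli` and `vim-cmd` invocations the description calls out (VM listing and termination, firewall and log-forwarding changes, package installs). The sample log lines and the category names are constructed for this example.

```python
import re

# Assumed layout of an ESXi /var/log/shell.log line (sample below is constructed):
#   <ISO-8601 timestamp> shell[<pid>]: [<user>]: <command line>
SHELL_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

# Actions the technique description calls out, keyed by an esxcli/vim-cmd pattern.
# The category names are this example's own, not ATT&CK or VMware terms.
CLI_RULES = [
    ("vm_terminate", re.compile(r"^(esxcli vm process kill|vim-cmd vmsvc/power\.off)\b")),
    ("vm_enumerate", re.compile(r"^(esxcli vm process list|vim-cmd vmsvc/getallvms)\b")),
    ("firewall_change", re.compile(r"^esxcli network firewall (set|ruleset set)\b")),
    ("syslog_change", re.compile(r"^esxcli system syslog config set\b")),
    ("vib_install", re.compile(r"^esxcli software vib install\b")),
]

def parse_shell_log_line(line):
    """Return the fields of one shell.log line as a dict, or None if it does not match."""
    m = SHELL_LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_command(cmd):
    """Map a command line to a CLI_RULES category, or None if it is not of interest."""
    normalised = " ".join(cmd.split())  # collapse repeated whitespace before matching
    for category, pattern in CLI_RULES:
        if pattern.search(normalised):
            return category
    return None

def find_hypervisor_cli_events(lines):
    """Parse shell.log lines and keep only those whose command matches a rule."""
    events = []
    for line in lines:
        fields = parse_shell_log_line(line)
        if fields is None:  # not a shell.log entry (e.g. hostd output mixed in)
            continue
        category = classify_command(fields["cmd"])
        if category:
            events.append({**fields, "category": category})
    return events

# Constructed sample lines, not captured from a real host.
SAMPLE_LOG = [
    "2025-03-01T10:15:02Z shell[2001]: [root]: esxcli vm process list",
    "2025-03-01T10:15:40Z shell[2001]: [root]: esxcli network firewall set --enabled false",
    "2025-03-01T10:16:30Z shell[2001]: [root]: esxcli  vm process kill --type=force --world-id=12345",
    "2025-03-01T10:17:20Z hostd[1500]: unrelated daemon message",
]
```

Forwarding `shell.log` off the host first matters here, since the same CLI can silence the syslog target the rule set watches for.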
Platforms
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has used the esxcli command line utility to modify firewall rules, install malware, and for artifact ... |
Associated Software (3)
| ID | Name | Type | Context |
|---|---|---|---|
| S1096 | Cheerscrypt | Malware | Cheerscrypt has leveraged `esxcli` in order to terminate running virtual machines.(Citation: Trend Micro Cheerscrypt May 2022) |
| S1073 | Royal | Malware | Royal ransomware uses `esxcli` to gather a list of running VMs and terminate them.(Citation: Trend Micro Royal Linux ESXi February 2023) |
| S1218 | VIRTUALPIE | Malware | [VIRTUALPIE](https://attack.mitre.org/software/S1218) is capable of command line execution on compromised ESXi servers.(Citation: Google Cloud Threat ... |
Related CWE Weaknesses
References
- Broadcom. (n.d.). ESXCLI Reference. Retrieved March 27, 2025.
- Janantha Marasinghe. (n.d.). Living Off The Land ESXi. Retrieved April 14, 2025.
- Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.
Frequently Asked Questions
What is T1059.012 (Hypervisor CLI)?
T1059.012 is a MITRE ATT&CK technique named 'Hypervisor CLI'. It belongs to the Execution tactic(s). Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of functionality for managing both the hypervisor itsel...
How can T1059.012 be detected?
Detection of T1059.012 (Hypervisor CLI) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1059.012?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1059.012?
Known threat groups using T1059.012 include: UNC3886.