Description
Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual system management in VMware environments. Since ESXi uses an in-memory filesystem where changes made to most files are stored in RAM rather than in persistent storage, these modifications are lost after a reboot. However, VIBs can be used to create startup tasks, apply custom firewall rules, or deploy binaries that persist across reboots. Typically, administrators use VIBs for updates and system maintenance.
VIBs can be broken down into three components:(Citation: VMware VIBs)
* VIB payload: a .vgz archive containing the directories and files to be created and executed on boot when the VIB is loaded.
* Signature file: verifies the host acceptance level of a VIB, indicating what testing and validation has been done by VMware or its partners before publication of a VIB. By default, ESXi hosts require a minimum acceptance level of PartnerSupported for VIB installation, meaning the VIB is published by a trusted VMware partner. However, privileged users can change the default acceptance level using the esxcli command line interface. Additionally, VIBs can be installed regardless of acceptance level by using the esxcli software vib install --force command.
* XML descriptor file: a configuration file containing associated VIB metadata, such as the name of the VIB and its dependencies.
Adversaries may leverage malicious VIB packages to maintain persistent access to ESXi hypervisors, allowing system changes to be executed upon each bootup of ESXi – such as using esxcli to enable firewall rules for backdoor traffic, creating listeners on hard-coded ports, and executing backdoors.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022) Adversaries may also masquerade their malicious VIB files as PartnerSupported by modifying the XML descriptor file.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)
Mitigations (3)
Boot Integrity (M1046)
Enabling secure boot allows ESXi to validate software and drivers during initial system boot.(Citation: Google Cloud Threat Intelligence ESXi Hardening 2023)
Code Signing (M1045)
Enabling the execInstalledOnly feature prevents unsigned binaries from being run on ESXi hosts.(Citation: Google Cloud Threat Intelligence ESXi Hardening 2023)
Audit (M1047)
Periodically audit ESXi hosts to ensure that only approved VIBs are installed. The command esxcli software vib list lists installed VIBs, while the command esxcli software vib signature verify verifies the signatures of installed VIBs.(Citation: Google Cloud Threat Intelligence ESXi VIBs 2022)
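The audit above starts from the output of esxcli software vib list. The following Python example, added here and not code from MITRE ATT&CK or VMware, parses that command's column-aligned output (a constructed sample is embedded) and flags VIBs that are absent from an approved baseline, carry an unexpected vendor, or sit below the host's minimum acceptance level. The baseline, the vendor string EXMPL and the non-VMware VIB names are constructed; because the acceptance level is declared in the VIB's own descriptor, an unexpected VIB is reported even when it claims PartnerSupported.

```python
# Added example, not MITRE ATT&CK or VMware code. Parses the column-aligned
# output of `esxcli software vib list` (constructed sample below) and audits it.
import re

# Standard ESXi acceptance levels, most to least trusted.
ACCEPTANCE_RANK = {"VMwareCertified": 3, "VMwareAccepted": 2, "PartnerSupported": 1, "CommunitySupported": 0}

# Constructed sample: three stock VMware VIBs plus two that are not approved.
SAMPLE_VIB_LIST = """\
Name                  Version                       Vendor    Acceptance Level      Install Date
--------------------  ----------------------------  --------  --------------------  ------------
esx-base              7.0.3-0.0.00000               VMW       VMwareCertified       2024-01-15
net-vmxnet3           1.1.3.0-3vmw.700.1.0.00000    VMW       VMwareCertified       2024-01-15
lsu-hp-hpsa-plugin    2.0.0-16vmw.700.1.0.00000     VMW       VMwareCertified       2024-01-15
esx-support-tools     1.0-1                         EXMPL     PartnerSupported      2024-06-03
vmtool-helper         0.9-2                         EXMPL     CommunitySupported    2024-06-03
"""

# Constructed baseline: approved VIB name -> vendor expected for that VIB.
APPROVED_BASELINE = {"esx-base": "VMW", "net-vmxnet3": "VMW", "lsu-hp-hpsa-plugin": "VMW"}


def parse_vib_list(text: str) -> list[dict]:
    """esxcli separates columns by two or more spaces and header words by one
    (e.g. 'Acceptance Level'), so splitting on runs of 2+ spaces recovers fields."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    keys = re.split(r"\s{2,}", lines[0])
    rows = [re.split(r"\s{2,}", ln) for ln in lines[2:]]  # lines[1] is the dashed ruler
    return [dict(zip(keys, row)) for row in rows if len(row) == len(keys)]


def audit_vibs(vibs, baseline, min_level="PartnerSupported") -> list[str]:
    """Flag VIBs missing from the baseline, with an unexpected vendor, or below the
    host's minimum acceptance level. The level is self-declared in the XML descriptor,
    so an unexpected VIB is flagged even if it claims PartnerSupported; confirm each
    finding with `esxcli software vib signature verify`."""
    findings = []
    for v in vibs:
        name, vendor, level = v["Name"], v["Vendor"], v["Acceptance Level"]
        if name not in baseline:
            findings.append(f"UNEXPECTED VIB: {name} ({vendor}, {level})")
        elif baseline[name] != vendor:
            findings.append(f"VENDOR MISMATCH: {name} is {vendor}, expected {baseline[name]}")
        if ACCEPTANCE_RANK.get(level, -1) < ACCEPTANCE_RANK[min_level]:
            findings.append(f"BELOW MINIMUM LEVEL: {name} is {level}")
    return findings
```

Run audit_vibs(parse_vib_list(SAMPLE_VIB_LIST), APPROVED_BASELINE) to see the three findings the sample produces; on a real host, feed it the saved command output and a baseline captured from a known-good image.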
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has used vSphere Installation Bundles (VIBs) to install malware and establish persistence across ESXi... |
Associated Software (1)
| ID | Name | Type | Context |
|---|---|---|---|
| S1218 | VIRTUALPIE | Malware | [VIRTUALPIE](https://attack.mitre.org/software/S1218) has been installed on VMware ESXi servers through malicious vSphere Installation Bundles (VIBs).... |
References
- Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.
- Kyle Gleed. (2011, September 13). What's in a VIB? Retrieved March 27, 2025.
Frequently Asked Questions
What is T1505.006 (vSphere Installation Bundles)?
T1505.006 is a MITRE ATT&CK technique named 'vSphere Installation Bundles'. It belongs to the Persistence tactic(s). Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual system management...
How can T1505.006 be detected?
Detection of T1505.006 (vSphere Installation Bundles) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1505.006?
There are 3 documented mitigations for T1505.006. Key mitigations include: Boot Integrity, Code Signing, Audit.
Which threat groups use T1505.006?
Known threat groups using T1505.006 include: UNC3886.