Execution

T1675: ESXi Administration Command

Description

Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual environment. Persistent background services on ESXi-hosted VMs, such as the VMware Tools Daemon Service, allow for remote management from the ESXi server. The tools daemon service runs as vmtoolsd.exe on Windows guest operating systems, vmware-tools-daemon on macOS, and vmtoolsd on Linux.(Citation: Broadcom VMware Tools Services)

Adversaries may leverage a variety of tools to execute commands on ESXi-hosted VMs – for example, by using the vSphere Web Services SDK to programmatically execute commands and scripts via APIs such as StartProgramInGuest, ListProcessesInGuest, ListFilesInGuest, and InitiateFileTransferFromGuest.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Broadcom Running Guest OS Operations) This may enable follow-on behaviors on the guest VMs, such as File and Directory Discovery, Data from Local System, or OS Credential Dumping.

Platforms

ESXi

Mitigations (1)

M1018: User Account Management

If not required, restrict the permissions of users to perform Guest Operations on ESXi-hosted VMs.(Citation: Broadcom Virtual Machine Guest Operations Privileges)
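As an added example (not code from the ATT&CK page or from VMware), the audit below walks a vSphere-style inventory and reports which principals hold Guest Operations privileges on each VM, honouring vSphere's propagate flag and nearest-permission-wins rule; the inventory, roles and principals are constructed sample data.

```python
# Added example, not from the ATT&CK page: audit a vSphere permission model for principals
# able to perform Guest Operations on VMs (the privileges M1018 above says to restrict).
# Privilege IDs and the role/permission/propagation semantics follow vSphere; the inventory,
# roles and permissions below are constructed sample data, not a real environment.
from collections import namedtuple

# vSphere privilege IDs behind StartProgramInGuest, guest file transfer and ListProcessesInGuest.
GUEST_OPS_PRIVS = {"VirtualMachine.GuestOperations.Execute",
                   "VirtualMachine.GuestOperations.Modify",
                   "VirtualMachine.GuestOperations.Query"}

# principal: user/group; role: role name; entity: object the permission is set on;
# propagate: vSphere "Propagate to children" flag.
Permission = namedtuple("Permission", "principal role entity propagate")

def effective_guest_ops(inventory, roles, permissions):
    """Return {vm: {principal: guest-ops privileges}} for every VM where some principal
    holds a Guest Operations privilege. vSphere rules: a permission set nearer the VM
    replaces an ancestor's for that principal; an ancestor's permission reaches the VM
    only if propagate is True. inventory maps each object to its parent (None = root)."""
    result = {}
    for vm in (e for e in inventory if e.startswith("vm:")):
        resolved, node, depth = {}, vm, 0
        while node is not None:  # walk from the VM up to the inventory root
            for p in permissions:
                if (p.entity == node and p.principal not in resolved
                        and (depth == 0 or p.propagate)):
                    resolved[p.principal] = roles[p.role]
            node, depth = inventory[node], depth + 1
        hits = {pr: privs & GUEST_OPS_PRIVS for pr, privs in resolved.items()
                if privs & GUEST_OPS_PRIVS}
        if hits:
            result[vm] = hits
    return result

# Constructed sample: datacenter -> folder -> VMs, plus one VM directly under the datacenter.
INVENTORY = {"dc:Prod": None, "folder:Web": "dc:Prod", "vm:web01": "folder:Web",
             "vm:web02": "folder:Web", "vm:db01": "dc:Prod"}
ROLES = {"Administrator": {"System.View", *GUEST_OPS_PRIVS},
         "ReadOnly": {"System.View", "System.Read"},
         "BackupOperator": {"System.View", "VirtualMachine.GuestOperations.Query"}}
PERMISSIONS = [
    Permission("VSPHERE.LOCAL\\Administrator", "Administrator", "dc:Prod", True),
    Permission("CORP\\backup-svc", "BackupOperator", "folder:Web", True),
    Permission("CORP\\backup-svc", "ReadOnly", "vm:web01", False),    # nearer grant overrides
    Permission("CORP\\helpdesk", "Administrator", "dc:Prod", False),  # no propagation: no VM reach
]

def audit():
    return effective_guest_ops(INVENTORY, ROLES, PERMISSIONS)
```

Running `audit()` lists, per VM, only the principals that can actually invoke guest operations there; anything beyond the expected administrators and service accounts is a candidate for the permission tightening M1018 describes.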

Threat Groups (1)

| ID | Group | Context |
| --- | --- | --- |
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) used `vmtoolsd.exe` to run commands on guest virtual machines from a compromised ESXi host.(Citation:... |

Associated Software (1)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S1217 | VIRTUALPITA | Malware | [VIRTUALPITA](https://attack.mitre.org/software/S1217) can execute commands on guest virtual machines from compromised ESXi hypervisors.(Citation: Goo... |

Frequently Asked Questions

What is T1675 (ESXi Administration Command)?

T1675 is a MITRE ATT&CK technique named 'ESXi Administration Command'. It belongs to the Execution tactic. Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual environment. Persistent background services on ESXi-hosted VMs, such as the VMware Tools Daemon Service, allow for remote management from the ESXi server.

How can T1675 be detected?

Detection of T1675 (ESXi Administration Command) typically involves monitoring system logs, network traffic, and endpoint telemetry for the guest operations described above (VMware Tools daemon activity on guests and vSphere guest-operation API calls). Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1675?

There is 1 documented mitigation for T1675: User Account Management (M1018).

Which threat groups use T1675?

Known threat groups using T1675 include: UNC3886.