T1059.012 Hypervisor CLI Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousCommands = dynamic([
  "esxcli vm process kill", "esxcli vm process list",
  "vim-cmd vmsvc/power.off", "vim-cmd vmsvc/getallvms",
  "esxcli system maintenanceMode",
  "esxcli network firewall", "esxcli network ip",
  "esxcli software vib install", "esxcli software vib remove",
  "esxcli software acceptance set",
  "esxcli system syslog", "esxcli system settings advanced",
  "vim-cmd hostsvc/enable_ssh", "vim-cmd hostsvc/start_ssh",
  "vim-cmd solo/registervm",
  "/sbin/esxcli", "/bin/vim-cmd",
  "chmod +x", "nohup",
  ".vmdk", ".vmx", ".vmsd", ".vmsn"
]);
Syslog
| where TimeGenerated > ago(24h)
| where Computer has_any ("esx", "vmware") or ProcessName has_any ("esxcli", "vim-cmd", "hostd", "vpxa")
| where SyslogMessage has_any (SuspiciousCommands)
| extend VMKill = SyslogMessage has_any ("vm process kill", "power.off")
| extend VIBInstall = SyslogMessage has "vib install"
| extend FirewallChange = SyslogMessage has "network firewall"
| extend SSHEnable = SyslogMessage has_any ("enable_ssh", "start_ssh")
| extend SyslogModify = SyslogMessage has "system syslog"
| project TimeGenerated, Computer, ProcessName, SyslogMessage,
         VMKill, VIBInstall, FirewallChange, SSHEnable, SyslogModify
| sort by TimeGenerated desc

critical severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Application Log: Application Log Content

Required Tables

Syslog

False Positives

VMware administrators performing routine VM management (start/stop VMs during maintenance)
Patching operations installing legitimate VIBs during scheduled maintenance windows
Infrastructure automation tools (vRealize, Ansible) managing ESXi hosts

Splunk

spl

index=esxi OR index=vmware OR index=syslog sourcetype="vmware:esxi:syslog" OR sourcetype="syslog"
  ("esxcli" OR "vim-cmd" OR "esxcfg-")
| eval VMKill=if(match(_raw, "(vm process kill|vmsvc/power\.off)"), 1, 0)
| eval VMList=if(match(_raw, "(vm process list|vmsvc/getallvms)"), 1, 0)
| eval VIBInstall=if(match(_raw, "(vib install|vib remove|acceptance set)"), 1, 0)
| eval FirewallChange=if(match(_raw, "network firewall"), 1, 0)
| eval SSHEnable=if(match(_raw, "(enable_ssh|start_ssh)"), 1, 0)
| eval SyslogModify=if(match(_raw, "system syslog"), 1, 0)
| eval SuspicionScore=VMKill*3 + VIBInstall*3 + FirewallChange*2 + SSHEnable*2 + SyslogModify*2 + VMList
| where SuspicionScore > 0
| table _time, host, sourcetype, _raw, VMKill, VIBInstall, FirewallChange, SSHEnable, SyslogModify, SuspicionScore
| sort - SuspicionScore, - _time

critical severity high confidence

Data Sources

Process: Process Creation Command: Command Execution VMware ESXi syslog

Required Sourcetypes

vmware:esxi:syslog syslog

False Positives

VMware administrators performing routine VM management during maintenance
Patching operations installing legitimate VIBs
Infrastructure automation tools managing ESXi hosts

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   host.os.type == "linux" and
   (
     process.name in ("esxcli", "vim-cmd", "esxcfg-firewall", "esxcfg-vswitch") or
     process.executable in ("/sbin/esxcli", "/bin/vim-cmd", "/sbin/esxcfg-firewall")
   ) and
   (
     process.args : ("vm process kill", "vm process list", "vmsvc/power.off", "vmsvc/getallvms",
                     "system maintenanceMode", "network firewall*", "network ip*",
                     "software vib install", "software vib remove", "software acceptance set",
                     "system syslog", "system settings advanced",
                     "hostsvc/enable_ssh", "hostsvc/start_ssh", "solo/registervm") or
     process.command_line : ("*chmod +x*", "*nohup *", "*.vmdk*", "*.vmx*", "*.vmsd*", "*.vmsn*")
   )
  ] by process.pid
| where
  (process.args : ("vm process kill", "vmsvc/power.off")) or
  (process.args : ("software vib install", "software vib remove", "software acceptance set")) or
  (process.args : ("network firewall*")) or
  (process.args : ("hostsvc/enable_ssh", "hostsvc/start_ssh")) or
  (process.args : ("system syslog"))

critical severity high confidence

Data Sources

Elastic Endpoint Agent on ESXi/Linux hosts Filebeat syslog input from ESXi hosts Elastic Agent process monitoring

Required Tables

logs-endpoint.events.process-* logs-system.syslog-*

False Positives

Authorized VMware administrators running routine maintenance tasks such as VIB updates, VM power management, or firewall reconfiguration via scheduled jobs or change windows
Monitoring and orchestration tools (vCenter, Ansible, Puppet) that invoke esxcli or vim-cmd programmatically as part of automated VM lifecycle management
Legitimate backup and DR software (Veeam, Zerto) that uses esxcli to enumerate VMs and snapshot states during scheduled backup windows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  hostname,
  username,
  "Process Name" AS process_name,
  "Command" AS command_line,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS event_category,
  CASE
    WHEN "Command" ILIKE '%vm process kill%' OR "Command" ILIKE '%vmsvc/power.off%' THEN 3
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%vib install%' OR "Command" ILIKE '%vib remove%' OR "Command" ILIKE '%acceptance set%' THEN 3
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%network firewall%' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%enable_ssh%' OR "Command" ILIKE '%start_ssh%' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%system syslog%' THEN 2
    ELSE 0
  END +
  CASE
    WHEN "Command" ILIKE '%vm process list%' OR "Command" ILIKE '%vmsvc/getallvms%' THEN 1
    ELSE 0
  END AS suspicion_score
FROM events
WHERE
  starttime > NOW() - 1 DAYS AND
  (
    "Process Name" ILIKE '%esxcli%' OR
    "Process Name" ILIKE '%vim-cmd%' OR
    "Process Name" ILIKE '%esxcfg-%' OR
    "Command" ILIKE '%/sbin/esxcli%' OR
    "Command" ILIKE '%/bin/vim-cmd%'
  ) AND
  (
    "Command" ILIKE '%vm process kill%' OR
    "Command" ILIKE '%vm process list%' OR
    "Command" ILIKE '%vmsvc/power.off%' OR
    "Command" ILIKE '%vmsvc/getallvms%' OR
    "Command" ILIKE '%system maintenanceMode%' OR
    "Command" ILIKE '%network firewall%' OR
    "Command" ILIKE '%network ip%' OR
    "Command" ILIKE '%vib install%' OR
    "Command" ILIKE '%vib remove%' OR
    "Command" ILIKE '%acceptance set%' OR
    "Command" ILIKE '%system syslog%' OR
    "Command" ILIKE '%system settings advanced%' OR
    "Command" ILIKE '%enable_ssh%' OR
    "Command" ILIKE '%start_ssh%' OR
    "Command" ILIKE '%solo/registervm%' OR
    "Command" ILIKE '%.vmdk%' OR
    "Command" ILIKE '%.vmx%' OR
    "Command" ILIKE '%nohup %' OR
    "Command" ILIKE '%chmod +x%'
  )
HAVING suspicion_score > 0
ORDER BY suspicion_score DESC, starttime DESC

critical severity high confidence

Data Sources

QRadar DSM for VMware ESXi syslog QRadar Linux OS DSM QRadar Universal DSM for ESXi audit logs

Required Tables

events

False Positives

VMware vCenter server invoking esxcli commands remotely during automated host provisioning, patching, or maintenance mode transitions
Authorized security scanning tools or vulnerability assessors enumerating ESXi configuration via esxcli network and system commands
Infrastructure-as-code pipelines (Terraform VMware provider, Ansible vmware_guest modules) executing vim-cmd commands during VM lifecycle operations

Sumo Logic CSE

sql

(_sourceCategory="vmware" OR _sourceCategory="esxi" OR _sourceCategory="linux/syslog")
("esxcli" OR "vim-cmd" OR "esxcfg-")
| parse regex "(?<process_name>esxcli|vim-cmd|esxcfg-\S+)" nodrop
| parse regex "(?<full_command>(?:esxcli|vim-cmd|/sbin/esxcli|/bin/vim-cmd)[^\n]+)" nodrop
| eval vm_kill = if(matches(full_command, ".*?(vm process kill|vmsvc/power\.off).*?"), 1, 0)
| eval vm_list = if(matches(full_command, ".*?(vm process list|vmsvc/getallvms).*?"), 1, 0)
| eval vib_install = if(matches(full_command, ".*?(vib install|vib remove|acceptance set).*?"), 1, 0)
| eval firewall_change = if(matches(full_command, ".*?network firewall.*?"), 1, 0)
| eval ssh_enable = if(matches(full_command, ".*?(enable_ssh|start_ssh).*?"), 1, 0)
| eval syslog_modify = if(matches(full_command, ".*?system syslog.*?"), 1, 0)
| eval maintenance_mode = if(matches(full_command, ".*?system maintenanceMode.*?"), 1, 0)
| eval file_staging = if(matches(full_command, ".*?(\.vmdk|\.vmx|\.vmsd|\.vmsn|chmod \+x|nohup ).*?"), 1, 0)
| eval suspicion_score = (vm_kill * 3) + (vib_install * 3) + (firewall_change * 2) + (ssh_enable * 2) + (syslog_modify * 2) + (maintenance_mode * 2) + vm_list + file_staging
| where suspicion_score > 0
| fields _messageTime, _sourceHost, process_name, full_command, vm_kill, vib_install, firewall_change, ssh_enable, syslog_modify, maintenance_mode, file_staging, suspicion_score
| sort by suspicion_score desc, _messageTime desc

critical severity high confidence

Data Sources

Sumo Logic Installed Collector on ESXi hosts via syslog VMware ESXi syslog forwarded to Sumo Logic HTTP source Linux OS source with ESXi management host logs

Required Tables

vmware esxi linux/syslog

False Positives

Scheduled maintenance scripts using esxcli for routine health checks, log rotation configuration, and VIB update workflows executed during approved change windows
VMware Site Recovery Manager or third-party DR solutions invoking vim-cmd vmsvc/power.off commands during planned failover testing
ESXi host profile enforcement tools that periodically apply and validate firewall rules and syslog forwarding settings via esxcli network and system commands

Google Chronicle / SecOps

yaral

rule t1059_012_hypervisor_cli_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects abuse of ESXi hypervisor CLI tools for VM termination, VIB installation, firewall manipulation, SSH enablement, and syslog tampering. Covers ransomware pre-encryption behavior and UNC3886-style espionage techniques."
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.012"
    reference = "https://attack.mitre.org/techniques/T1059/012/"
    created = "2026-04-16"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname != ""
    (
      $e.target.process.file.full_path = /\/sbin\/esxcli/ nocase or
      $e.target.process.file.full_path = /\/bin\/vim-cmd/ nocase or
      $e.target.process.file.full_path = /esxcfg-/ nocase or
      $e.target.process.file.basename = "esxcli" nocase or
      $e.target.process.file.basename = "vim-cmd" nocase
    )
    (
      $e.target.process.command_line = /vm process kill/ nocase or
      $e.target.process.command_line = /vm process list/ nocase or
      $e.target.process.command_line = /vmsvc\/power\.off/ nocase or
      $e.target.process.command_line = /vmsvc\/getallvms/ nocase or
      $e.target.process.command_line = /system maintenanceMode/ nocase or
      $e.target.process.command_line = /network firewall/ nocase or
      $e.target.process.command_line = /software vib install/ nocase or
      $e.target.process.command_line = /software vib remove/ nocase or
      $e.target.process.command_line = /software acceptance set/ nocase or
      $e.target.process.command_line = /system syslog/ nocase or
      $e.target.process.command_line = /system settings advanced/ nocase or
      $e.target.process.command_line = /hostsvc\/enable_ssh/ nocase or
      $e.target.process.command_line = /hostsvc\/start_ssh/ nocase or
      $e.target.process.command_line = /solo\/registervm/ nocase or
      $e.target.process.command_line = /\.vmdk/ nocase or
      $e.target.process.command_line = /\.vmx[^\w]/ nocase or
      $e.target.process.command_line = /chmod \+x/ nocase or
      $e.target.process.command_line = /nohup / nocase
    )

  match:
    $e.principal.hostname over 5m

  outcome:
    $risk_score = max(
      if($e.target.process.command_line = /vm process kill/ nocase or
         $e.target.process.command_line = /vmsvc\/power\.off/ nocase, 90) +
      if($e.target.process.command_line = /software vib install/ nocase or
         $e.target.process.command_line = /software vib remove/ nocase or
         $e.target.process.command_line = /software acceptance set/ nocase, 85) +
      if($e.target.process.command_line = /network firewall/ nocase, 70) +
      if($e.target.process.command_line = /hostsvc\/enable_ssh/ nocase or
         $e.target.process.command_line = /hostsvc\/start_ssh/ nocase, 70) +
      if($e.target.process.command_line = /system syslog/ nocase, 65) +
      if($e.target.process.command_line = /system maintenanceMode/ nocase, 60) +
      if($e.target.process.command_line = /vm process list/ nocase or
         $e.target.process.command_line = /vmsvc\/getallvms/ nocase, 40)
    )
    $hostname = $e.principal.hostname
    $command = $e.target.process.command_line
    $process = $e.target.process.file.basename

  condition:
    $e
}

critical severity high confidence

Data Sources

Chronicle UDM feed from VMware ESXi syslog Google Cloud Chronicle with ESXi log ingestion via Bindplane or forwarder Chronicle SIEM with Linux process event ingestion from hypervisor hosts

Required Tables

process_launch UDM events from ESXi/Linux sources

False Positives

Legitimate VMware vSphere administrators executing planned VM migrations, snapshots, or power state changes via esxcli or vim-cmd from authorized management workstations
Automated compliance checking or configuration management tools (Chef, Puppet, Ansible) using ESXi CLI commands to enforce and validate host hardening baselines
VMware Tanzu or Kubernetes management planes interacting with ESXi hosts via vim-cmd for node lifecycle operations during cluster scaling events

CrowdStrike LogScale (CQL)

cql

#event_simpleName = ProcessRollup2
| ImageFileName = /(\/sbin\/esxcli|\/bin\/vim-cmd|esxcfg-)/ OR FileName in ("esxcli", "vim-cmd")
| CommandLine = /(vm process kill|vm process list|vmsvc\/power\.off|vmsvc\/getallvms|system maintenanceMode|network firewall|software vib install|software vib remove|software acceptance set|system syslog|system settings advanced|hostsvc\/enable_ssh|hostsvc\/start_ssh|solo\/registervm|\.vmdk|\.vmsd|\.vmsn|chmod \+x|nohup )/
| eval(
    vm_kill = if(CommandLine = /(vm process kill|vmsvc\/power\.off)/, 3, 0),
    vib_install = if(CommandLine = /(software vib install|software vib remove|software acceptance set)/, 3, 0),
    firewall_change = if(CommandLine = /network firewall/, 2, 0),
    ssh_enable = if(CommandLine = /(hostsvc\/enable_ssh|hostsvc\/start_ssh)/, 2, 0),
    syslog_modify = if(CommandLine = /system syslog/, 2, 0),
    maintenance_mode = if(CommandLine = /system maintenanceMode/, 2, 0),
    vm_enum = if(CommandLine = /(vm process list|vmsvc\/getallvms)/, 1, 0),
    file_stage = if(CommandLine = /(\.vmdk|\.vmx|\.vmsd|\.vmsn|chmod \+x|nohup )/, 1, 0)
  )
| eval(suspicion_score = vm_kill + vib_install + firewall_change + ssh_enable + syslog_modify + maintenance_mode + vm_enum + file_stage)
| where(suspicion_score > 0)
| groupBy(
    [ComputerName, UserName, FileName, CommandLine, vm_kill, vib_install, firewall_change, ssh_enable, syslog_modify, maintenance_mode, vm_enum, file_stage, suspicion_score],
    function=count(aid, as=event_count)
  )
| sort(suspicion_score, order=desc)
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, vm_kill, vib_install, firewall_change, ssh_enable, syslog_modify, suspicion_score, event_count])

critical severity high confidence

Data Sources

CrowdStrike Falcon sensor deployed on ESXi hosts (Falcon for Linux/ESXi) Falcon LogScale with Falcon Data Replicator (FDR) process events CrowdStrike Event Stream API for real-time ProcessRollup2 events

Required Tables

ProcessRollup2 (FDR) UserLogon (FDR)

False Positives

CrowdStrike Falcon sensor deployment scripts or host configuration automation running esxcli commands to validate kernel module installation and sensor health on ESXi hosts
Authorized change management activities where system administrators use esxcli bulk commands to apply security patches, VIB updates, or firewall hardening across multiple ESXi hosts during maintenance windows
Third-party VMware integration tools and monitoring agents (Datadog, Dynatrace, Zabbix) using vim-cmd or esxcli queries to collect VM inventory, performance metrics, and host state for observability pipelines

Hypervisor CLI

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections