T1059.012 Google Chronicle · YARA-L

Detect Hypervisor CLI in Google Chronicle

Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs enable functionality for managing both the hypervisor and guest virtual machines. On ESXi systems, tools such as esxcli and vim-cmd allow administrators to configure firewall rules, manage log forwarding, list/start/stop virtual machines, and more. Adversaries leverage these tools for discovery, VM termination (ransomware), firewall manipulation, and persistence. UNC3886 used esxcli extensively for malware installation and artifact removal. Ransomware families including Cheerscrypt, Royal, and BlackBasta use esxcli to enumerate and terminate VMs before encryption.

MITRE ATT&CK

Tactic
Execution
Technique
T1059 Command and Scripting Interpreter
Sub-technique
T1059.012 Hypervisor CLI
Canonical reference
https://attack.mitre.org/techniques/T1059/012/

YARA-L Detection Query

Google Chronicle (YARA-L)
```yaral
rule t1059_012_hypervisor_cli_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects abuse of ESXi hypervisor CLI tools for VM termination, VIB installation, firewall manipulation, SSH enablement, and syslog tampering. Covers ransomware pre-encryption behavior and UNC3886-style espionage techniques."
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.012"
    reference = "https://attack.mitre.org/techniques/T1059/012/"
    created = "2026-04-16"
    version = "1.0"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname != ""
    // Bind the match variable here; the match section groups on it.
    $hostname = $e.principal.hostname

    // The launched binary must be a hypervisor CLI (esxcli, vim-cmd, or an esxcfg-* helper).
    (
      $e.target.process.file.full_path = /\/sbin\/esxcli/ nocase or
      $e.target.process.file.full_path = /\/bin\/vim-cmd/ nocase or
      $e.target.process.file.full_path = /esxcfg-/ nocase or
      $e.target.process.file.basename = "esxcli" nocase or
      $e.target.process.file.basename = "vim-cmd" nocase
    )

    // ...and the command line must carry a sensitive sub-command or a VM artefact reference.
    (
      $e.target.process.command_line = /vm process kill/ nocase or
      $e.target.process.command_line = /vm process list/ nocase or
      $e.target.process.command_line = /vmsvc\/power\.off/ nocase or
      $e.target.process.command_line = /vmsvc\/getallvms/ nocase or
      $e.target.process.command_line = /system maintenanceMode/ nocase or
      $e.target.process.command_line = /network firewall/ nocase or
      $e.target.process.command_line = /software vib install/ nocase or
      $e.target.process.command_line = /software vib remove/ nocase or
      $e.target.process.command_line = /software acceptance set/ nocase or
      $e.target.process.command_line = /system syslog/ nocase or
      $e.target.process.command_line = /system settings advanced/ nocase or
      $e.target.process.command_line = /hostsvc\/enable_ssh/ nocase or
      $e.target.process.command_line = /hostsvc\/start_ssh/ nocase or
      $e.target.process.command_line = /solo\/registervm/ nocase or
      $e.target.process.command_line = /\.vmdk/ nocase or
      $e.target.process.command_line = /\.vmx[^\w]/ nocase or
      $e.target.process.command_line = /chmod \+x/ nocase or
      $e.target.process.command_line = /nohup / nocase
    )

  match:
    $hostname over 5m

  outcome:
    // Per event: the sum of the categories its command line matches.
    // Per 5-minute window: the highest per-event score.
    $risk_score = max(
      if($e.target.process.command_line = /vm process kill/ nocase or
         $e.target.process.command_line = /vmsvc\/power\.off/ nocase, 90) +
      if($e.target.process.command_line = /software vib install/ nocase or
         $e.target.process.command_line = /software vib remove/ nocase or
         $e.target.process.command_line = /software acceptance set/ nocase, 85) +
      if($e.target.process.command_line = /network firewall/ nocase, 70) +
      if($e.target.process.command_line = /hostsvc\/enable_ssh/ nocase or
         $e.target.process.command_line = /hostsvc\/start_ssh/ nocase, 70) +
      if($e.target.process.command_line = /system syslog/ nocase, 65) +
      if($e.target.process.command_line = /system maintenanceMode/ nocase, 60) +
      if($e.target.process.command_line = /vm process list/ nocase or
         $e.target.process.command_line = /vmsvc\/getallvms/ nocase, 40)
    )
    // Event fields must be aggregated when a match window is in use; the
    // hostname itself is already carried by the match variable.
    $commands = array_distinct($e.target.process.command_line)
    $processes = array_distinct($e.target.process.file.basename)

  condition:
    $e
}
```

Severity: critical · Confidence: high

Chronicle YARA-L 2.0 rule detecting ESXi hypervisor CLI abuse across all five attack categories: VM termination (ransomware), VIB installation (persistence/backdoor), firewall manipulation (defense evasion), SSH enablement (persistent access), and syslog tampering (log evasion). Risk scoring surfaces highest-priority events.

Data Sources

  • Chronicle UDM feed from VMware ESXi syslog
  • Google Cloud Chronicle with ESXi log ingestion via Bindplane or forwarder
  • Chronicle SIEM with Linux process event ingestion from hypervisor hosts

Required Tables

process_launch UDM events from ESXi/Linux sources

False Positives & Tuning

  • Legitimate VMware vSphere administrators executing planned VM migrations, snapshots, or power state changes via esxcli or vim-cmd from authorized management workstations
  • Automated compliance checking or configuration management tools (Chef, Puppet, Ansible) using ESXi CLI commands to enforce and validate host hardening baselines
  • VMware Tanzu or Kubernetes management planes interacting with ESXi hosts via vim-cmd for node lifecycle operations during cluster scaling events
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: ESXi VM Enumeration Simulation

    Expected signal: Syslog message with facility local7 containing 'esxcli vm process list'. This validates that ESXi-format syslog messages are being ingested by the SIEM.

  2. Test 2: ESXi VIB Installation Simulation

    Expected signal: Syslog message with facility local7 containing 'vib install' and '--no-sig-check'. The --no-sig-check flag bypasses signature verification.

  3. Test 3: ESXi VM Kill Simulation

    Expected signal: Syslog message with facility local7 containing 'vm process kill --type=force'. The force kill type is used by ransomware to immediately terminate VMs.
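The following Python script is an added example, not code from the page or from Argus Detection Engineering. It re-implements the rule's logic offline so the three tests above can be checked against sample telemetry before the rule is deployed: it parses lines shaped like forwarded ESXi shell.log entries (the sample lines are constructed, not real), maps each to a UDM-style PROCESS_LAUNCH event, applies the same binary and command-line predicates and the same risk table as the rule, and approximates the `over 5m` match window with fixed 5-minute buckets per hostname. The `allowlisted_hosts` parameter is an assumption added to illustrate the host-based tuning described in the False Positives section.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in the shape of forwarded ESXi shell.log entries.
# Fabricated for this example; not real telemetry.
SAMPLE_SHELL_LOG = """\
2026-04-16T10:01:02Z esx01 shell[20991]: [root]: esxcli vm process list
2026-04-16T10:01:09Z esx01 shell[20991]: [root]: esxcli vm process kill --type=force --world-id=2101
2026-04-16T10:02:30Z esx02 shell[31002]: [root]: esxcli software vib install -v /tmp/tool.vib --no-sig-check
2026-04-16T10:03:00Z esx03 shell[41015]: [root]: vim-cmd vmsvc/getallvms
2026-04-16T10:05:00Z esx03 shell[41015]: [root]: ls /vmfs/volumes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$"
)

# Command-line patterns mirroring the rule's second predicate group.
COMMAND_PATTERNS = [
    r"vm process kill", r"vm process list", r"vmsvc/power\.off", r"vmsvc/getallvms",
    r"system maintenanceMode", r"network firewall", r"software vib install",
    r"software vib remove", r"software acceptance set", r"system syslog",
    r"system settings advanced", r"hostsvc/enable_ssh", r"hostsvc/start_ssh",
    r"solo/registervm", r"\.vmdk", r"\.vmx[^\w]", r"chmod \+x", r"nohup ",
]
COMMAND_RE = re.compile("|".join(f"(?:{p})" for p in COMMAND_PATTERNS), re.IGNORECASE)

# (pattern, score) pairs mirroring the rule's outcome section.
SCORE_TABLE = [
    (r"vm process kill|vmsvc/power\.off", 90),
    (r"software vib install|software vib remove|software acceptance set", 85),
    (r"network firewall", 70),
    (r"hostsvc/enable_ssh|hostsvc/start_ssh", 70),
    (r"system syslog", 65),
    (r"system maintenanceMode", 60),
    (r"vm process list|vmsvc/getallvms", 40),
]
SCORE_RES = [(re.compile(p, re.IGNORECASE), s) for p, s in SCORE_TABLE]

WINDOW_SECONDS = 300  # the rule's "over 5m" match window


def parse_shell_log(text):
    """Map shell.log lines to UDM-shaped PROCESS_LAUNCH events (simplified mapping, an assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are dropped, as a parser would skip unknown formats
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        cmd = m["cmd"].strip()
        exe = cmd.split()[0]
        events.append({
            "metadata": {"event_type": "PROCESS_LAUNCH", "event_timestamp": ts},
            "principal": {"hostname": m["host"], "user": {"userid": m["user"]}},
            "target": {"process": {
                "command_line": cmd,
                "file": {"full_path": exe, "basename": exe.rsplit("/", 1)[-1]},
            }},
        })
    return events


def event_matches(ev):
    """The rule's events section: a hypervisor CLI binary AND a sensitive sub-command."""
    proc = ev["target"]["process"]
    basename = proc["file"]["basename"].lower()
    is_cli = basename in ("esxcli", "vim-cmd") or basename.startswith("esxcfg-")
    return (ev["metadata"]["event_type"] == "PROCESS_LAUNCH" and is_cli
            and COMMAND_RE.search(proc["command_line"]) is not None)


def risk_for_command(cmd):
    """Per-event score: the sum of every category the command line matches."""
    return sum(score for rx, score in SCORE_RES if rx.search(cmd))


def detect(events, allowlisted_hosts=frozenset()):
    """Bucket matching events per hostname into 5-minute windows and score each bucket."""
    buckets = defaultdict(list)
    for ev in events:
        host = ev["principal"]["hostname"]
        if host in allowlisted_hosts or not event_matches(ev):
            continue
        slot = int(ev["metadata"]["event_timestamp"].timestamp()) // WINDOW_SECONDS
        buckets[(host, slot)].append(ev)
    detections = []
    for (host, _slot), evs in sorted(buckets.items()):
        cmds = [e["target"]["process"]["command_line"] for e in evs]
        detections.append({
            "hostname": host,
            "risk_score": max(risk_for_command(c) for c in cmds),
            "commands": sorted(set(cmds)),
            "processes": sorted({e["target"]["process"]["file"]["basename"] for e in evs}),
        })
    return detections


if __name__ == "__main__":
    for d in detect(parse_shell_log(SAMPLE_SHELL_LOG)):
        print(f"{d['hostname']:6} risk={d['risk_score']:3} {d['commands']}")
```

On the sample input the script yields one detection per host: esx01 scores 90 (the force kill outranks the earlier enumeration in the same window), esx02 scores 85 for the unsigned VIB install, and esx03 scores 40 for enumeration only, while the plain `ls` never reaches scoring because it fails the binary predicate. Real Chronicle windows are sliding rather than fixed buckets, so treat the grouping as an approximation of the rule, not a replica.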
