Detect Hypervisor CLI in Splunk
Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs enable functionality for managing both the hypervisor and guest virtual machines. On ESXi systems, tools such as esxcli and vim-cmd allow administrators to configure firewall rules, manage log forwarding, list/start/stop virtual machines, and more. Adversaries leverage these tools for discovery, VM termination (ransomware), firewall manipulation, and persistence. UNC3886 used esxcli extensively for malware installation and artifact removal. Ransomware families including Cheerscrypt, Royal, and BlackBasta use esxcli to enumerate and terminate VMs before encryption.
MITRE ATT&CK
- Tactic
- Execution
- Technique
- T1059 Command and Scripting Interpreter
- Sub-technique
- T1059.012 Hypervisor CLI
- Canonical reference
- https://attack.mitre.org/techniques/T1059/012/
SPL Detection Query
index=esxi OR index=vmware OR index=syslog sourcetype="vmware:esxi:syslog" OR sourcetype="syslog"
("esxcli" OR "vim-cmd" OR "esxcfg-")
| eval VMKill=if(match(_raw, "(vm process kill|vmsvc/power\.off)"), 1, 0)
| eval VMList=if(match(_raw, "(vm process list|vmsvc/getallvms)"), 1, 0)
| eval VIBInstall=if(match(_raw, "(vib install|vib remove|acceptance set)"), 1, 0)
| eval FirewallChange=if(match(_raw, "network firewall"), 1, 0)
| eval SSHEnable=if(match(_raw, "(enable_ssh|start_ssh)"), 1, 0)
| eval SyslogModify=if(match(_raw, "system syslog"), 1, 0)
| eval SuspicionScore=VMKill*3 + VIBInstall*3 + FirewallChange*2 + SSHEnable*2 + SyslogModify*2 + VMList
| where SuspicionScore > 0
| table _time, host, sourcetype, _raw, VMKill, VIBInstall, FirewallChange, SSHEnable, SyslogModify, SuspicionScore
| sort - SuspicionScore, - _timeDetects suspicious ESXi CLI commands from syslog. Evaluates for VM termination (ransomware), VIB installation (persistence), firewall manipulation, SSH enablement, and syslog modification. VM killing and VIB installation scored highest (3x) as they indicate active ransomware or advanced persistent threat activity.
Data Sources
Required Sourcetypes
False Positives & Tuning
- VMware administrators performing routine VM management during maintenance
- Patching operations installing legitimate VIBs
- Infrastructure automation tools managing ESXi hosts
Other platforms for T1059.012
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1ESXi VM Enumeration Simulation
Expected signal: Syslog message with facility local7 containing 'esxcli vm process list'. This validates that ESXi-format syslog messages are being ingested by the SIEM.
- Test 2ESXi VIB Installation Simulation
Expected signal: Syslog message with facility local7 containing 'vib install' and '--no-sig-check'. The --no-sig-check flag bypasses signature verification.
- Test 3ESXi VM Kill Simulation
Expected signal: Syslog message with facility local7 containing 'vm process kill --type=force'. The force kill type is used by ransomware to immediately terminate VMs.
References (6)
- https://attack.mitre.org/techniques/T1059/012/
- https://developer.broadcom.com/xapis/esxcli-command-reference/latest/
- https://lolesxi-project.github.io/LOLESXi/
- https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence
- https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
Unlock Pro Content
Get the full detection package for T1059.012 including response playbook, investigation guide, and atomic red team tests.