T1505.006

vSphere Installation Bundles

Adversaries abuse VMware vSphere Installation Bundles (VIBs) to achieve persistent access on ESXi hypervisors. VIBs are software packages that persist across reboots by being incorporated into the ESXi boot image. Malicious VIBs can deploy backdoors, custom firewall rules, and startup scripts. UNC3886 used malicious VIBs to install VIRTUALPIE backdoor on ESXi. VIBs can be installed with --force flag to bypass acceptance level requirements, and adversaries masquerade them as PartnerSupported by modifying the XML descriptor. ESXi detection is challenging due to limited logging.

Microsoft Sentinel / Defender

kusto

// T1505.006 — vSphere Installation Bundle (VIB) detection
// ESXi is not typically covered by MDE; this query targets vCenter management events
// Part 1: Detect esxcli or vSphere CLI commands for VIB installation from Windows management hosts
let VIBInstallCLI = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("esxcli.exe", "esxcfg-dumppart.exe", "vicfg-nics.pl",
                      "powercli.exe", "vmwarecli.exe")
    or ProcessCommandLine has_any ("software vib install", "vib install", "--vibs",
                                   "software vib list", "esxcli software")
| extend DetectionType = "VIB_Install_CLI_Command"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect PowerCLI commands for VIB management from Windows hosts
let VIBPowerCLI = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Install-EsxSoftwarePackage", "Add-EsxSoftwareDepot",
                                    "Get-EsxSoftwarePackage", "software vib",
                                    "esxcli.software.vib", "--force", "esxupdate")
    and ProcessCommandLine has_any ("vib", "esxi", "vmware", "vsphere")
| extend DetectionType = "VIB_PowerCLI_Management"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect .vib or .zip files that could be VIB packages written to disk
let VIBFileDrop = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| where FileName endswith ".vib" or FileName endswith ".vgz"
| extend DetectionType = "VIB_File_Created"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union VIBInstallCLI, VIBPowerCLI, VIBFileDrop
| sort by Timestamp desc

critical severity medium confidence

Data Sources

Process: Process Creation File: File Creation Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents DeviceFileEvents

False Positives

Legitimate VMware administrator deploying authorized VIBs for driver updates or vSAN components
VMware Update Manager (VUM) performing scheduled ESXi patch deployments
VMware Tools upgrades that deploy VIB packages to ESXi hosts
Authorized network adapter or storage driver VIBs installed by infrastructure team

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and (
    process.name : ("esxcli.exe", "esxcfg-dumppart.exe", "powercli.exe", "vmwarecli.exe") or
    (process.args : ("software", "vib", "install") and process.args : ("esxcli", "--vibs", "esxcli.software")) or
    (process.name : ("powershell.exe", "pwsh.exe") and
      process.args : ("Install-EsxSoftwarePackage", "Add-EsxSoftwareDepot", "Get-EsxSoftwarePackage", "esxcli.software.vib", "esxupdate"))
  )]
any where true

// Alternative: standalone file detection
// file where event.action == "creation" and file.extension : ("vib", "vgz")

// Standalone process detection (no sequence required)
// process where event.type == "start" and (
//   process.name : ("esxcli.exe", "esxcfg-dumppart.exe", "powercli.exe", "vmwarecli.exe") or
//   (process.name : ("powershell.exe", "pwsh.exe") and
//    process.command_line : ("*Install-EsxSoftwarePackage*", "*Add-EsxSoftwareDepot*",
//                            "*esxcli.software.vib*", "*esxupdate*", "*--force*vib*"))
// )

process where event.type == "start" and (
  process.name : ("esxcli.exe", "esxcfg-dumppart.exe", "powercli.exe", "vmwarecli.exe") or
  (process.command_line : ("*software vib install*", "*vib install*", "*--vibs*", "*esxcli software*")) or
  (process.name : ("powershell.exe", "pwsh.exe") and
   process.command_line : ("*Install-EsxSoftwarePackage*", "*Add-EsxSoftwareDepot*",
                           "*Get-EsxSoftwarePackage*", "*esxcli.software.vib*",
                           "*esxupdate*", "*--force*") and
   process.command_line : ("*vib*", "*esxi*", "*vmware*", "*vsphere*"))
)

high severity medium confidence

Data Sources

Elastic Endpoint Security Winlogbeat with Sysmon Elastic Agent (Windows)

Required Tables

logs-endpoint.events.process-* logs-endpoint.events.file-* winlogbeat-*

False Positives

Legitimate VMware administrators installing authorized update VIBs or vendor patches during scheduled maintenance windows
Automated patch management scripts using esxcli or PowerCLI as part of approved infrastructure-as-code pipelines
Security tooling vendors (Carbon Black, CrowdStrike) deploying their own ESXi sensor VIBs as part of authorized endpoint protection deployment

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "File Path" AS file_path,
  CASE
    WHEN ("Process Name" ILIKE '%esxcli%' OR "Process Name" ILIKE '%powercli%' OR "Process Name" ILIKE '%vmwarecli%')
      OR ("Command" ILIKE '%software vib install%' OR "Command" ILIKE '%--vibs%' OR "Command" ILIKE '%esxcli software%')
      THEN 'VIB_CLI_Install_Command'
    WHEN ("Process Name" ILIKE '%powershell%' OR "Process Name" ILIKE '%pwsh%')
      AND ("Command" ILIKE '%Install-EsxSoftwarePackage%' OR "Command" ILIKE '%Add-EsxSoftwareDepot%'
           OR "Command" ILIKE '%esxcli.software.vib%' OR "Command" ILIKE '%esxupdate%')
      AND ("Command" ILIKE '%vib%' OR "Command" ILIKE '%esxi%' OR "Command" ILIKE '%vsphere%')
      THEN 'VIB_PowerCLI_Management'
    WHEN ("File Path" ILIKE '%.vib' OR "File Path" ILIKE '%.vgz')
      THEN 'VIB_File_Drop'
    WHEN UTF8(payload) ILIKE '%software vib install%'
      OR UTF8(payload) ILIKE '%esxcli%vib%install%'
      OR UTF8(payload) ILIKE '%-force%vib%'
      THEN 'ESXi_VIB_Install_Syslog'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon', 'Linux OS', 'VMware ESXi')
  AND starttime > NOW() - 86400000
  AND (
    "Process Name" ILIKE '%esxcli%'
    OR "Process Name" ILIKE '%powercli%'
    OR "Process Name" ILIKE '%vmwarecli%'
    OR "Command" ILIKE '%software vib install%'
    OR "Command" ILIKE '%--vibs%'
    OR "Command" ILIKE '%esxcli software%'
    OR (
      ("Process Name" ILIKE '%powershell%' OR "Process Name" ILIKE '%pwsh%')
      AND (
        "Command" ILIKE '%Install-EsxSoftwarePackage%'
        OR "Command" ILIKE '%Add-EsxSoftwareDepot%'
        OR "Command" ILIKE '%esxcli.software.vib%'
        OR "Command" ILIKE '%esxupdate%'
      )
    )
    OR "File Path" ILIKE '%.vib'
    OR "File Path" ILIKE '%.vgz'
    OR UTF8(payload) ILIKE '%software vib install%'
    OR UTF8(payload) ILIKE '%esxcli%vib%install%'
  )
ORDER BY event_time DESC

high severity medium confidence

Data Sources

Windows Security Event Log Sysmon (via WinCollect) Linux/ESXi syslog via QRadar DSM VMware ESXi log source

Required Tables

events

False Positives

VMware update manager (vLCM) performing scheduled ESXi baseline remediation will trigger VIB install CLI detections from vCenter server processes
Third-party monitoring agents (Tanium, BigFix) querying ESXi VIB inventory via esxcli for compliance reporting without installing anything
Developer or lab environments where engineers routinely test custom VIBs as part of ESXi driver or tool development workflows

Sumo Logic CSE

sql

// Part 1: Windows Sysmon process events — VIB CLI and PowerCLI
(_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon")
| where EventID = 1
| parse "<Image><![CDATA[*]]></Image>" as process_image nodrop
| parse "<CommandLine><![CDATA[*]]></CommandLine>" as command_line nodrop
| parse "<User><![CDATA[*]]></User>" as user nodrop
| parse "<Computer>*</Computer>" as host nodrop
| where (
    matches(process_image, "(?i).*(esxcli|esxcfg-dumppart|powercli|vmwarecli)\.exe.*")
    OR matches(command_line, "(?i).*(software\s+vib\s+install|--vibs|esxcli\s+software).*")
    OR (
      matches(process_image, "(?i).*(powershell|pwsh)\.exe.*")
      AND matches(command_line, "(?i).*(Install-EsxSoftwarePackage|Add-EsxSoftwareDepot|Get-EsxSoftwarePackage|esxcli\.software\.vib|esxupdate).*")
      AND matches(command_line, "(?i).*(vib|esxi|vmware|vsphere).*")
    )
  )
| if (matches(process_image, "(?i).*(esxcli|esxcfg-dumppart|powercli|vmwarecli)\.exe.*"), "VIB_CLI_Install_Command",
    if (matches(command_line, "(?i).*(Install-EsxSoftwarePackage|Add-EsxSoftwareDepot|esxcli\.software\.vib).*"), "VIB_PowerCLI_Management", "VIB_Generic")) as detection_type
| fields _messageTime, host, user, process_image, command_line, detection_type

// Part 2: Sysmon file create events for .vib/.vgz drops
// (_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon")
// | where EventID = 11
// | parse "<TargetFilename><![CDATA[*]]></TargetFilename>" as target_file nodrop
// | where matches(target_file, "(?i).*\.(vib|vgz)$")
// | "VIB_File_Drop" as detection_type

// Part 3: ESXi/Linux syslog VIB install via shell
// (_sourceCategory="os/linux" OR _sourceCategory="vmware/esxi")
// | where matches(_raw, "(?i).*(software\s+vib\s+install|esxcli.*vib.*install|--force.*vib).*")
// | "ESXi_VIB_Syslog_Install" as detection_type

| count by detection_type, host, user, process_image
| sort by _count desc

high severity medium confidence

Data Sources

Sysmon via Sumo Logic Windows Collection Linux syslog VMware ESXi syslog (if forwarded)

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=os/linux _sourceCategory=vmware/esxi

False Positives

VMware Lifecycle Manager (vLCM) and vCenter Update Manager executing esxcli commands as part of automated ESXi patching workflows
Infrastructure automation tools like Ansible with community.vmware collection using PowerCLI cmdlets for configuration management
Security teams conducting authorized red team exercises or VIB-based persistence testing against non-production ESXi environments

Google Chronicle / SecOps

yaral

rule T1505_006_vSphere_VIB_Installation {
  meta:
    author = "df00tech"
    description = "Detects vSphere Installation Bundle (VIB) installation from Windows management hosts targeting ESXi hypervisors. Covers esxcli/PowerCLI CLI execution, PowerShell-based VIB management, and VIB package file creation."
    reference = "https://attack.mitre.org/techniques/T1505/006/"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1505.006"
    created = "2026-04-20"

  events:
    (
      // Pattern 1: esxcli or PowerCLI binary execution
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      $e1.metadata.vendor_name = "Microsoft"
      $e1.principal.hostname = $host
      (
        re.regex($e1.target.process.file.full_path, `(?i)(esxcli|esxcfg-dumppart|powercli|vmwarecli)\.exe$`) or
        re.regex($e1.target.process.command_line, `(?i)(software\s+vib\s+install|--vibs|esxcli\s+software)`) or
        (
          re.regex($e1.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
          re.regex($e1.target.process.command_line, `(?i)(Install-EsxSoftwarePackage|Add-EsxSoftwareDepot|Get-EsxSoftwarePackage|esxcli\.software\.vib|esxupdate)`) and
          re.regex($e1.target.process.command_line, `(?i)(vib|esxi|vmware|vsphere)`)
        )
      )
    ) or
    (
      // Pattern 2: VIB package file creation on disk
      $e1.metadata.event_type = "FILE_CREATION"
      $e1.metadata.vendor_name = "Microsoft"
      $e1.principal.hostname = $host
      re.regex($e1.target.file.full_path, `(?i)\.(vib|vgz)$`)
    )

  condition:
    $e1
}

high severity medium confidence

Data Sources

Chronicle UDM (Windows Endpoint) Google Security Operations Sensor Sysmon via Chronicle Forwarder

Required Tables

UDM PROCESS_LAUNCH events UDM FILE_CREATION events

False Positives

Authorized VMware administrators using esxcli or PowerCLI interactively from jump hosts to manage ESXi cluster upgrades and patches
Automated configuration management pipelines (Puppet, Chef, Ansible Tower) using PowerCLI modules to enforce ESXi baseline compliance
VMware Professional Services or TAM-assisted deployments that install partner VIBs for monitoring, storage multipathing, or network virtualization

CrowdStrike LogScale (CQL)

cql

// Part 1: Detect esxcli, PowerCLI binary execution or VIB-related command lines
#event_simpleName = ProcessRollup2
| FileName = /(?i)(esxcli|esxcfg-dumppart|powercli|vmwarecli)\.exe/
  OR CommandLine = /(?i)(software\s+vib\s+install|--vibs|esxcli\s+software)/
  OR (
    FileName = /(?i)(powershell|pwsh)\.exe/
    AND CommandLine = /(?i)(Install-EsxSoftwarePackage|Add-EsxSoftwareDepot|Get-EsxSoftwarePackage|esxcli\.software\.vib|esxupdate)/
    AND CommandLine = /(?i)(vib|esxi|vmware|vsphere)/
  )
| eval DetectionType = case(
    FileName matches /(?i)(esxcli|esxcfg-dumppart|powercli|vmwarecli)\.exe/,
      "VIB_CLI_Execution",
    CommandLine matches /(?i)(software\s+vib\s+install|--vibs|esxcli\s+software)/,
      "VIB_Install_Command",
    FileName matches /(?i)(powershell|pwsh)\.exe/ AND CommandLine matches /(?i)(Install-EsxSoftwarePackage|Add-EsxSoftwareDepot|esxcli\.software\.vib)/,
      "VIB_PowerCLI_Cmdlet",
    true(), "VIB_Generic_Match"
  )
| table([@timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, DetectionType])
| sort(field=@timestamp, order=desc)

// Part 2: Detect .vib or .vgz file writes
// #event_simpleName = PeFileWritten OR #event_simpleName = NewExecutableWritten
// | TargetFileName = /(?i)\.(vib|vgz)$/
// | "VIB_File_Drop" as DetectionType
// | table([@timestamp, ComputerName, UserName, TargetFileName, FileName, CommandLine, DetectionType])

// Combined groupBy for summary view:
// groupBy([ComputerName, DetectionType], function=[count(as=EventCount), collect([UserName, FileName, CommandLine])])
// | sort(field=EventCount, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Sensor (Windows) Falcon Data Replicator Falcon Event Stream

Required Tables

ProcessRollup2 PeFileWritten NewExecutableWritten

False Positives

vCenter Server Appliance (VCSA) internal processes and vSphere Update Manager (VUM) baseline scans generating esxcli process telemetry on Windows vCenter clients
PowerCLI-based automation used by cloud management platforms (Tanzu, vRealize Automation) for routine ESXi lifecycle operations such as cluster expansion
Incident response or forensic tools such as VMware Live Recovery or third-party IR platforms that enumerate or extract VIB inventory from ESXi hosts during investigations

Last updated: 2026-04-20 Research depth: deep

References (4)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1505.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1505Server Software Component

Related Sub-techniques

T1505.001SQL Stored Procedures T1505.002Transport Agent T1505.003Web Shell T1505.004IIS Components T1505.005Terminal Services DLL

vSphere Installation Bundles

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections