T1505.006 Google Chronicle · YARA-L

Detect vSphere Installation Bundles in Google Chronicle

Adversaries abuse VMware vSphere Installation Bundles (VIBs) to achieve persistent access on ESXi hypervisors. VIBs are software packages that persist across reboots because they are incorporated into the ESXi boot image. Malicious VIBs can deploy backdoors, custom firewall rules, and startup scripts. UNC3886 used malicious VIBs to install the VIRTUALPIE backdoor on ESXi. VIBs can be installed with the --force flag to bypass acceptance-level requirements, and adversaries masquerade them as PartnerSupported by modifying the XML descriptor. Detection on ESXi itself is challenging because of its limited logging, which is why this rule watches the Windows management hosts from which VIBs are pushed.

MITRE ATT&CK

Tactic
Persistence
Technique
T1505 Server Software Component
Sub-technique
T1505.006 vSphere Installation Bundles
Canonical reference
https://attack.mitre.org/techniques/T1505/006/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule T1505_006_vSphere_VIB_Installation {
  meta:
    author = "df00tech"
    description = "Detects vSphere Installation Bundle (VIB) installation from Windows management hosts targeting ESXi hypervisors. Covers esxcli/PowerCLI CLI execution, PowerShell-based VIB management, and VIB package file creation."
    reference = "https://attack.mitre.org/techniques/T1505/006/"
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1505.006"
    created = "2026-04-20"

  events:
    (
      // Pattern 1: esxcli or PowerCLI binary execution
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      $e1.metadata.vendor_name = "Microsoft"
      $e1.principal.hostname = $host
      (
        re.regex($e1.target.process.file.full_path, `(?i)(esxcli|esxcfg-dumppart|powercli|vmwarecli)\.exe$`) or
        re.regex($e1.target.process.command_line, `(?i)(software\s+vib\s+install|--vibs|esxcli\s+software)`) or
        (
          re.regex($e1.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
          re.regex($e1.target.process.command_line, `(?i)(Install-EsxSoftwarePackage|Add-EsxSoftwareDepot|Get-EsxSoftwarePackage|esxcli\.software\.vib|esxupdate)`) and
          re.regex($e1.target.process.command_line, `(?i)(vib|esxi|vmware|vsphere)`)
        )
      )
    ) or
    (
      // Pattern 2: VIB package file creation on disk
      $e1.metadata.event_type = "FILE_CREATION"
      $e1.metadata.vendor_name = "Microsoft"
      $e1.principal.hostname = $host
      re.regex($e1.target.file.full_path, `(?i)\.(vib|vgz)$`)
    )

  condition:
    $e1
}
Severity
High
Confidence
Medium

Chronicle YARA-L 2.0 rule detecting vSphere VIB installation from Windows management hosts. Matches on process launch events for esxcli/PowerCLI binaries, PowerShell invocations of VMware VIB management cmdlets (Install-EsxSoftwarePackage, Add-EsxSoftwareDepot), and file creation events for .vib/.vgz package files. Requires UDM-normalized endpoint telemetry from Windows agents.
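The rule's predicates can be exercised offline before deployment. The following Python script is an added example, not part of the original page or the df00tech rule: it copies the six regular expressions from the rule verbatim, evaluates them with the same AND/OR structure against a small set of constructed events, and reports which pattern fired. The UdmEvent class is a stand-in for the handful of UDM fields the rule reads, not the Chronicle UDM schema, and Python's re.search is used to approximate YARA-L's substring-matching re.regex(). All hostnames, paths and command lines are invented.

```python
import re
from dataclasses import dataclass

# The six regular expressions are copied verbatim from the YARA-L rule above;
# Python's re engine accepts them unchanged (including the (?i) flag). re.search
# approximates YARA-L's re.regex(), which matches anywhere in the string, so the
# trailing $ anchors in the path patterns still apply.
BIN_RE = re.compile(r"(?i)(esxcli|esxcfg-dumppart|powercli|vmwarecli)\.exe$")
CLI_RE = re.compile(r"(?i)(software\s+vib\s+install|--vibs|esxcli\s+software)")
PS_BIN_RE = re.compile(r"(?i)(powershell|pwsh)\.exe$")
PS_CMDLET_RE = re.compile(
    r"(?i)(Install-EsxSoftwarePackage|Add-EsxSoftwareDepot|Get-EsxSoftwarePackage|esxcli\.software\.vib|esxupdate)"
)
PS_CONTEXT_RE = re.compile(r"(?i)(vib|esxi|vmware|vsphere)")
VIB_FILE_RE = re.compile(r"(?i)\.(vib|vgz)$")


@dataclass
class UdmEvent:
    """Constructed stand-in for the UDM fields the rule reads (not the Chronicle schema)."""
    event_type: str          # metadata.event_type
    vendor_name: str         # metadata.vendor_name
    hostname: str            # principal.hostname
    process_path: str = ""   # target.process.file.full_path
    command_line: str = ""   # target.process.command_line
    file_path: str = ""      # target.file.full_path


def matched_pattern(ev: UdmEvent):
    """Return the name of the rule pattern that fires for ev, or None.

    Mirrors the rule: both patterns require vendor_name == "Microsoft";
    pattern 1 covers process launches, pattern 2 covers .vib/.vgz file creation.
    """
    if ev.vendor_name != "Microsoft":
        return None
    if ev.event_type == "PROCESS_LAUNCH":
        if BIN_RE.search(ev.process_path) or CLI_RE.search(ev.command_line):
            return "pattern1_cli"
        # PowerShell branch: the cmdlet name alone is not enough; the command
        # line must also mention vib/esxi/vmware/vsphere somewhere.
        if (PS_BIN_RE.search(ev.process_path)
                and PS_CMDLET_RE.search(ev.command_line)
                and PS_CONTEXT_RE.search(ev.command_line)):
            return "pattern1_powershell"
        return None
    if ev.event_type == "FILE_CREATION" and VIB_FILE_RE.search(ev.file_path):
        return "pattern2_vib_file"
    return None


def triage(events):
    """Evaluate a batch of events and return (hostname, pattern) for each hit."""
    hits = []
    for ev in events:
        pattern = matched_pattern(ev)
        if pattern:
            hits.append((ev.hostname, pattern))
    return hits


# Constructed sample events (hostnames, paths and command lines are invented).
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # esxcli from a jump host with --force: binary name and command line both fire
    UdmEvent("PROCESS_LAUNCH", "Microsoft", "jump01",
             r"C:\Program Files\VMware\esxcli\esxcli.exe",
             "esxcli.exe -s esx01 software vib install -v C:\\pkg\\helper.vib --force"),
    # PowerCLI cmdlet; "ESXi" in the image profile name satisfies the context regex
    UdmEvent("PROCESS_LAUNCH", "Microsoft", "jump01", PS_PATH,
             "powershell.exe -c Install-EsxSoftwarePackage -ImageProfile ESXi-7.0U3-standard -SoftwarePackage helper"),
    # Ordinary PowerShell use on a workstation: no cmdlet, no match
    UdmEvent("PROCESS_LAUNCH", "Microsoft", "ws07", PS_PATH,
             "powershell.exe -c Get-ChildItem C:\\Users"),
    # VIB package written to disk
    UdmEvent("FILE_CREATION", "Microsoft", "jump01", file_path=r"C:\Users\admin\Downloads\helper.vib"),
    # Unrelated file
    UdmEvent("FILE_CREATION", "Microsoft", "ws07", file_path=r"C:\Users\bob\report.pdf"),
    # Same esxcli command, but telemetry from a non-Microsoft vendor is dropped by the rule
    UdmEvent("PROCESS_LAUNCH", "CrowdStrike", "jump01",
             r"C:\Tools\esxcli.exe", "esxcli.exe software vib list"),
]

if __name__ == "__main__":
    for host, pattern in triage(SAMPLE_EVENTS):
        print(f"{host}: {pattern}")
```

Two things the dry run makes visible: the vendor_name gate means the rule only sees events normalized with vendor "Microsoft" (Sysmon or the Windows agent), so the same esxcli launch reported by another EDR's parser is silent; and the PowerShell branch needs one of vib/esxi/vmware/vsphere in the command line, so a cmdlet invocation whose arguments mention none of them does not alert.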

Data Sources

  • Chronicle UDM (Windows Endpoint)
  • Google Security Operations Sensor
  • Sysmon via Chronicle Forwarder

Required Tables

  • UDM PROCESS_LAUNCH events
  • UDM FILE_CREATION events

False Positives & Tuning

  • Authorized VMware administrators using esxcli or PowerCLI interactively from jump hosts to manage ESXi cluster upgrades and patches
  • Automated configuration management pipelines (Puppet, Chef, Ansible Tower) using PowerCLI modules to enforce ESXi baseline compliance
  • VMware Professional Services or TAM-assisted deployments that install partner VIBs for monitoring, storage multipathing, or network virtualization
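When an alert from this rule fires, the natural follow-up is to ask the targeted ESXi host what is actually installed and to separate expected partner VIBs (the tuning cases above) from packages that should not be there, such as a VIB whose acceptance level does not fit its claimed vendor (the PartnerSupported masquerade described at the top of the page). The script below is an added example, not from the original page: it parses the tabular output of esxcli software vib list and flags rows against a per-vendor acceptance-level allowlist and a patch baseline date. The column layout is assumed from ESXi 7.x output (ESXi 8 appends a Platforms column, which the parser ignores), the allowlist and baseline are an assumed local policy, and the sample output, package names and dates are constructed.

```python
import re
from datetime import date

# Constructed sample in the layout of `esxcli software vib list` on an ESXi 7.x
# host (column set assumed; ESXi 8 appends a Platforms column that the parser
# ignores). Package names and dates are invented; "vmw-storage-helper" and
# "net-util-tools" stand in for questionable VIBs.
SAMPLE_VIB_LIST = """\
Name                Version                          Vendor  Acceptance Level    Install Date
------------------  -------------------------------  ------  ------------------  ------------
esx-base            7.0.3-0.65.20328353              VMW     VMwareCertified     2023-02-10
nvme-pcie           1.2.3.16-1vmw.703.0.20.19193900  VMW     VMwareCertified     2023-02-10
hpe-smx-provider    650.03.16.00.3-7.0.0             HPE     PartnerSupported    2023-02-10
vmw-storage-helper  1.0.0-1                          VMW     PartnerSupported    2024-06-03
net-util-tools      0.9.1-2                          ACME    CommunitySupported  2024-06-03
"""

# Assumed local policy: which acceptance levels each known vendor is expected to
# ship with, and the date of the last approved patch window.
EXPECTED_LEVELS = {
    "VMW": {"VMwareCertified", "VMwareAccepted"},
    "VMware": {"VMwareCertified", "VMwareAccepted"},
    "HPE": {"VMwareCertified", "PartnerSupported"},
}
BASELINE = date(2023, 3, 1)


def parse_vib_list(text):
    """Parse esxcli's fixed-width table into dicts.

    Columns are separated by at least two spaces and no value contains a double
    space, so splitting on runs of 2+ spaces is layout-independent. Only the
    first five fields are used so extra trailing columns are tolerated.
    """
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("Name"):
        raise ValueError("unexpected header line")
    rows = []
    for ln in lines[1:]:
        if set(ln) <= {"-", " "}:
            continue  # dashed underline row
        fields = re.split(r"\s{2,}", ln.strip())
        if len(fields) < 5:
            raise ValueError(f"short row: {ln!r}")
        name, version, vendor, acceptance, install = fields[:5]
        rows.append({
            "name": name,
            "version": version,
            "vendor": vendor,
            "acceptance": acceptance,
            "install_date": date.fromisoformat(install),
        })
    return rows


def triage_vibs(rows, expected_levels, baseline):
    """Return (name, [reasons]) for every VIB that deserves a closer look."""
    findings = []
    for r in rows:
        reasons = []
        expected = expected_levels.get(r["vendor"])
        if expected is None:
            reasons.append(f"vendor {r['vendor']} not in allowlist")
        elif r["acceptance"] not in expected:
            reasons.append(f"acceptance level {r['acceptance']} unexpected for vendor {r['vendor']}")
        if r["acceptance"] == "CommunitySupported":
            reasons.append("CommunitySupported VIB (requires --force or lowered host acceptance level)")
        if r["install_date"] > baseline:
            reasons.append(f"installed after baseline {baseline.isoformat()}")
        if reasons:
            findings.append((r["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_vibs(parse_vib_list(SAMPLE_VIB_LIST), EXPECTED_LEVELS, BASELINE):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The vendor/acceptance-level cross-check is the useful part: a package claiming VMware's own vendor string but carrying a PartnerSupported level is exactly the inconsistency the descriptor-editing trick produces, and it is visible in the list output even when the host has almost no other logging.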
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: List Installed VIBs on ESXi Host

    Expected signal: ESXi shell audit log: esxcli command execution. If ESXi syslog is forwarded: syslog entry for esxcli invocation.

  2. Test 2: Check ESXi VIB Acceptance Level

    Expected signal: ESXi shell audit log for esxcli execution.

  3. Test 3: Simulate VIB Install CLI Command on Windows Management Host

    Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'vib install' and '--force'.
