T1505.006 IBM QRadar · QRadar

Detect vSphere Installation Bundles in IBM QRadar

Adversaries abuse VMware vSphere Installation Bundles (VIBs) to maintain persistent access on ESXi hypervisors. A VIB is the ESXi package format; once installed it is incorporated into the boot image, so its contents survive reboots. Malicious VIBs have been used to deploy backdoors, custom firewall rules and startup scripts, and UNC3886 used them to install the VIRTUALPIE backdoor on ESXi hosts. Every VIB carries an acceptance level (VMwareCertified, VMwareAccepted, PartnerSupported or CommunitySupported) in its XML descriptor, and the host refuses packages below its configured level unless the operator passes the --force flag; adversaries have edited the descriptor to claim PartnerSupported so the package looks trustworthy in the host inventory. Detection on ESXi is hard because native logging is limited, which is why forwarding ESXi syslog and watching the management hosts that drive esxcli and PowerCLI both matter.

MITRE ATT&CK

Tactic
Persistence
Technique
T1505 Server Software Component
Sub-technique
T1505.006 vSphere Installation Bundles
Canonical reference
https://attack.mitre.org/techniques/T1505/006/

QRadar Detection Query

IBM QRadar (QRadar), AQL
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  LOGSOURCENAME(logsourceid) AS log_source,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  "Process Name" AS process_name,
  "Command" AS command_line,
  "File Path" AS file_path,
  CASE
    WHEN ("Process Name" ILIKE '%esxcli%' OR "Process Name" ILIKE '%powercli%' OR "Process Name" ILIKE '%vmwarecli%')
      OR ("Command" ILIKE '%software vib install%' OR "Command" ILIKE '%--viburl%'
          OR "Command" ILIKE '%--no-sig-check%' OR "Command" ILIKE '%esxcli software%')
      THEN 'VIB_CLI_Install_Command'
    WHEN ("Process Name" ILIKE '%powershell%' OR "Process Name" ILIKE '%pwsh%')
      AND ("Command" ILIKE '%Install-EsxSoftwarePackage%' OR "Command" ILIKE '%Add-EsxSoftwareDepot%'
           OR "Command" ILIKE '%esxcli.software.vib%' OR "Command" ILIKE '%esxupdate%')
      AND ("Command" ILIKE '%vib%' OR "Command" ILIKE '%esxi%' OR "Command" ILIKE '%vsphere%')
      THEN 'VIB_PowerCLI_Management'
    WHEN ("File Path" ILIKE '%.vib' OR "File Path" ILIKE '%.vgz')
      THEN 'VIB_File_Drop'
    WHEN UTF8(payload) ILIKE '%software vib install%'
      OR UTF8(payload) ILIKE '%esxcli%vib%install%'
      OR UTF8(payload) ILIKE '%-force%vib%'
      THEN 'ESXi_VIB_Install_Syslog'
    ELSE NULL
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon', 'Linux OS', 'VMware ESXi')
  AND starttime > NOW() - 86400000
  AND (
    "Process Name" ILIKE '%esxcli%'
    OR "Process Name" ILIKE '%powercli%'
    OR "Process Name" ILIKE '%vmwarecli%'
    OR "Command" ILIKE '%software vib install%'
    OR "Command" ILIKE '%--viburl%'
    OR "Command" ILIKE '%--no-sig-check%'
    OR "Command" ILIKE '%esxcli software%'
    OR (
      ("Process Name" ILIKE '%powershell%' OR "Process Name" ILIKE '%pwsh%')
      AND (
        "Command" ILIKE '%Install-EsxSoftwarePackage%'
        OR "Command" ILIKE '%Add-EsxSoftwareDepot%'
        OR "Command" ILIKE '%esxcli.software.vib%'
        OR "Command" ILIKE '%esxupdate%'
      )
    )
    OR "File Path" ILIKE '%.vib'
    OR "File Path" ILIKE '%.vgz'
    OR UTF8(payload) ILIKE '%software vib install%'
    OR UTF8(payload) ILIKE '%esxcli%vib%install%'
    OR UTF8(payload) ILIKE '%-force%vib%'
  )
ORDER BY devicetime DESC
Severity: high · Confidence: medium

This AQL query flags VIB installation attempts from three vantage points: process events on Windows management hosts (esxcli/vCLI, PowerCLI, and PowerShell invoking VMware cmdlets), file creation events for .vib and .vgz packages, and ESXi syslog lines (for example shell.log, which records the literal esxcli command) that contain VIB install commands. "Process Name", "Command" and "File Path" are custom event properties; they must exist and be populated for your Windows, Sysmon and Linux DSMs for the first three branches to match, and the ESXi branch only sees what you actually forward to QRadar. The CASE expression returns the first branch that matches, so each event receives a single detection_type. The --viburl and --no-sig-check switches are real esxcli software vib install options; --no-sig-check together with --force is the combination needed to install an unsigned or masqueraded package.
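The classification logic of the query, rewritten as a small Python script so it can be exercised offline against constructed events. This is an added example, not code from the page or from IBM; the event dictionaries, field names, file paths and command lines are this script's own assumptions about what the custom properties and the ESXi payload would contain. It adds one thing the query does not have: a priority tier that marks events carrying --force or --no-sig-check (or the PowerCLI V2 equivalent force=$true), the switches that bypass the acceptance-level and signature checks.

```python
import re
from typing import Optional

# Constructed sample events (not real telemetry), flattened into the fields the
# AQL query reads: the "Process Name", "Command" and "File Path" custom event
# properties for Windows/Sysmon sources and the raw syslog payload for the
# VMware ESXi log source. Field names, paths and hostnames are this script's own.
SAMPLE_EVENTS = [
    {   # Sysmon Event ID 1: vCLI esxcli.exe run from a Windows management host
        "source": "Sysmon",
        "process": r"C:\Program Files (x86)\VMware\VMware vSphere CLI\bin\esxcli.exe",
        "command": "esxcli.exe --server esx01 --username root software vib install "
                   "--viburl http://files.example/tools.vib --no-sig-check --force",
        "path": "", "payload": "",
    },
    {   # Sysmon Event ID 1: PowerCLI via pwsh using the Get-EsxCli V2 interface
        "source": "Sysmon",
        "process": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "command": "pwsh.exe -c \"Add-EsxSoftwareDepot .\\depot.zip; "
                   "$e = Get-EsxCli -VMHost esx01 -V2; "
                   "$e.software.vib.install.Invoke(@{depot='.\\depot.zip'; force=$true})\"",
        "path": "", "payload": "",
    },
    {   # Sysmon Event ID 11: a .vib package written to disk
        "source": "Sysmon",
        "process": r"C:\Windows\explorer.exe", "command": "",
        "path": r"C:\Users\admin\Downloads\tools.vib", "payload": "",
    },
    {   # ESXi shell.log forwarded over syslog: install run from the ESXi shell
        "source": "VMware ESXi", "process": "", "command": "", "path": "",
        "payload": "2024-01-09T10:22:01Z shell[2099538]: [root]: "
                   "esxcli software vib install -v /tmp/tools.vib --force --no-sig-check",
    },
    {   # ESXi shell.log: inventory only, as in Test 1 of the Testing Methodology
        "source": "VMware ESXi", "process": "", "command": "", "path": "",
        "payload": "2024-01-09T10:25:44Z shell[2099538]: [root]: esxcli software vib list",
    },
]

ESXI_PROCESSES = ("esxcli", "powercli", "vmwarecli")
VIB_CLI_MARKERS = ("software vib install", "--viburl", "--no-sig-check", "esxcli software")
POWERCLI_MARKERS = ("install-esxsoftwarepackage", "add-esxsoftwaredepot",
                    "esxcli.software.vib", "esxupdate")
VIB_CONTEXT = ("vib", "esxi", "vsphere")
VIB_EXTENSIONS = (".vib", ".vgz")
# Switches that bypass the acceptance-level and signature checks, plus the
# PowerCLI V2 form of --force. Used for the priority tier, not for matching.
FORCE_MARKERS = ("-force", "--no-sig-check", "force=$true")


def classify(ev: dict) -> Optional[str]:
    """Mirror the query's CASE expression: first matching branch wins, else None."""
    proc, cmd = ev["process"].lower(), ev["command"].lower()
    path, payload = ev["path"].lower(), ev["payload"].lower()
    if any(p in proc for p in ESXI_PROCESSES) or any(m in cmd for m in VIB_CLI_MARKERS):
        return "VIB_CLI_Install_Command"
    if (("powershell" in proc or "pwsh" in proc)
            and any(m in cmd for m in POWERCLI_MARKERS)
            and any(k in cmd for k in VIB_CONTEXT)):
        return "VIB_PowerCLI_Management"
    if path.endswith(VIB_EXTENSIONS):
        return "VIB_File_Drop"
    # '%esxcli%vib%install%' and '%-force%vib%' are multi-wildcard LIKEs: regex here
    if ("software vib install" in payload
            or re.search(r"esxcli.*vib.*install", payload)
            or re.search(r"-force.*vib", payload)):
        return "ESXi_VIB_Install_Syslog"
    return None


def priority(ev: dict) -> str:
    """'high' when the command bypasses acceptance/signature checks, else 'medium'."""
    text = f"{ev['command']} {ev['payload']}".lower()
    return "high" if any(m in text for m in FORCE_MARKERS) else "medium"


def run(events: list) -> list:
    """Return (source, detection_type, priority) for every event that matches."""
    hits = []
    for ev in events:
        dtype = classify(ev)
        if dtype is not None:
            hits.append((ev["source"], dtype, priority(ev)))
    return hits


if __name__ == "__main__":
    for source, dtype, prio in run(SAMPLE_EVENTS):
        print(f"{source:12} {dtype:26} {prio}")
```

Four of the five constructed events match, three of them at high priority; the `esxcli software vib list` line from the ESXi shell matches no branch, because the payload branch keys on install verbs, whereas the same inventory command run as an esxcli.exe process on a Windows host would match the first branch on process name alone. That asymmetry is worth knowing when you read the expected signals in the Testing Methodology below.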

Data Sources

  • Windows Security Event Log
  • Sysmon (via WinCollect)
  • Linux/ESXi syslog via QRadar DSM
  • VMware ESXi log source

Required Tables

events

False Positives & Tuning

  • vSphere Lifecycle Manager (vLCM), formerly VMware Update Manager, performing scheduled ESXi baseline remediation will trigger the VIB install branches from vCenter Server processes; scope those by the vCenter host and the remediation window
  • Third-party monitoring agents (Tanium, BigFix) querying ESXi VIB inventory via esxcli for compliance reporting without installing anything
  • Developer or lab environments where engineers routinely test custom VIBs as part of ESXi driver or tool development workflows
Testing Methodology

Validate this detection with the three Atomic Red Team style tests below. Each lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: List Installed VIBs on ESXi Host

    Expected signal: ESXi shell audit log: esxcli command execution. If ESXi syslog is forwarded: syslog entry for esxcli invocation.

  2. Test 2: Check ESXi VIB Acceptance Level

    Expected signal: ESXi shell audit log for esxcli execution.

  3. Test 3: Simulate VIB Install CLI Command on Windows Management Host

    Expected signal: Sysmon Event ID 1: powershell.exe with a CommandLine containing 'software vib install' and '--force', which matches the VIB_CLI_Install_Command branch.
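
Tests 1 and 2 produce inventory output rather than an alert, so the useful check is on that output. The script below is an added example, not part of the page or of the Atomic Red Team tests: it parses constructed `esxcli software acceptance get` and `esxcli software vib list` output and flags VIBs below the host's acceptance level (which can only get there through --force), VIBs whose vendor field claims VMware at a non-VMware level (the descriptor-edit masquerade described in the overview; the heuristic is this script's own), and vendors outside a baseline list. The sample output, package names, versions and the vendor allowlist are all constructed for the example.

```python
import re

# Acceptance levels from least to most trusted. The host's configured level is
# the floor for a normal install; anything below it needs --force.
ACCEPTANCE_RANK = {
    "CommunitySupported": 0,
    "PartnerSupported": 1,
    "VMwareAccepted": 2,
    "VMwareCertified": 3,
}

# Vendor strings VMware's own packages use. A VIB claiming one of these at
# PartnerSupported or lower is treated as a masquerade indicator (this script's
# heuristic, not an ESXi check).
VMWARE_VENDORS = {"VMware", "VMW"}

# Baseline of vendors expected on this host: constructed for the example.
KNOWN_VENDORS = {"VMware", "VMW", "DEL", "HPE"}

# Constructed output of `esxcli software acceptance get` (sample, not a real host).
HOST_ACCEPTANCE_OUTPUT = "PartnerSupported\n"

# Constructed output of `esxcli software vib list` in the real command's column
# layout: fields are separated by two or more spaces. Names and versions are made up.
VIB_LIST_OUTPUT = """\
Name               Version                        Vendor  Acceptance Level    Install Date
-----------------  -----------------------------  ------  ------------------  ------------
esx-base           7.0.3-0.0.1                    VMware  VMwareCertified     2023-03-02
net-e1000e         3.2.2.1-2vmw.700.1.0.1         VMW     VMwareCertified     2023-03-02
vmware-esx-kernel  1.0.0-1                        VMware  PartnerSupported    2023-09-18
svc-monitor        1.2.0-3                        ACME    CommunitySupported  2023-09-18
"""


def parse_vib_list(output: str) -> list:
    """Turn esxcli's fixed-width table into one dict per VIB keyed by header name."""
    lines = [line for line in output.splitlines() if line.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[2:]:          # skip the header and the dashed separator
        fields = re.split(r"\s{2,}", line.strip())
        rows.append(dict(zip(header, fields)))
    return rows


def audit(host_output: str, vib_output: str, known_vendors=KNOWN_VENDORS) -> list:
    """Return (vib name, reason) findings for one host's VIB inventory."""
    host_level = host_output.strip()
    host_rank = ACCEPTANCE_RANK[host_level]
    findings = []
    for vib in parse_vib_list(vib_output):
        name, vendor, level = vib["Name"], vib["Vendor"], vib["Acceptance Level"]
        rank = ACCEPTANCE_RANK.get(level, -1)   # an unknown level ranks lowest
        if rank < host_rank:
            findings.append((name, f"{level} is below host level {host_level}: installed with --force"))
        if vendor in VMWARE_VENDORS and rank < ACCEPTANCE_RANK["VMwareAccepted"]:
            findings.append((name, f"vendor {vendor} at {level}: descriptor may be masqueraded"))
        if vendor not in known_vendors:
            findings.append((name, f"vendor {vendor} not in baseline"))
    return findings


if __name__ == "__main__":
    for name, reason in audit(HOST_ACCEPTANCE_OUTPUT, VIB_LIST_OUTPUT):
        print(f"{name}: {reason}")
```

The acceptance level shown by `vib list` comes from the package descriptor, so a PartnerSupported entry is not proof of a valid partner signature; follow a hit with `esxcli software vib signature verify` on the host and reconcile the inventory against the image vLCM expects for that cluster.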
