T1505.006 Sumo Logic CSE · Sumo

Detect vSphere Installation Bundles in Sumo Logic CSE

Adversaries abuse VMware vSphere Installation Bundles (VIBs) to achieve persistent access on ESXi hypervisors. VIBs are software packages that are incorporated into the ESXi boot image and therefore survive reboots. Malicious VIBs can deploy backdoors, custom firewall rules, and startup scripts; UNC3886 used malicious VIBs to install the VIRTUALPIE backdoor on ESXi. VIBs can be installed with the --force flag to bypass the host's acceptance-level requirement, and adversaries masquerade their packages as PartnerSupported by editing the XML descriptor. Detection on ESXi itself is challenging because of its limited logging, which is why this rule leans on the Windows management hosts from which VIBs are pushed and on forwarded ESXi syslog.

MITRE ATT&CK

Tactic
Persistence
Technique
T1505 Server Software Component
Sub-technique
T1505.006 vSphere Installation Bundles
Canonical reference
https://attack.mitre.org/techniques/T1505/006/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// Part 1: Windows Sysmon process events — VIB CLI and PowerCLI
(_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon")
| where EventID = 1   // assumes EventID is already a field (JSON auto-parse or a field extraction rule); parse it first if it is not
| parse "<Image><![CDATA[*]]></Image>" as process_image nodrop
| parse "<CommandLine><![CDATA[*]]></CommandLine>" as command_line nodrop
| parse "<User><![CDATA[*]]></User>" as user nodrop
| parse "<Computer>*</Computer>" as host nodrop
| where (
    matches(process_image, "(?i).*(esxcli|esxcfg-dumppart|powercli|vmwarecli)\.exe.*")
    OR matches(command_line, "(?i).*(software\s+vib\s+install|--vibs|esxcli\s+software).*")
    OR (
      matches(process_image, "(?i).*(powershell|pwsh)\.exe.*")
      AND matches(command_line, "(?i).*(Install-EsxSoftwarePackage|Add-EsxSoftwareDepot|Get-EsxSoftwarePackage|esxcli\.software\.vib|esxupdate).*")
      AND matches(command_line, "(?i).*(vib|esxi|vmware|vsphere).*")
    )
  )
| if (matches(process_image, "(?i).*(esxcli|esxcfg-dumppart|powercli|vmwarecli)\.exe.*"), "VIB_CLI_Install_Command",
    if (matches(command_line, "(?i).*(Install-EsxSoftwarePackage|Add-EsxSoftwareDepot|esxcli\.software\.vib).*"), "VIB_PowerCLI_Management", "VIB_Generic")) as detection_type
| fields _messageTime, host, user, process_image, command_line, detection_type

// Part 2: Sysmon file create events for .vib/.vgz drops
// (_sourceCategory="windows/sysmon" OR _sourceCategory="os/windows/sysmon")
// | where EventID = 11
// | parse "<TargetFilename><![CDATA[*]]></TargetFilename>" as target_file nodrop
// | where matches(target_file, "(?i).*\.(vib|vgz)$")
// | "VIB_File_Drop" as detection_type

// Part 3: ESXi/Linux syslog VIB install via shell
// (_sourceCategory="os/linux" OR _sourceCategory="vmware/esxi")
// | where matches(_raw, "(?i).*(software\s+vib\s+install|esxcli.*vib.*install|--force.*vib).*")
// | "ESXi_VIB_Syslog_Install" as detection_type

| count by detection_type, host, user, process_image
| sort by _count desc
high severity medium confidence

Sumo Logic query detecting ESXi VIB installation activity on Windows management hosts via Sysmon process creation events. Identifies esxcli/PowerCLI binary execution and PowerShell commands invoking VMware VIB management cmdlets. Companion queries (commented) extend coverage to Sysmon file creation events for .vib/.vgz drops and direct ESXi syslog forwarding.
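To make the three parts of the query concrete, the following is an added Python re-implementation of its regexes and if() chain, run over constructed Sysmon events and ESXi shell-log lines. This is illustrative code written for this page, not Sumo Logic tooling or the page's own rule; the hostnames, users, paths and log lines are invented, and the events use the simplified CDATA-wrapped shape that the query's parse statements assume, which may differ from how your Windows collector actually serializes events.

```python
import re
from collections import Counter

# Regexes carried over from Part 1/2/3 of the Sumo query above, compiled case-insensitively like "(?i)".
VIB_BINARY_RE = re.compile(r"(esxcli|esxcfg-dumppart|powercli|vmwarecli)\.exe", re.I)
VIB_CMDLINE_RE = re.compile(r"(software\s+vib\s+install|--vibs|esxcli\s+software)", re.I)
SHELL_RE = re.compile(r"(powershell|pwsh)\.exe", re.I)
POWERCLI_RE = re.compile(
    r"(Install-EsxSoftwarePackage|Add-EsxSoftwareDepot|Get-EsxSoftwarePackage|esxcli\.software\.vib|esxupdate)", re.I)
VMWARE_CONTEXT_RE = re.compile(r"(vib|esxi|vmware|vsphere)", re.I)
POWERCLI_TYPE_RE = re.compile(r"(Install-EsxSoftwarePackage|Add-EsxSoftwareDepot|esxcli\.software\.vib)", re.I)
VIB_FILE_RE = re.compile(r"\.(vib|vgz)$", re.I)
SYSLOG_RE = re.compile(r"(software\s+vib\s+install|esxcli.*vib.*install|--force.*vib)", re.I)


def xml_field(event: str, tag: str) -> str:
    """Return <tag>value</tag>, tolerating the <![CDATA[...]]> wrapper the query's parse patterns expect."""
    m = re.search(rf"<{tag}>(?:<!\[CDATA\[)?(.*?)(?:\]\]>)?</{tag}>", event, re.S)
    return m.group(1) if m else ""


def classify_process_event(event: str):
    """Part 1: Sysmon Event ID 1. Returns the detection_type the query's if() chain assigns, or None."""
    if xml_field(event, "EventID") != "1":
        return None
    image, cmd = xml_field(event, "Image"), xml_field(event, "CommandLine")
    powercli_hit = SHELL_RE.search(image) and POWERCLI_RE.search(cmd) and VMWARE_CONTEXT_RE.search(cmd)
    if not (VIB_BINARY_RE.search(image) or VIB_CMDLINE_RE.search(cmd) or powercli_hit):
        return None
    if VIB_BINARY_RE.search(image):
        return "VIB_CLI_Install_Command"     # any esxcli.exe run, even a read-only 'vib list'
    if POWERCLI_TYPE_RE.search(cmd):
        return "VIB_PowerCLI_Management"
    return "VIB_Generic"


def classify_file_event(event: str):
    """Part 2: Sysmon Event ID 11 whose TargetFilename ends in .vib or .vgz."""
    if xml_field(event, "EventID") != "11":
        return None
    return "VIB_File_Drop" if VIB_FILE_RE.search(xml_field(event, "TargetFilename")) else None


def classify_syslog_line(line: str):
    """Part 3: forwarded ESXi shell-log line that looks like a VIB install."""
    return "ESXi_VIB_Syslog_Install" if SYSLOG_RE.search(line) else None


def run_detection(sysmon_events, syslog_lines) -> Counter:
    """Mirror '| count by detection_type, host, user, process_image'; ESXi lines are keyed by hostname only."""
    counts: Counter = Counter()
    for ev in sysmon_events:
        dtype = classify_process_event(ev) or classify_file_event(ev)
        if dtype:
            counts[(dtype, xml_field(ev, "Computer"), xml_field(ev, "User"), xml_field(ev, "Image"))] += 1
    for line in syslog_lines:
        dtype = classify_syslog_line(line)
        if dtype:
            counts[(dtype, line.split()[1], "", "")] += 1
    return counts


def sysmon_event(event_id, computer, user="", image="", cmdline="", target=""):
    """Constructed Sysmon event in the CDATA-wrapped shape the query parses; not real collector output."""
    return (f"<Event><EventID>{event_id}</EventID><Computer>{computer}</Computer>"
            f"<User><![CDATA[{user}]]></User><Image><![CDATA[{image}]]></Image>"
            f"<CommandLine><![CDATA[{cmdline}]]></CommandLine>"
            f"<TargetFilename><![CDATA[{target}]]></TargetFilename></Event>")


SAMPLE_SYSMON = [  # constructed events; hosts, users and paths are invented
    # Test 3 of the testing methodology: esxcli with --force run through powershell.exe on a management host
    sysmon_event(1, "MGMT01", "CORP\\vmadmin", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -Command "esxcli --server esx01 software vib install -v C:\temp\vmtools.vib --force"'),
    # PowerCLI image-builder cmdlet adding a package to an image profile
    sysmon_event(1, "MGMT01", "CORP\\vmadmin", r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh.exe -c Install-EsxSoftwarePackage -ImageProfile ESXi-custom -SoftwarePackage vmware-tools-patch"),
    # legacy vSphere CLI binary: matched on image name alone, although this is only a listing
    sysmon_event(1, "JUMP02", "CORP\\ops", r"C:\Program Files\VMware\VMware vSphere CLI\bin\esxcli.exe",
                 "esxcli.exe --server esx01 software vib list"),
    # benign process whose command line merely contains the substring 'vib': must not match
    sysmon_event(1, "MGMT01", "CORP\\vmadmin", r"C:\Windows\System32\notepad.exe", "notepad.exe vibration-report.txt"),
    # Part 2: a .vib written to disk on the management host
    sysmon_event(11, "MGMT01", "CORP\\vmadmin", r"C:\Windows\explorer.exe", target=r"C:\Users\vmadmin\Downloads\patch.vib"),
]

SAMPLE_SYSLOG = [  # constructed ESXi shell-log lines, forwarded via syslog
    "2024-03-02T01:12:45Z esx01 shell[2099985]: [root]: esxcli software vib install -v /tmp/vmtools.vib --force",
    "2024-03-02T01:13:10Z esx01 shell[2099985]: [root]: esxcli network firewall get",
]

if __name__ == "__main__":
    for key, n in run_detection(SAMPLE_SYSMON, SAMPLE_SYSLOG).most_common():
        print(n, *key)
```

Two things the run makes visible that the query text does not: the Test 3 command (esxcli ... software vib install ... --force launched via powershell.exe) lands in VIB_Generic, because the if() chain only promotes the dotted esxcli.software.vib cmdlet syntax to VIB_PowerCLI_Management; and any execution of esxcli.exe is labelled VIB_CLI_Install_Command even for a read-only vib list, so that label is better read as "VIB CLI activity" during triage.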

Data Sources

  • Sysmon via Sumo Logic Windows Collection
  • Linux syslog
  • VMware ESXi syslog (if forwarded)

Required Tables

  • _sourceCategory=windows/sysmon (the query also accepts os/windows/sysmon)
  • _sourceCategory=os/linux
  • _sourceCategory=vmware/esxi

False Positives & Tuning

  • VMware Lifecycle Manager (vLCM) and vCenter Update Manager executing esxcli commands as part of automated ESXi patching workflows
  • Infrastructure automation tools like Ansible with community.vmware collection using PowerCLI cmdlets for configuration management
  • Security teams conducting authorized red team exercises or VIB-based persistence testing against non-production ESXi environments

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: List Installed VIBs on ESXi Host

    Expected signal: ESXi shell audit log entry for the esxcli command execution; if ESXi syslog is forwarded, a syslog entry for the esxcli invocation. Note that Part 3 of the query matches install patterns only, so a bare 'esxcli software vib list' produces telemetry but no alert from this rule.

  2. Test 2: Check ESXi VIB Acceptance Level

    Expected signal: ESXi shell audit log entry for the esxcli execution. As with Test 1, this is visibility only; the rule does not alert on an acceptance-level query.

  3. Test 3: Simulate VIB Install CLI Command on Windows Management Host

    Expected signal: Sysmon Event ID 1: powershell.exe with a CommandLine containing 'vib install' and '--force'. The query classifies this as VIB_Generic.
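Tests 1 and 2 exercise esxcli software vib list and esxcli software acceptance get but, as noted, produce no alert from this rule. The following is an added hunting check that does use their output; it is example code written for this page, not part of the page's own detection package or of VMware's tooling. It parses constructed esxcli software vib list output (the rows are invented) and compares each VIB's acceptance level against the host setting reported by esxcli software acceptance get and against a vendor allow list the operator supplies. Two of its checks rest on assumptions stated in the comments: the acceptance-level ordering, and the heuristic that VMware-shipped VIBs carry a VMware-signed acceptance level.

```python
import re

# VIB acceptance levels ordered from most to least trusted (VMware's documented ordering).
ACCEPTANCE_RANK = {"VMwareCertified": 3, "VMwareAccepted": 2, "PartnerSupported": 1, "CommunitySupported": 0}

# Vendor strings VMware uses for its own VIBs; other vendors are partners or third parties.
VMWARE_VENDORS = {"VMW", "VMware"}

# Constructed text in the column layout printed by 'esxcli software vib list'; every row is invented.
SAMPLE_VIB_LIST = """\
Name                 Version                          Vendor  Acceptance Level    Install Date
-------------------  -------------------------------  ------  ------------------  ------------
esx-base             8.0.1-0.0.21495797               VMW     VMwareCertified     2023-06-01
nvme-pcie            1.2.3.16-1vmw.801.0.0.21495797   VMW     VMwareCertified     2023-06-01
hpe-ilo              10.7.0-1OEM.800.1.0.20613240     HPE     PartnerSupported    2023-06-01
vmtools-patch        1.0.0-1                          ACME    PartnerSupported    2024-03-02
vmsyslogd-helper     1.0.0-1                          VMW     CommunitySupported  2024-03-02
"""


def parse_vib_list(text: str):
    """Parse the table from 'esxcli software vib list': columns are separated by two or more spaces."""
    rows = []
    for line in text.splitlines()[2:]:          # skip the header and the dashed separator
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 5:
            continue
        name, version, vendor, acceptance, installed = cols[:5]
        rows.append({"name": name, "version": version, "vendor": vendor,
                     "acceptance": acceptance, "installed": installed})
    return rows


def suspicious_vibs(rows, host_acceptance: str, trusted_vendors):
    """Return [(vib_name, [reasons])] for VIBs that deserve a look.

    host_acceptance is the value printed by 'esxcli software acceptance get'.
    trusted_vendors is the operator's allow list of partner vendors expected in this estate.
    """
    host_rank = ACCEPTANCE_RANK[host_acceptance]
    findings = []
    for r in rows:
        reasons = []
        rank = ACCEPTANCE_RANK.get(r["acceptance"], -1)   # unknown level ranks below everything
        # A VIB below the host's acceptance level can only be present via --force
        # or because the host level was lowered after installation.
        if rank < host_rank:
            reasons.append("acceptance level below host setting (needs --force or a lowered host level)")
        # The masquerade case from the description: a PartnerSupported/CommunitySupported
        # package from a vendor nobody in this environment recognises.
        if rank <= ACCEPTANCE_RANK["PartnerSupported"] and r["vendor"] not in trusted_vendors:
            reasons.append("partner/community VIB from a vendor not on the allow list")
        # Heuristic (assumption): VMware-shipped VIBs are VMwareCertified or VMwareAccepted,
        # so a VMW-vendored package at a lower level is a spoofed vendor field until proven otherwise.
        if r["vendor"] in VMWARE_VENDORS and rank < ACCEPTANCE_RANK["VMwareAccepted"]:
            reasons.append("claims a VMware vendor without a VMware-signed acceptance level")
        if reasons:
            findings.append((r["name"], reasons))
    return findings


if __name__ == "__main__":
    rows = parse_vib_list(SAMPLE_VIB_LIST)
    for name, reasons in suspicious_vibs(rows, "PartnerSupported", {"VMW", "VMware", "HPE"}):
        print(name, "->", "; ".join(reasons))
```

Run against the sample, with the host at PartnerSupported and HPE on the allow list, it flags vmtools-patch (unknown vendor claiming PartnerSupported) and vmsyslogd-helper (CommunitySupported on a PartnerSupported host, and a VMW vendor string without a VMware-signed level). The Install Date column is kept on each row so a finding can be lined up against the Sysmon and syslog timestamps from the query above.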
