Which SIEM platforms have a T1675 detection rule?

df00tech provides T1675 (ESXi Administration Command) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect ESXi Administration Command (T1675)?

Detecting ESXi Administration Command requires the following data sources: Microsoft Defender for Endpoint.

What severity and confidence is the T1675 detection?

The T1675 detection is rated high severity with high confidence.

What are common false positives for T1675?

Common false positives for T1675 include: VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe; Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management; VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks.

T1675: ESXi Administration Command — Detection (KQL, SPL, Sigma + 5 SIEMs)

Microsoft Sentinel / Defender

kusto

// Primary detection: Suspicious child processes spawned by VMware Tools Daemon on guest VMs
let suspiciousProcesses = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "net.exe", "net1.exe", "whoami.exe", "ipconfig.exe", "nltest.exe", "ping.exe", "tasklist.exe", "netstat.exe", "schtasks.exe", "at.exe", "sc.exe", "reg.exe", "curl.exe", "wget.exe"]);
let benignChildren = dynamic(["vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe", "VGAuthService.exe", "TPAutoConnect.exe", "vmacthlp.exe", "conhost.exe", "vmwarehostopen.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where InitiatingProcessFileName =~ "vmtoolsd.exe"
| where FileName !in~ (benignChildren)
| extend IsHighRisk = iff(FileName in~ (suspiciousProcesses), true, false)
| extend CommandLineLen = strlen(ProcessCommandLine)
| project
    TimeGenerated,
    DeviceName,
    AccountName,
    AccountDomain,
    FileName,
    ProcessCommandLine,
    ProcessId,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessParentFileName,
    InitiatingProcessParentId,
    IsHighRisk,
    FolderPath
| order by IsHighRisk desc, TimeGenerated desc

Detects suspicious processes spawned by vmtoolsd.exe (VMware Tools Daemon) on guest virtual machines. When an ESXi host is compromised and an attacker uses the vSphere Guest Operations API (StartProgramInGuest), the executed process appears as a child of vmtoolsd.exe on the guest OS. This query identifies non-standard child processes of vmtoolsd.exe, prioritizing high-risk executables like cmd.exe, PowerShell, and living-off-the-land binaries that indicate attacker-controlled execution via ESXi administration channels.

high severity high confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks
Monitoring agents deployed via VMware Tools integration that spawn diagnostic collection processes under vmtoolsd.exe
VMware Horizon View or App Volumes agents performing session management operations through the tools daemon

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval is_sysmon=if(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", 1, 0)
| eval is_security=if(sourcetype="WinEventLog:Security", 1, 0)
| search (EventCode=1 AND is_sysmon=1) OR (EventCode=4688 AND is_security=1)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine, CommandLine)
| where match(lower(ParentImage), "vmtoolsd\.exe$")
| eval ChildProcess=mvindex(split(Image, "\\"), -1)
| eval IsHighRisk=if(match(lower(ChildProcess), "^(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|net\.exe|net1\.exe|whoami\.exe|nltest\.exe|schtasks\.exe|reg\.exe|curl\.exe|wget\.exe)$"), "HIGH", "MEDIUM")
| eval Hostname=coalesce(Computer, host)
| table _time, Hostname, User, ParentImage, Image, ChildProcess, CommandLine, IsHighRisk, EventCode
| sort - IsHighRisk, - _time

Detects Sysmon Event Code 1 (Process Create) and Windows Security Event 4688 (Process Creation) where the parent process is vmtoolsd.exe on Windows guest VMs. Child process creation under vmtoolsd.exe is the primary artifact of ESXi Guest Operations API abuse (StartProgramInGuest), as the spawned process inherits vmtoolsd.exe as its parent. Events are tagged HIGH risk when the child is a known attacker-favored LOLBin.

high severity high confidence

Data Sources

Sysmon Windows Security Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate VMware Tools update processes spawning installer executables under vmtoolsd.exe
Enterprise configuration management platforms using VMware Guest Operations APIs for automated software deployment across virtual infrastructure
VMware vRealize Operations or vCenter Server scheduled tasks executing maintenance scripts via Guest Operations
Third-party backup agents integrated with VMware Tools that launch snapshot coordination processes
VMware Horizon agent components performing session management and profile loading operations

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1675*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

Elastic EQL detection for ESXi Administration Command (T1675). Identifies esxi administration command activity by correlating endpoint telemetry patterns consistent with known adversary techniques.

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

IBM QRadar AQL detection for ESXi Administration Command (T1675). Queries QRadar event pipeline for indicators consistent with esxi administration command adversary techniques using MITRE ATT&CK-aligned event categorization.

high severity high confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

Sumo Logic detection for ESXi Administration Command (T1675). Identifies adversary esxi administration command behaviors using Sumo Logic's search pipeline with field extraction and anomaly classification.

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks

Google Chronicle / SecOps

yaral

rule detection_t1675 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects ESXi Administration Command - T1675"
    severity = "HIGH"
    mitre_attack = "T1675"
    reference = "https://attack.mitre.org/techniques/T1675/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

Google Chronicle YARA-L 2.0 rule for detecting ESXi Administration Command (T1675). Uses Chronicle UDM event model to identify esxi administration command behaviors across endpoint and cloud telemetry.

high severity high confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

CrowdStrike LogScale CQL detection for ESXi Administration Command (T1675). Queries Falcon telemetry for esxi administration command behavioral indicators aligned with MITRE ATT&CK T1675.

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks

ESXi Administration Command

What is T1675 ESXi Administration Command?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1675

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Execution

Popular Detections

What is T1675 ESXi Administration Command?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1675

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Related Techniques

Same Tactic: Execution

Popular Detections

Get new detections in your inbox