T1675 ESXi Administration Command Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Primary detection: Suspicious child processes spawned by VMware Tools Daemon on guest VMs
let suspiciousProcesses = dynamic(["cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "wmic.exe", "net.exe", "net1.exe", "whoami.exe", "ipconfig.exe", "nltest.exe", "ping.exe", "tasklist.exe", "netstat.exe", "schtasks.exe", "at.exe", "sc.exe", "reg.exe", "curl.exe", "wget.exe"]);
let benignChildren = dynamic(["vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe", "VGAuthService.exe", "TPAutoConnect.exe", "vmacthlp.exe", "conhost.exe", "vmwarehostopen.exe"]);
DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where InitiatingProcessFileName =~ "vmtoolsd.exe"
| where FileName !in~ (benignChildren)
| extend IsHighRisk = iff(FileName in~ (suspiciousProcesses), true, false)
| extend CommandLineLen = strlen(ProcessCommandLine)
| project
    TimeGenerated,
    DeviceName,
    AccountName,
    AccountDomain,
    FileName,
    ProcessCommandLine,
    ProcessId,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    InitiatingProcessParentFileName,
    InitiatingProcessParentId,
    IsHighRisk,
    FolderPath
| order by IsHighRisk desc, TimeGenerated desc

high severity high confidence

Data Sources

Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks
Monitoring agents deployed via VMware Tools integration that spawn diagnostic collection processes under vmtoolsd.exe
VMware Horizon View or App Volumes agents performing session management operations through the tools daemon

Splunk

spl

index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval is_sysmon=if(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", 1, 0)
| eval is_security=if(sourcetype="WinEventLog:Security", 1, 0)
| search (EventCode=1 AND is_sysmon=1) OR (EventCode=4688 AND is_security=1)
| eval ParentImage=coalesce(ParentImage, ParentProcessName)
| eval Image=coalesce(Image, NewProcessName)
| eval CommandLine=coalesce(CommandLine, ProcessCommandLine, CommandLine)
| where match(lower(ParentImage), "vmtoolsd\.exe$")
| eval ChildProcess=mvindex(split(Image, "\\"), -1)
| eval IsHighRisk=if(match(lower(ChildProcess), "^(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|net\.exe|net1\.exe|whoami\.exe|nltest\.exe|schtasks\.exe|reg\.exe|curl\.exe|wget\.exe)$"), "HIGH", "MEDIUM")
| eval Hostname=coalesce(Computer, host)
| table _time, Hostname, User, ParentImage, Image, ChildProcess, CommandLine, IsHighRisk, EventCode
| sort - IsHighRisk, - _time

high severity high confidence

Data Sources

Sysmon Windows Security Event Log

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Legitimate VMware Tools update processes spawning installer executables under vmtoolsd.exe
Enterprise configuration management platforms using VMware Guest Operations APIs for automated software deployment across virtual infrastructure
VMware vRealize Operations or vCenter Server scheduled tasks executing maintenance scripts via Guest Operations
Third-party backup agents integrated with VMware Tools that launch snapshot coordination processes
VMware Horizon agent components performing session management and profile loading operations

Elastic Security (EQL)

eql

process where event.type == "start" and (
  process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe") or
  process.parent.name in~ ("cmd.exe", "powershell.exe", "wscript.exe")
) and (
  process.command_line : ("*t1675*", "*suspicious*") or
  process.args : ("*encoded*", "*bypass*", "*hidden*")
) and not process.code_signature.trusted == true

high severity high confidence

Data Sources

Elastic Endpoint Security Elastic Agent

Required Tables

logs-endpoint.events.process-* logs-system.security-*

False Positives

VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS

high severity high confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon EventCode=1
| json auto
| where process_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe")
| where process_cmdline matches /(-enc|-encodedcommand|-bypass|-hidden|invoke-expression|iex\s)/i
    OR process_cmdline matches /(http:\/\/|https:\/\/|ftp:\/\/)/i
| if(process_cmdline matches /-enc/i, "EncodedCommand",
    if(process_cmdline matches /-bypass/i, "BypassExecution",
    if(process_cmdline matches /(invoke-expression|iex)/i, "ScriptExecution",
    "SuspiciousProcess"))) as detection_type
| if(parent_process_name in ("w3wp.exe","httpd.exe","nginx.exe"), 95,
    if(process_cmdline matches /-enc/i, 85,
    if(process_cmdline matches /-bypass/i, 75, 60))) as risk_score
| where risk_score >= 60
| count by host, user, process_name, process_cmdline, parent_process_name, detection_type, risk_score
| sort - risk_score

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=windows/sysmon OR _sourceCategory=endpoint/process

False Positives

VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks

Google Chronicle / SecOps

yaral

rule detection_t1675 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects ESXi Administration Command - T1675"
    severity = "HIGH"
    mitre_attack = "T1675"
    reference = "https://attack.mitre.org/techniques/T1675/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}

high severity high confidence

Data Sources

Windows EDR CrowdStrike Falcon Carbon Black

Required Tables

PROCESS_LAUNCH

False Positives

VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "ProcessRollup2"
| ImageFileName = /(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$/
| CommandLine = /(?i)(-enc(odedcommand)?|-bypass|-noprofile|invoke-expression|iex\s|http:\/\/)/
| case {
    CommandLine = /(?i)-enc(odedcommand)?/ | DetectionType := "EncodedCommand" ;
    CommandLine = /(?i)-bypass/ | DetectionType := "BypassExecution" ;
    CommandLine = /(?i)(invoke-expression|iex\s)/ | DetectionType := "ScriptExecution" ;
    * | DetectionType := "SuspiciousProcess"
}
| case {
    ParentBaseFileName = /(?i)(w3wp|httpd|nginx|php-cgi)\.exe/ | RiskScore := "Critical" ;
    CommandLine = /(?i)-enc/ | RiskScore := "High" ;
    * | RiskScore := "Medium"
}
| table([ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, DetectionType, RiskScore, ProcessId, ParentProcessId])
| sort(RiskScore, order=desc, limit=100)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks

ESXi Administration Command

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Execution

Popular Detections