T1675 Google Chronicle · YARA-L

Detect ESXi Administration Command in Google Chronicle

This detection identifies adversaries abusing ESXi administration services — particularly the VMware Tools Daemon (vmtoolsd.exe on Windows, vmtoolsd on Linux, vmware-tools-daemon on macOS) — to execute commands on guest virtual machines from a compromised ESXi hypervisor. Attackers, including UNC3886 using VIRTUALPITA malware, leverage the vSphere Web Services SDK and Guest Operations APIs (StartProgramInGuest, ListProcessesInGuest, InitiateFileTransferFromGuest) to run arbitrary code on hosted VMs without traditional lateral movement vectors. Detection focuses on anomalous child process spawning from vmtoolsd.exe on guest OSes, unusual file transfer activity through VMware guest operations channels, and suspicious vSphere API authentication events from unexpected source IPs.

MITRE ATT&CK

Tactic
Execution
Technique
T1675 ESXi Administration Command
Canonical reference
https://attack.mitre.org/techniques/T1675/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule detection_t1675 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects ESXi Administration Command - T1675"
    severity = "HIGH"
    mitre_attack = "T1675"
    reference = "https://attack.mitre.org/techniques/T1675/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.hostname = $hostname
    $e.target.process.file.full_path = $process_path
    $e.target.process.command_line = $cmdline
    (
      re.regex($e.target.process.file.full_path, `(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$`) and
      (
        re.regex($e.target.process.command_line, `(?i)-enc(odedcommand)?`) or
        re.regex($e.target.process.command_line, `(?i)-bypass`) or
        re.regex($e.target.process.command_line, `(?i)(invoke-expression|iex\s)`) or
        re.regex($e.target.process.command_line, `(?i)http://`)
      )
    )
    not re.regex($e.principal.process.file.full_path, `(?i)(trustedinstaller|msiexec|svchost)`)

  condition:
    $e
}
high severity high confidence

Google Chronicle YARA-L 2.0 rule for detecting ESXi Administration Command (T1675). Uses Chronicle UDM event model to identify esxi administration command behaviors across endpoint and cloud telemetry.

Data Sources

Windows EDRCrowdStrike FalconCarbon Black

Required Tables

PROCESS_LAUNCH

False Positives & Tuning

  • VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
  • Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
  • VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks
Download portable Sigma rule (.yml)

Other platforms for T1675

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Execute Command on Guest VM via vSphere Guest Operations API (PowerCLI)

    Expected signal: On the guest Windows VM: Sysmon Event ID 1 with ParentImage=vmtoolsd.exe and Image=cmd.exe; Windows Security Event 4688 with ParentProcessName vmtoolsd.exe; vmware-vmsvc log entry recording StartProgramInGuest invocation

  2. Test 2Simulate vmtoolsd.exe Child Process Execution (Local Process Spawn)

    Expected signal: Sysmon Event ID 1 showing ParentProcessId matching vmtoolsd.exe PID; Windows Security EventID 4688

  3. Test 3ESXi Guest File Transfer Simulation via InitiateFileTransferToGuest (Python SDK)

    Expected signal: Sysmon Event ID 11 (FileCreate) with Image=vmtoolsd.exe creating C:\Temp\t1675_test.txt; Sysmon Event ID 1 with ParentImage=vmtoolsd.exe spawning cmd.exe; ESXi hostd.log entries for InitiateFileTransferToGuest and StartProgramInGuest

Last updated: 2026-03-20 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1675 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1059Command and Scripting InterpreterT1003OS Credential DumpingT1083File and Directory DiscoveryT1005Data from Local SystemT1021Remote ServicesT1068Exploitation for Privilege EscalationT1053.007Container Orchestration Job

Same Tactic: Execution

Popular Detections