T1675 IBM QRadar · QRadar

Detect ESXi Administration Command in IBM QRadar

This detection identifies adversaries abusing ESXi administration services — particularly the VMware Tools Daemon (vmtoolsd.exe on Windows, vmtoolsd on Linux, vmware-tools-daemon on macOS) — to execute commands on guest virtual machines from a compromised ESXi hypervisor. Attackers, including UNC3886 using VIRTUALPITA malware, leverage the vSphere Web Services SDK and Guest Operations APIs (StartProgramInGuest, ListProcessesInGuest, InitiateFileTransferFromGuest) to run arbitrary code on hosted VMs without traditional lateral movement vectors. Detection focuses on anomalous child process spawning from vmtoolsd.exe on guest OSes, unusual file transfer activity through VMware guest operations channels, and suspicious vSphere API authentication events from unexpected source IPs.

MITRE ATT&CK

Tactic
Execution
Technique
T1675 ESXi Administration Command
Canonical reference
https://attack.mitre.org/techniques/T1675/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 'EncodedCommand'
        WHEN "CommandLine" ILIKE '%bypass%' THEN 'ExecutionBypass'
        WHEN "CommandLine" ILIKE '%-noprofile%' THEN 'NoProfileExecution'
        ELSE 'SuspiciousProcess'
    END AS DetectionType,
    CASE
        WHEN "username" = 'SYSTEM' THEN 70
        WHEN "CommandLine" ILIKE '%bypass%' THEN 85
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND ("NewProcessName" ILIKE '%powershell.exe%'
        OR "NewProcessName" ILIKE '%cmd.exe%'
        OR "NewProcessName" ILIKE '%wscript.exe%'
        OR "NewProcessName" ILIKE '%cscript.exe%'
        OR "NewProcessName" ILIKE '%mshta.exe%')
    AND RiskScore >= 60
ORDER BY EventTime DESC
LAST 1 HOURS
high severity high confidence

IBM QRadar AQL detection for ESXi Administration Command (T1675). Queries QRadar event pipeline for indicators consistent with esxi administration command adversary techniques using MITRE ATT&CK-aligned event categorization.

Data Sources

IBM QRadar SIEMWindows Security EventsEndpoint Agent

Required Tables

events

False Positives & Tuning

  • VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
  • Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
  • VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks
Download portable Sigma rule (.yml)

Other platforms for T1675

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Execute Command on Guest VM via vSphere Guest Operations API (PowerCLI)

    Expected signal: On the guest Windows VM: Sysmon Event ID 1 with ParentImage=vmtoolsd.exe and Image=cmd.exe; Windows Security Event 4688 with ParentProcessName vmtoolsd.exe; vmware-vmsvc log entry recording StartProgramInGuest invocation

  2. Test 2Simulate vmtoolsd.exe Child Process Execution (Local Process Spawn)

    Expected signal: Sysmon Event ID 1 showing ParentProcessId matching vmtoolsd.exe PID; Windows Security EventID 4688

  3. Test 3ESXi Guest File Transfer Simulation via InitiateFileTransferToGuest (Python SDK)

    Expected signal: Sysmon Event ID 11 (FileCreate) with Image=vmtoolsd.exe creating C:\Temp\t1675_test.txt; Sysmon Event ID 1 with ParentImage=vmtoolsd.exe spawning cmd.exe; ESXi hostd.log entries for InitiateFileTransferToGuest and StartProgramInGuest

Last updated: 2026-03-20 Research depth: deep
References (5)

Unlock Pro Content

Get the full detection package for T1675 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1059Command and Scripting InterpreterT1003OS Credential DumpingT1083File and Directory DiscoveryT1005Data from Local SystemT1021Remote ServicesT1068Exploitation for Privilege EscalationT1053.007Container Orchestration Job

Same Tactic: Execution

Popular Detections