Detect ESXi Administration Command in Splunk
This detection identifies adversaries abusing ESXi administration services — particularly the VMware Tools Daemon (vmtoolsd.exe on Windows, vmtoolsd on Linux, vmware-tools-daemon on macOS) — to execute commands on guest virtual machines from a compromised ESXi hypervisor. Attackers, including UNC3886 using VIRTUALPITA malware, leverage the vSphere Web Services SDK and Guest Operations APIs (StartProgramInGuest, ListProcessesInGuest, InitiateFileTransferFromGuest) to run arbitrary code on hosted VMs without traditional lateral movement vectors. Detection focuses on anomalous child process spawning from vmtoolsd.exe on guest OSes, unusual file transfer activity through VMware guest operations channels, and suspicious vSphere API authentication events from unexpected source IPs.
MITRE ATT&CK
- Tactic: Execution
- Technique: T1675 ESXi Administration Command
- Canonical reference: https://attack.mitre.org/techniques/T1675/
SPL Detection Query
index=* (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" OR sourcetype="WinEventLog:Security")
| eval is_sysmon=if(sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational", 1, 0)
| eval is_security=if(sourcetype="WinEventLog:Security", 1, 0)
| search (EventCode=1 AND is_sysmon=1) OR (EventCode=4688 AND is_security=1)
| eval ParentImage=coalesce(ParentImage, ParentProcessName, Creator_Process_Name)
| eval Image=coalesce(Image, NewProcessName, New_Process_Name)
| eval CommandLine=coalesce(CommandLine, Process_Command_Line)
| eval User=coalesce(User, Account_Name)
| where match(lower(ParentImage), "vmtoolsd\.exe$")
| eval ChildProcess=mvindex(split(Image, "\\"), -1)
| eval IsHighRisk=if(match(lower(ChildProcess), "^(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|net\.exe|net1\.exe|whoami\.exe|nltest\.exe|schtasks\.exe|reg\.exe|curl\.exe|wget\.exe)$"), "HIGH", "MEDIUM")
| eval Hostname=coalesce(Computer, host)
| table _time, Hostname, User, ParentImage, Image, ChildProcess, CommandLine, IsHighRisk, EventCode
| sort IsHighRisk, - _time

The query detects Sysmon Event Code 1 (Process Create) and Windows Security Event 4688 (Process Creation) where the parent process is vmtoolsd.exe on Windows guest VMs. Field names differ between the two sources (Sysmon uses ParentImage, Image and CommandLine; Security 4688 uses ParentProcessName/Creator_Process_Name, NewProcessName/New_Process_Name and Process_Command_Line depending on the event format), so coalesce() maps them onto one schema before filtering. Child process creation under vmtoolsd.exe is the primary artifact of ESXi Guest Operations API abuse (StartProgramInGuest), because the spawned process inherits vmtoolsd.exe as its parent. Events are tagged HIGH risk when the child is a known attacker-favoured LOLBin; sorting IsHighRisk ascending places HIGH rows before MEDIUM rows, newest first within each tier.
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (Sysmon Event ID 1, Process Create)
- WinEventLog:Security (Event ID 4688, Process Creation)
False Positives & Tuning
- Legitimate VMware Tools update processes spawning installer executables under vmtoolsd.exe
- Enterprise configuration management platforms using VMware Guest Operations APIs for automated software deployment across virtual infrastructure
- VMware vRealize Operations or vCenter Server scheduled tasks executing maintenance scripts via Guest Operations
- Third-party backup agents integrated with VMware Tools that launch snapshot coordination processes
- VMware Horizon agent components performing session management and profile loading operations
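As an added example (not part of this page and not Splunk or VMware code), the following Python reproduces what the SPL query above does, normalising constructed Sysmon Event ID 1 and Security 4688 records onto one schema, keeping only children of vmtoolsd.exe, ranking LOLBin children HIGH and sorting the result, and adds the allowlist knob that the false-positive list above calls for. The Security field names follow the Splunk Add-on for Windows; the host names, the sample events and the allowlisted updater name `toolsupdate.exe` are constructed assumptions, not real telemetry or documented VMware binaries.

```python
"""Offline re-implementation of the vmtoolsd.exe child-process detection.
Added example, not the page's SPL and not Splunk code."""
import re

SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
SECURITY = "WinEventLog:Security"

# Same LOLBin list the SPL tags as HIGH risk
HIGH_RISK = re.compile(
    r"^(cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|"
    r"rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|wmic\.exe|net\.exe|"
    r"net1\.exe|whoami\.exe|nltest\.exe|schtasks\.exe|reg\.exe|curl\.exe|wget\.exe)$"
)
PARENT_RE = re.compile(r"vmtoolsd\.exe$")


def coalesce(*values):
    """Mimic SPL coalesce(): first value that is present and non-empty."""
    for v in values:
        if v not in (None, ""):
            return v
    return None


def normalise(event):
    """Map Sysmon EID 1 and Security 4688 field names onto one schema, as the
    eval/coalesce lines of the query do. Returns None for out-of-scope events."""
    st, code = event.get("sourcetype"), event.get("EventCode")
    if not ((st == SYSMON and code == 1) or (st == SECURITY and code == 4688)):
        return None
    return {
        "_time": event["_time"],
        "Hostname": coalesce(event.get("Computer"), event.get("host")),
        "User": coalesce(event.get("User"), event.get("Account_Name")),
        "ParentImage": coalesce(event.get("ParentImage"), event.get("ParentProcessName"),
                                event.get("Creator_Process_Name")),
        "Image": coalesce(event.get("Image"), event.get("NewProcessName"),
                          event.get("New_Process_Name")),
        "CommandLine": coalesce(event.get("CommandLine"), event.get("Process_Command_Line")),
        "EventCode": code,
    }


def detect(events, allowlist=frozenset()):
    """Return the rows the query would table: HIGH rows first, newest first.
    `allowlist` holds lower-cased child image basenames that are known-good in
    your estate (tuning knob for the false positives listed on the page)."""
    rows = []
    for ev in events:
        n = normalise(ev)
        if n is None or not n["ParentImage"] or not n["Image"]:
            continue
        if not PARENT_RE.search(n["ParentImage"].lower()):
            continue
        child = n["Image"].split("\\")[-1]          # mvindex(split(Image, "\\"), -1)
        if child.lower() in allowlist:
            continue                                # tuned-out known-good child
        n["ChildProcess"] = child
        n["IsHighRisk"] = "HIGH" if HIGH_RISK.match(child.lower()) else "MEDIUM"
        rows.append(n)
    rows.sort(key=lambda r: (r["IsHighRisk"] != "HIGH", -r["_time"]))
    return rows


# Constructed sample events (not real telemetry)
VMTOOLSD = "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe"
SAMPLE_EVENTS = [
    {"sourcetype": SYSMON, "EventCode": 1, "_time": 1700000100, "Computer": "guest01",
     "User": "NT AUTHORITY\\SYSTEM", "ParentImage": VMTOOLSD,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami > C:\\Temp\\out.txt"},      # HIGH: LOLBin child
    {"sourcetype": SECURITY, "EventCode": 4688, "_time": 1700000200, "host": "guest02",
     "Account_Name": "SYSTEM", "ParentProcessName": VMTOOLSD,
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "Process_Command_Line": "notepad.exe"},                        # MEDIUM: other child
    {"sourcetype": SYSMON, "EventCode": 1, "_time": 1700000300, "Computer": "guest03",
     "ParentImage": VMTOOLSD, "Image": "C:\\Temp\\toolsupdate.exe",  # hypothetical updater
     "CommandLine": "toolsupdate.exe /quiet"},
    {"sourcetype": SYSMON, "EventCode": 1, "_time": 1700000400, "Computer": "guest04",
     "ParentImage": "C:\\Windows\\explorer.exe",                    # wrong parent: dropped
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    {"sourcetype": SYSMON, "EventCode": 11, "_time": 1700000500, "Computer": "guest05",
     "Image": VMTOOLSD, "TargetFilename": "C:\\Temp\\x.txt"},       # FileCreate: out of scope
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, allowlist={"toolsupdate.exe"}):
        print(row["IsHighRisk"], row["Hostname"], row["ChildProcess"], row["CommandLine"])
```

Run stand-alone it prints the guest01 cmd.exe row (HIGH) and the guest02 notepad.exe row (MEDIUM); the allowlisted updater, the explorer.exe-parented process and the FileCreate event are dropped. When tuning the real query, prefer allowlisting by full image path and signer rather than basename alone, and note that Process_Command_Line in 4688 is only populated when the "Include command line in process creation events" audit policy is enabled on the guest.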
Testing Methodology
Validate this detection against three Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Execute Command on Guest VM via vSphere Guest Operations API (PowerCLI)
Expected signal: On the guest Windows VM: Sysmon Event ID 1 with ParentImage=vmtoolsd.exe and Image=cmd.exe; Windows Security Event 4688 with ParentProcessName vmtoolsd.exe; vmware-vmsvc log entry recording the StartProgramInGuest invocation
- Test 2: Simulate vmtoolsd.exe Child Process Execution (Local Process Spawn)
Expected signal: Sysmon Event ID 1 showing ParentProcessId matching the vmtoolsd.exe PID; Windows Security Event ID 4688
- Test 3: ESXi Guest File Transfer Simulation via InitiateFileTransferToGuest (Python SDK)
Expected signal: Sysmon Event ID 11 (FileCreate) with Image=vmtoolsd.exe creating C:\Temp\t1675_test.txt; Sysmon Event ID 1 with ParentImage=vmtoolsd.exe spawning cmd.exe; ESXi hostd.log entries for InitiateFileTransferToGuest and StartProgramInGuest
References
- https://attack.mitre.org/techniques/T1675/
- https://cloud.google.com/blog/topics/threat-intelligence/esxi-zero-day-vmware-2023
- https://cloud.google.com/blog/topics/threat-intelligence/esxi-vibs-2022
- https://www.broadcom.com/support/knowledge-base/1031960/vmware-tools-services
- https://developer.broadcom.com/xapis/vsphere-web-services-api/latest/vim.vm.guest.ProcessManager/