title: vSphere Installation Bundles (T1505.006)
id: df00tech-t1505-006
status: experimental
description: "Adversaries abuse VMware vSphere Installation Bundles (VIBs) to achieve persistent access on ESXi hypervisors. VIBs are software packages that persist across reboots because they are incorporated into the ESXi boot image. Malicious VIBs can deploy backdoors, custom firewall rules, and startup scripts. UNC3886 used malicious VIBs to install the VIRTUALPIE backdoor on ESXi. VIBs can be installed with the --force flag to bypass acceptance level requirements, and adversaries masquerade them as PartnerSupported by modifying the XML descriptor. Detection on ESXi is challenging due to limited logging."
references:
  - https://attack.mitre.org/techniques/T1505/006/
  - https://df00tech.com/detections/T1505.006
author: df00tech
date: 2026/04/20
tags:
  - attack.t1505.006
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate VMware administrator deploying authorized VIBs for driver updates or vSAN components
  - VMware Update Manager (VUM) performing scheduled ESXi patch deployments
  - VMware Tools upgrades that deploy VIB packages to ESXi hosts
  - Authorized network adapter or storage driver VIBs installed by infrastructure team
level: critical
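The detection block above is a placeholder, so here is a host-side triage check for the behaviour the description names: a VIB installed with --force or at CommunitySupported level, and a VIB whose descriptor claims PartnerSupported or VMwareCertified but that carries no valid signature. This is an added example, not part of the df00tech rule or of VMware's tooling. It assumes an analyst has saved the output of `esxcli software vib list` and `esxcli software vib signature verify` from an ESXi host to text files; the `esxcli software vib list` columns match what esxcli prints, while the column layout of the signature-verify output, the VIB names `vmsyslog-plugin` and `esxi-rc-helper`, and the vendor `ACME` are constructed for the sample.

```python
"""Triage saved esxcli output for suspicious VIBs (T1505.006).

Added example, not part of the df00tech rule or of VMware's tooling. Assumes
the analyst saved `esxcli software vib list` and `esxcli software vib
signature verify` output from an ESXi host; the signature-verify column
layout below is an assumption.
"""
import re
from typing import Dict, List

# Constructed sample of `esxcli software vib list` output. The last two rows
# are invented suspicious entries: vmsyslog-plugin claims PartnerSupported but
# is unsigned (edited descriptor), esxi-rc-helper is CommunitySupported (only
# installable with --force or a lowered host acceptance level).
VIB_LIST = """\
Name              Version                     Vendor  Acceptance Level    Install Date
----------------  --------------------------  ------  ------------------  ------------
esx-base          7.0.3-0.35.19193900         VMware  VMwareCertified     2022-03-10
vmkusb            0.1-1vmw.703.0.0.19193900   VMware  VMwareCertified     2022-03-10
vmsyslog-plugin   1.0.0-1                     VMware  PartnerSupported    2023-02-14
esxi-rc-helper    1.0-1                       ACME    CommunitySupported  2023-02-14
"""

# Constructed sample of `esxcli software vib signature verify` output
# (column layout assumed; verdict values assumed to be Succeeded/Failed).
SIGNATURE_VERIFY = """\
Name              Version                     Vendor  Acceptance Level    Signature Verification
----------------  --------------------------  ------  ------------------  ----------------------
esx-base          7.0.3-0.35.19193900         VMware  VMwareCertified     Succeeded
vmkusb            0.1-1vmw.703.0.0.19193900   VMware  VMwareCertified     Succeeded
vmsyslog-plugin   1.0.0-1                     VMware  PartnerSupported    Failed
esxi-rc-helper    1.0-1                       ACME    CommunitySupported  Failed
"""

# Acceptance levels that require a valid VMware or partner signature.
TRUSTED_LEVELS = {"VMwareCertified", "VMwareAccepted", "PartnerSupported"}


def parse_esxcli_table(text: str) -> List[Dict[str, str]]:
    """Parse esxcli's table output: a header line, a dashed separator, then
    one row per VIB. Columns are separated by two or more spaces and VIB
    field values never contain spaces, so splitting on runs of spaces is
    enough (the header's 'Acceptance Level' keeps its single space)."""
    lines = [line.rstrip() for line in text.splitlines() if line.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    rows = []
    for line in lines[2:]:  # skip header and separator lines
        fields = re.split(r"\s{2,}", line.strip())
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count in line: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def triage_vibs(vib_list_text: str, signature_text: str) -> List[Dict[str, str]]:
    """Return one finding per VIB that is CommunitySupported, fails (or lacks)
    signature verification, or claims a trusted acceptance level without a
    valid signature. The last case is rated critical because it matches the
    edited-descriptor masquerade described for this technique."""
    verdicts = {
        (r["Name"], r["Version"]): r["Signature Verification"]
        for r in parse_esxcli_table(signature_text)
    }
    findings = []
    for vib in parse_esxcli_table(vib_list_text):
        name, version, level = vib["Name"], vib["Version"], vib["Acceptance Level"]
        verdict = verdicts.get((name, version), "NotVerified")
        reasons = []
        severity = "high"
        if level == "CommunitySupported":
            reasons.append("CommunitySupported: needs --force or a lowered host acceptance level")
        if verdict != "Succeeded":
            reasons.append(f"signature verification {verdict}")
            if level in TRUSTED_LEVELS:
                severity = "critical"
                reasons.append(f"claims {level} without a valid signature (possible edited descriptor)")
        if reasons:
            findings.append({"name": name, "version": version,
                             "severity": severity, "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage_vibs(VIB_LIST, SIGNATURE_VERIFY):
        print(f"[{f['severity']}] {f['name']} {f['version']}: {f['reason']}")
```

In use, replace the two constructed strings with the saved command output from each host; VIBs that appear in the list but not in the signature output are reported as `NotVerified` rather than silently skipped, so a truncated or partial collection still surfaces as a finding. The entries in `falsepositives` above (VUM patching, driver and vSAN VIBs) still need to be checked against change records, since a legitimate partner VIB will pass signature verification and never appear here.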
