title: ESXi Administration Command (T1675)
id: df00tech-t1675
status: experimental
description: "This detection identifies adversaries abusing ESXi administration services — particularly the VMware Tools Daemon (vmtoolsd.exe on Windows, vmtoolsd on Linux, vmware-tools-daemon on macOS) — to execute commands on guest virtual machines from a compromised ESXi hypervisor. Attackers, including UNC3886 using VIRTUALPITA malware, leverage the vSphere Web Services SDK and Guest Operations APIs (StartProgramInGuest, ListProcessesInGuest, InitiateFileTransferFromGuest) to run arbitrary code on hosted VMs without traditional lateral movement vectors. Detection focuses on anomalous child process spawning from vmtoolsd.exe on guest OSes, unusual file transfer activity through VMware guest operations channels, and suspicious vSphere API authentication events from unexpected source IPs."
references:
  - https://attack.mitre.org/techniques/T1675/
  - https://df00tech.com/detections/T1675
author: df00tech
date: 2026/03/20
tags:
  - attack.t1675
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - VMware Tools auto-update mechanisms launching update executables as children of vmtoolsd.exe
  - Legitimate IT operations or configuration management tools configured to run via VMware Guest Operations APIs for automated provisioning or patch management
  - VMware vRealize Automation or vSphere Lifecycle Manager executing maintenance scripts through Guest Operations as part of scheduled infrastructure management tasks
  - Monitoring agents deployed via VMware Tools integration that spawn diagnostic collection processes under vmtoolsd.exe
  - VMware Horizon View or App Volumes agents performing session management operations through the tools daemon
level: high