
DET0558 Detection Strategy for ESXi Hypervisor CLI Abuse

Item            Value
ID              DET0558
Version         1.0
Created         21 October 2025
Last Modified   21 October 2025

Technique Detected: T1059.012 (Hypervisor CLI)

Analytics

ESXi

AN1537

Detects suspicious use of ESXi native CLI tools such as esxcli and vim-cmd by unauthorized users or outside expected maintenance windows. The focus is on actions such as stopping VMs, reconfiguring network or firewall settings, and enabling SSH or logging.

Log Sources
Data Component                          Name            Channel
Command Execution (DC0064)              esxi:vmkernel   esxcli, vim-cmd invocation
User Account Authentication (DC0002)    esxi:auth       SSH session/login

Mutable Elements
Field           Description
TimeWindow      Helps scope detection to off-hours or change control gaps.
UserContext     Environment-specific users may run these commands as part of normal ops.
CommandPattern  CLI commands vary by adversary intent (e.g., ‘stop’, ‘reboot’, ‘firewall set’).
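An added example (not part of this ATT&CK page or any MITRE tooling) that implements the AN1537 analytic over constructed ESXi shell.log-style lines, with the three mutable elements above exposed as tunable constants. The log line format, user names, maintenance hours and command patterns are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines in the style of ESXi /var/log/shell.log
# (hypothetical content, not taken from the detection strategy page).
SHELL_LOG = """\
2025-10-21T09:12:04Z shell[2104]: [opsadmin]: esxcli system version get
2025-10-21T02:41:17Z shell[2311]: [root]: esxcli network firewall set --enabled false
2025-10-21T02:42:03Z shell[2311]: [root]: vim-cmd vmsvc/power.off 12
2025-10-21T02:43:50Z shell[2311]: [root]: vim-cmd hostsvc/enable_ssh
2025-10-21T10:05:22Z shell[2402]: [opsadmin]: vim-cmd vmsvc/power.off 7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>(esxcli|vim-cmd) .*)$"
)

# Mutable elements from the strategy, set to assumed environment-specific values.
MAINTENANCE_HOURS = range(8, 18)   # TimeWindow: 08:00-17:59 UTC is the change window
EXPECTED_USERS = {"opsadmin"}      # UserContext: accounts that run these commands routinely
COMMAND_PATTERNS = {               # CommandPattern: high-impact actions named in AN1537
    "vm_power_off": re.compile(r"vim-cmd vmsvc/power\.(off|reset)"),
    "firewall_change": re.compile(r"esxcli network firewall set"),
    "ssh_enabled": re.compile(r"vim-cmd hostsvc/enable_ssh"),
    "host_reboot": re.compile(r"esxcli system shutdown"),
}

@dataclass
class Alert:
    ts: str
    user: str
    cmd: str
    reasons: list

def analyze(log_text: str) -> list:
    """Return one Alert per high-impact CLI command run by an unexpected
    user or outside the maintenance window; routine commands are ignored."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        reasons = [name for name, pat in COMMAND_PATTERNS.items() if pat.search(m["cmd"])]
        if not reasons:
            continue  # inventory/read-only commands are not alerted on
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        if m["user"] not in EXPECTED_USERS:
            reasons.append("unexpected_user")
        if ts.hour not in MAINTENANCE_HOURS:
            reasons.append("outside_maintenance_window")
        if len(reasons) > 1:  # a pattern hit alone is expected ops; need a context violation too
            alerts.append(Alert(m["ts"], m["user"], m["cmd"], reasons))
    return alerts
```

The last sample line (an expected user powering off a VM inside the window) is deliberately suppressed, showing how UserContext and TimeWindow keep routine operations out of the alert stream.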