T1059.012 Hypervisor CLI

Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of functionality for managing both the hypervisor itself and the guest virtual machines it hosts.

For example, on ESXi systems, tools such as esxcli and vim-cmd allow administrators to configure firewall rules and log forwarding on the hypervisor, list virtual machines, start and stop virtual machines, and more.[1][3][2] Adversaries may be able to leverage these tools in order to support further actions, such as File and Directory Discovery or Data Encrypted for Impact.

| Item | Value |
| --- | --- |
| ID | T1059.012 |
| Sub-techniques | T1059.001, T1059.002, T1059.003, T1059.004, T1059.005, T1059.006, T1059.007, T1059.008, T1059.009, T1059.010, T1059.011, T1059.012, T1059.013 |
| Tactics | TA0002 |
| Platforms | ESXi |
| Version | 1.0 |
| Created | 26 March 2025 |
| Last Modified | 15 April 2025 |

Procedure Examples

| ID | Name | Description |
| --- | --- | --- |
| S1096 | Cheerscrypt | Cheerscrypt has leveraged esxcli in order to terminate running virtual machines.[4] |
| S1073 | Royal | Royal ransomware uses esxcli to gather a list of running VMs and terminate them.[5] |
| G1048 | UNC3886 | UNC3886 has used the esxcli command line utility to modify firewall rules, install malware, and for artifact removal.[6][7] |
| S1218 | VIRTUALPIE | VIRTUALPIE is capable of command line execution on compromised ESXi servers.[6] |
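
The esxcli and vim-cmd activity described above can be looked for in forwarded ESXi shell logs. The Python sketch below is an added example, not part of the ATT&CK entry: it tags log lines by the behaviours named on this page and raises an alert when VM termination follows VM enumeration. It assumes the `shell.log` layout `<timestamp> shell[<pid>]: [<user>]: <command>`; the rule names and the sample lines are constructed for illustration.

```python
import re

# Assumed ESXi shell.log layout: "<timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$")

# Behaviours named on this page, mapped to esxcli / vim-cmd invocations.
RULES = [
    ("vm_enumeration", re.compile(
        r"\besxcli\s+vm\s+process\s+list\b|\bvim-cmd\s+vmsvc/getallvms\b")),
    ("vm_termination", re.compile(
        r"\besxcli\s+vm\s+process\s+kill\b|\bvim-cmd\s+vmsvc/power\.off\b")),
    ("firewall_change", re.compile(
        r"\besxcli\s+network\s+firewall\s+(ruleset\s+)?set\b")),
    ("log_forwarding_change", re.compile(
        r"\besxcli\s+system\s+syslog\s+config\s+set\b")),
    ("vib_install", re.compile(r"\besxcli\s+software\s+vib\s+install\b")),
]

def classify(line):
    """Return a tagged record for a shell.log line, or None if nothing matches."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Drop option tokens so "esxcli --formatter=csv vm process list" still matches.
    normalized = " ".join(t for t in m["cmd"].split() if not t.startswith("-"))
    tags = [name for name, rx in RULES if rx.search(normalized)]
    if not tags:
        return None
    return {"ts": m["ts"], "user": m["user"], "cmd": m["cmd"], "tags": tags}

def scan(lines):
    """Return (all tagged hits, hits where termination follows enumeration)."""
    hits = [h for h in map(classify, lines) if h]
    seen, alerts = set(), []
    for h in hits:
        if "vm_termination" in h["tags"] and "vm_enumeration" in seen:
            alerts.append(h)
        seen.update(h["tags"])
    return hits, alerts

# Constructed sample lines, not taken from a real host.
SAMPLE = [
    "2025-04-15T09:12:01Z shell[2100111]: [root]: esxcli --formatter=csv vm process list",
    "2025-04-15T09:12:09Z shell[2100111]: [root]: esxcli vm process kill --type=soft --world-id=1234567",
    "2025-04-15T09:13:40Z shell[2100111]: [root]: esxcli network firewall set --enabled false",
    "2025-04-15T09:14:02Z shell[2100111]: [root]: ls /vmfs/volumes",
    "2025-04-15T09:15:00Z hostd[2099000]: unrelated line",
]
```

Tagged hits are worth baselining against normal administration before alerting on single commands; the enumeration-then-termination sequence is the higher-signal case.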

References