
T1675 ESXi Administration Command

Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual environment. Persistent background services on ESXi-hosted VMs, such as the VMware Tools Daemon Service, allow for remote management from the ESXi server. The tools daemon service runs as vmtoolsd.exe on Windows guest operating systems, vmware-tools-daemon on macOS, and vmtoolsd on Linux.[3]

Adversaries may leverage a variety of tools to execute commands on ESXi-hosted VMs – for example, by using the vSphere Web Services SDK to programmatically execute commands and scripts via APIs such as StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, and InitiateFileTransferFromGuest.[1][2] This may enable follow-on behaviors on the guest VMs, such as File and Directory Discovery, Data from Local System, or OS Credential Dumping.
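Because guest operations such as StartProgramInGuest are carried out by the tools daemon inside the VM, a guest-side detection can key on the daemon named above appearing as the parent of a shell or interpreter. The following is an added example, not part of the ATT&CK page: it runs that check over constructed, Sysmon-style process-creation records (the field names Image, ParentImage, CommandLine and User, the interpreter list, and all hostnames and paths are assumptions).

```python
"""Flag guest-VM process creations whose parent is the VMware Tools daemon.
Records are constructed for this example; field names follow Sysmon
Event ID 1 (Image, ParentImage, CommandLine, User) as an assumption."""
from dataclasses import dataclass
from typing import Iterable, List

# Tools daemon binaries named on the page, per guest OS.
TOOLS_DAEMONS = {"vmtoolsd.exe", "vmtoolsd", "vmware-tools-daemon"}
# Interpreters whose launch by the daemon usually means a guest operation
# rather than routine Tools housekeeping (assumed list, tune per fleet).
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "python", "python3"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str
    parent_image: str
    command_line: str
    user: str


def _basename(path: str) -> str:
    # Handle both Windows and POSIX separators, compare case-insensitively.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_tools_daemon_child(ev: ProcEvent) -> bool:
    return _basename(ev.parent_image) in TOOLS_DAEMONS


def find_guest_operations(events: Iterable[ProcEvent]) -> List[ProcEvent]:
    """Return events where the Tools daemon launched a shell or interpreter."""
    return [ev for ev in events
            if is_tools_daemon_child(ev) and _basename(ev.image) in SHELLS]


# Constructed sample telemetry (hypothetical guests, not from any incident).
SAMPLE_EVENTS = [
    ProcEvent("win-guest-01", r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
              r"C:\Windows\System32\services.exe", "vmtoolsd.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent("win-guest-01", r"C:\Windows\System32\cmd.exe",
              r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe",
              'cmd.exe /c "whoami & dir C:\\Users"', r"WIN-GUEST-01\admin"),
    ProcEvent("lnx-guest-02", "/bin/bash", "/usr/bin/vmtoolsd", "bash -c 'id; ls /root'", "root"),
    ProcEvent("lnx-guest-02", "/usr/bin/vmtoolsd", "/sbin/init", "/usr/bin/vmtoolsd", "root"),
    ProcEvent("win-guest-03", r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\explorer.exe", "cmd.exe", r"WIN-GUEST-03\user"),
]

if __name__ == "__main__":
    for hit in find_guest_operations(SAMPLE_EVENTS):
        print(f"[{hit.host}] {hit.parent_image} -> {hit.image} as {hit.user}: {hit.command_line}")
```

Correlating each hit with the vCenter or ESXi event that invoked the guest operation, and with the account that held the Guest Operations privilege, turns a noisy process-tree signal into an attributable one.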

ID: T1675
Sub-techniques:
Tactics: TA0002
Platforms: ESXi
Version: 1.0
Created: 28 March 2025
Last Modified: 16 April 2025

Procedure Examples

ID Name Description
G1048 UNC3886 UNC3886 used vmtoolsd.exe to run commands on guest virtual machines from a compromised ESXi host.[5][1][6][7]
S1217 VIRTUALPITA VIRTUALPITA can execute commands on guest virtual machines from compromised ESXi hypervisors.[5]

Mitigations

ID Mitigation Description
M1018 User Account Management If not required, restrict the permissions of users to perform Guest Operations on ESXi-hosted VMs.[4]

References