- Tactics
- Execution
- Platforms
- ESXi
- Reference
- attack.mitre.org/techniques/T1675
Description
Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual environment. Persistent background services on ESXi-hosted VMs, such as the VMware Tools Daemon Service, allow for remote management from the ESXi server. The tools daemon service runs as vmtoolsd.exe on Windows guest operating systems, vmware-tools-daemon on macOS, and vmtoolsd on Linux.(Citation: Broadcom VMware Tools Services)
Adversaries may leverage a variety of tools to execute commands on ESXi-hosted VMs – for example, by using the vSphere Web Services SDK to programmatically execute commands and scripts via APIs such as StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, and InitiateFileTransferFromGuest.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)(Citation: Broadcom Running Guest OS Operations) This may enable follow-on behaviors on the guest VMs, such as File and Directory Discovery, Data from Local System, or OS Credential Dumping.
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Execution tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1047 — Windows Management Instrumentation
- T1053 — Scheduled Task/Job
- T1059 — Command and Scripting Interpreter
- T1072 — Software Deployment Tools
- T1106 — Native API
- T1127 — Trusted Developer Utilities Proxy Execution
- T1129 — Shared Modules
- T1197 — BITS Jobs
- T1203 — Exploitation for Client Execution
- T1204 — User Execution
- T1559 — Inter-Process Communication
- T1569 — System Services