Command and Scripting Interpreter: Hypervisor CLI

Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of functionality for managing both the hypervisor itself and the guest virtual machines it hosts.

For example, on ESXi systems, tools such as esxcli and vim-cmd allow administrators to configure firewall rules and log forwarding on the hypervisor, list virtual machines, start and stop virtual machines, and more.[1][2][3] Adversaries may be able to leverage these tools in order to support further actions, such as File and Directory Discovery or Data Encrypted for Impact.

ID: T1059.012
Sub-technique of: T1059
Tactic: Execution
Platforms: ESXi
Contributors: Janantha Marasinghe; Liran Ravich, CardinalOps
Version: 1.0
Created: 26 March 2025
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
S1096 Cheerscrypt

Cheerscrypt has leveraged esxcli in order to terminate running virtual machines.[4]

S1073 Royal

Royal ransomware uses esxcli to gather a list of running VMs and terminate them.[5]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor command-line arguments made using hypervisor CLIs. Actions may be related to network and system information discovery, collection, or other post-compromise behaviors. On ESXi systems, monitor logs such as /var/log/shell.log to track executed commands.[6]

Analytic 1 - Logged Shell Commands

index=esxi_logs sourcetype=shell_log
| rex field=_raw "(?i)(?<command>(?:esxcli|vim-cmd)\b.*)"
| search command="esxcli*" OR command="vim-cmd*"
| eval suspicious=if(like(command, "%firewall%") OR like(command, "%loghost%") OR like(command, "%vmsvc%"), 1, 0)
| stats count by command, user, host, _time, suspicious
| where suspicious=1

The rex pattern names the capture group (command) and keeps the full invocation after esxcli or vim-cmd, so that later tokens such as "firewall" or "--loghost" are visible to the suspicious check; the search stage uses wildcards because the captured value contains the subcommand and arguments, not just the tool name.
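The same detection logic as a stand-alone parser over /var/log/shell.log, as an added example that is not part of the ATT&CK page or the referenced Splunk analytic. The sample log lines are constructed and only modelled on the ESXi shell.log layout ("<timestamp> shell[<pid>]: [<user>]: <command>"); the line format, field names and marker list are assumptions, not values taken from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the ESXi /var/log/shell.log layout
# ("<timestamp> shell[<pid>]: [<user>]: <command>"). Not real log entries.
SAMPLE_SHELL_LOG = """\
2025-03-26T10:15:01Z shell[2001]: [root]: esxcli system version get
2025-03-26T10:15:07Z shell[2001]: [root]: vim-cmd vmsvc/getallvms
2025-03-26T10:15:12Z shell[2001]: [root]: vim-cmd vmsvc/power.off 12
2025-03-26T10:15:20Z shell[2001]: [root]: esxcli network firewall set --enabled false
2025-03-26T10:15:33Z shell[2001]: [root]: esxcli system syslog config set --loghost=
2025-03-26T10:15:40Z shell[2001]: [root]: ls /vmfs/volumes
"""

# Assumed shell.log line structure; adjust LINE_RE if your ESXi build adds fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
# Only hypervisor CLI invocations (esxcli / vim-cmd) are of interest here.
CLI_RE = re.compile(r"^(?P<tool>esxcli|vim-cmd)\b", re.IGNORECASE)
# Subcommand fragments the page's analytic treats as suspicious: firewall and
# log-forwarding changes, and VM enumeration / power control through vmsvc.
SUSPICIOUS_MARKERS = ("firewall", "loghost", "vmsvc")


@dataclass
class HypervisorCliEvent:
    ts: str
    user: str
    tool: str
    command: str
    suspicious: bool


def parse_shell_log(text):
    """Return one event per esxcli/vim-cmd command found in shell.log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        cmd = m.group("cmd").strip()
        c = CLI_RE.match(cmd)
        if not c:
            continue  # ordinary shell command (e.g. ls), not a hypervisor CLI
        lowered = cmd.lower()
        suspicious = any(marker in lowered for marker in SUSPICIOUS_MARKERS)
        events.append(HypervisorCliEvent(m.group("ts"), m.group("user"),
                                         c.group("tool").lower(), cmd, suspicious))
    return events


def suspicious_commands(text):
    """Filter parse_shell_log() output down to the flagged invocations."""
    return [e for e in parse_shell_log(text) if e.suspicious]
```

Running it on the constructed sample flags the vmsvc enumeration and power-off, the firewall change and the loghost change, while the version query and the plain ls are left alone.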

References