Server Software Component: vSphere Installation Bundles

Adversaries may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual system management in VMware environments. Since ESXi uses an in-memory filesystem where changes made to most files are stored in RAM rather than in persistent storage, these modifications are lost after a reboot. However, VIBs can be used to create startup tasks, apply custom firewall rules, or deploy binaries that persist across reboots. Typically, administrators use VIBs for updates and system maintenance.

VIBs can be broken down into three components:[1]

  • VIB payload: a .vgz archive containing the directories and files to be created and executed on boot when the VIBs are loaded.
  • Signature file: verifies the host acceptance level of a VIB, indicating what testing and validation has been done by VMware or its partners before publication of a VIB. By default, ESXi hosts require a minimum acceptance level of PartnerSupported for VIB installation, meaning the VIB is published by a trusted VMware partner. However, privileged users can change the default acceptance level using the esxcli command line interface. Additionally, VIBs can be installed regardless of acceptance level by using the esxcli software vib install --force command.
  • XML descriptor file: a configuration file containing associated VIB metadata, such as the name of the VIB and its dependencies.

Adversaries may leverage malicious VIB packages to maintain persistent access to ESXi hypervisors, allowing system changes to be executed upon each bootup of ESXi – such as using esxcli to enable firewall rules for backdoor traffic, creating listeners on hard-coded ports, and executing backdoors.[2] Adversaries may also masquerade their malicious VIB files as PartnerSupported by modifying the XML descriptor file.[2]

ID: T1505.006
Sub-technique of: T1505
Tactic: Persistence
Platforms: ESXi
Contributors: Janantha Marasinghe
Version: 1.0
Created: 27 March 2025
Last Modified: 15 April 2025

Mitigations

ID Mitigation Description
M1047 Audit

Periodically audit ESXi hosts to ensure that only approved VIBs are installed. The command esxcli software vib list lists installed VIBs, while the command esxcli software vib signature verify verifies the signatures of installed VIBs.[2]
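As an added example (not code from the ATT&CK page or from VMware), the following Python script parses the table printed by esxcli software vib list and audits it against an approved inventory: it flags VIBs whose acceptance level is below the PartnerSupported default, VIBs that are missing from the inventory, and VIBs shipped by a vendor other than the approved one. The sample command output, the approved inventory and the vendor names are constructed for illustration.

```python
"""Audit `esxcli software vib list` output against an approved VIB inventory.

Added example, not code from the ATT&CK page or from VMware. The sample output,
the approved inventory and the vendor names below are constructed.
"""
import re
import sys
from dataclasses import dataclass

# ESXi acceptance levels, most to least trusted; PartnerSupported is the host default.
ACCEPTANCE_RANK = {
    "VMwareCertified": 3,
    "VMwareAccepted": 2,
    "PartnerSupported": 1,
    "CommunitySupported": 0,
}
MINIMUM_ACCEPTANCE = "PartnerSupported"

# Constructed sample of `esxcli software vib list` output (not from a real host).
SAMPLE_VIB_LIST = """\
Name                 Version                      Vendor   Acceptance Level    Install Date
-------------------  ---------------------------  -------  ------------------  ------------
esx-base             7.0.3-0.65.20842708          VMW      VMwareCertified     2023-01-10
net-example-driver   1.2.3-1OEM.703.0.0.18644231  EXAMPLE  PartnerSupported    2023-02-02
vmtools-helper       1.0.0-1                      ACME     CommunitySupported  2024-11-30
sysmon-agent         2.0.0-4                      ACME     PartnerSupported    2024-12-01
"""

# Hypothetical approved inventory: VIB name -> vendor expected to ship it.
APPROVED_VIBS = {
    "esx-base": "VMW",
    "net-example-driver": "EXAMPLE",
}


@dataclass(frozen=True)
class VibRecord:
    name: str
    version: str
    vendor: str
    acceptance_level: str
    install_date: str


def parse_vib_list(text: str) -> list:
    """Parse the command's table; columns are separated by two or more spaces."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("Name") or not set(lines[1].strip()) <= {"-", " "}:
        raise ValueError("input does not look like an esxcli vib list table")
    records = []
    for row in lines[2:]:
        fields = re.split(r"\s{2,}", row.strip())
        if len(fields) != 5:
            raise ValueError(f"unexpected row layout: {row!r}")
        records.append(VibRecord(*fields))
    return records


def audit_vibs(records, approved=APPROVED_VIBS, minimum=MINIMUM_ACCEPTANCE) -> list:
    """Return (vib name, reason) findings for every VIB that needs a human look."""
    findings = []
    floor = ACCEPTANCE_RANK[minimum]
    for r in records:
        level = ACCEPTANCE_RANK.get(r.acceptance_level)
        if level is None:
            findings.append((r.name, f"unknown acceptance level {r.acceptance_level}"))
        elif level < floor:
            findings.append((r.name, f"acceptance level {r.acceptance_level} below {minimum}"))
        if r.name not in approved:
            findings.append((r.name, "not in approved inventory"))
        elif approved[r.name] != r.vendor:
            findings.append((r.name, f"vendor {r.vendor} differs from approved {approved[r.name]}"))
    return findings


if __name__ == "__main__":
    # Read real output from stdin when piped in; otherwise audit the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VIB_LIST
    for name, reason in audit_vibs(parse_vib_list(text)):
        print(f"{name}: {reason}")
```

On a real host the script is fed with the command's output (esxcli software vib list | python3 audit_vibs.py). Because the acceptance level shown in the table comes from the VIB's own descriptor, which the description above notes an adversary can edit to claim PartnerSupported, this inventory check is paired with esxcli software vib signature verify rather than used on its own.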

M1046 Boot Integrity

Enabling secure boot allows ESXi to validate software and drivers during initial system boot.[3]

M1045 Code Signing

Enabling the execInstalledOnly feature prevents unsigned binaries from being run on ESXi hosts.[3]

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor ESXi hosts for suspicious installation of new VIBs. The /var/log/esxupdate.log file records VIB installation, including where the VIB was downloaded from and the options used to install the VIB (such as force/nosigcheck).[3]

Analytic 1 - Detection bypassing signatures

sourcetype="esxupdate_log" ("Installed" AND ("--force" OR "--no-sig-check" OR "acceptance level: CommunitySupported"))
| rex field=_raw "Installed:\s(?<vib_name>\S+)"
| rex field=_raw "Source:\s(?<source_url>\S+)"
| table _time, host, vib_name, source_url, _raw
| sort - _time

DS0017 Command Command Execution

Monitor command-line arguments that may involve installing new VIBs, such as esxcli software vib install. Especially track suspicious installation parameters, such as the --force flag.[2]

Analytic 1 - Detect VIB installation

sourcetype="shell_log" ("esxcli software vib install" OR "acceptance set")
| rex field=_raw "esxcli software vib install\s+(?<flags>--[^\s]+)"
| table _time, host, user, flags, _raw
| sort - _time
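The two analytics above, implemented in Python over sample log lines as an added example (not code from the ATT&CK page or from VMware). The esxupdate.log part goes a step beyond the search: it groups lines by transaction id, so the Options line and the Installed line of one install can be separate events and still be correlated. The log lines are constructed to carry the fields the searches extract ("Installed:", "Source:", the install flags); real esxupdate.log and shell.log lines differ in layout, so the line-format regexes are assumptions to adjust before use.

```python
"""Run this page's two VIB-installation analytics over sample ESXi log lines.

Added example, not code from the ATT&CK page or from VMware. All log lines are
constructed; the line-format regexes are assumptions about the log layout.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of /var/log/esxupdate.log. Transaction 12345 installs a VIB
# with --force and --no-sig-check; transaction 12399 installs a certified VIB.
ESXUPDATE_LOG = [
    "2025-03-27T10:01:02Z esxupdate: 12345: esxcli: INFO: Options = --force --no-sig-check",
    "2025-03-27T10:01:03Z esxupdate: 12345: Transaction: INFO: Installed: ACME_bootbank_vmtools-helper_1.0.0-1"
    " Source: http://198.51.100.23/helper.vib acceptance level: CommunitySupported",
    "2025-03-27T11:15:00Z esxupdate: 12399: Transaction: INFO: Installed: VMW_bootbank_esx-base_7.0.3-0.65.20842708"
    " Source: https://depot.example.internal/vmw acceptance level: VMwareCertified",
    "2025-03-27T11:15:01Z esxupdate: 12399: esxcli: INFO: Options = --dry-run",
]

# Constructed sample of /var/log/shell.log.
SHELL_LOG = [
    "2025-03-27T10:00:40Z shell[12340]: [root]: esxcli software acceptance set --level=CommunitySupported",
    "2025-03-27T10:00:58Z shell[12340]: [root]: esxcli software vib install -v /tmp/helper.vib --force --no-sig-check",
    "2025-03-27T09:30:00Z shell[12301]: [admin]: esxcli software vib list",
]

# The same indicators the esxupdate.log analytic searches for.
BYPASS_INDICATORS = ("--force", "--no-sig-check", "acceptance level: CommunitySupported")
TXN_RE = re.compile(r"^(?P<ts>\S+) esxupdate: (?P<txn>\d+): ")      # assumed line layout
INSTALLED_RE = re.compile(r"Installed:\s(?P<vib_name>\S+)")
SOURCE_RE = re.compile(r"Source:\s(?P<source_url>\S+)")
SHELL_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")  # assumed
FLAG_RE = re.compile(r"--\S+")


@dataclass
class InstallFinding:
    txn: str
    time: str
    vib_name: str
    source_url: Optional[str]
    indicators: List[str]


@dataclass
class CommandFinding:
    time: str
    user: str
    flags: List[str]
    command: str


def detect_signature_bypass(lines) -> List[InstallFinding]:
    """Group esxupdate.log lines by transaction id and flag every install whose
    transaction carries at least one signature-bypass indicator."""
    txns = {}
    for line in lines:
        m = TXN_RE.match(line)
        if not m:
            continue
        t = txns.setdefault(m["txn"], {"time": m["ts"], "vib": None, "src": None, "ind": []})
        t["ind"] += [i for i in BYPASS_INDICATORS if i in line and i not in t["ind"]]
        if im := INSTALLED_RE.search(line):
            t["vib"] = im["vib_name"]
        if sm := SOURCE_RE.search(line):
            t["src"] = sm["source_url"]
    hits = [InstallFinding(txn, t["time"], t["vib"], t["src"], t["ind"])
            for txn, t in txns.items() if t["vib"] and t["ind"]]
    return sorted(hits, key=lambda f: f.time, reverse=True)  # newest first, like the search


def detect_vib_install_commands(lines) -> List[CommandFinding]:
    """Flag shell commands that install a VIB or change the host acceptance
    level, collecting every --flag on the command line."""
    hits = []
    for line in lines:
        m = SHELL_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"]
        if "esxcli software vib install" in cmd or "acceptance set" in cmd:
            hits.append(CommandFinding(m["ts"], m["user"], FLAG_RE.findall(cmd), cmd))
    return sorted(hits, key=lambda f: f.time, reverse=True)


if __name__ == "__main__":
    for f in detect_signature_bypass(ESXUPDATE_LOG):
        print(f"{f.time} txn={f.txn} vib={f.vib_name} source={f.source_url} indicators={f.indicators}")
    for c in detect_vib_install_commands(SHELL_LOG):
        print(f"{c.time} user={c.user} flags={c.flags} cmd={c.command}")
```

In the sample, only transaction 12345 is reported from esxupdate.log (the certified install in 12399 has no indicator), and the shell log yields two findings: the install with --force and --no-sig-check, and the acceptance-level change that preceded it. The acceptance set command is worth keeping in the shell-log analytic because lowering the host level is the other way, besides --force, of getting an unsupported VIB installed.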

References