ESXi Administration Command

Adversaries may abuse ESXi administration services to execute commands on guest machines hosted within an ESXi virtual environment. Persistent background services on ESXi-hosted VMs, such as the VMware Tools Daemon Service, allow for remote management from the ESXi server. The tools daemon service runs as vmtoolsd.exe on Windows guest operating systems, vmware-tools-daemon on macOS, and vmtoolsd on Linux.[1]

Adversaries may leverage a variety of tools to execute commands on ESXi-hosted VMs – for example, by using the vSphere Web Services SDK to programmatically execute commands and scripts via APIs such as StartProgramInGuest, ListProcessesInGuest, ListFileInGuest, and InitiateFileTransferFromGuest.[2][3] This may enable follow-on behaviors on the guest VMs, such as File and Directory Discovery, Data from Local System, or OS Credential Dumping.

ID: T1675
Sub-techniques: No sub-techniques
Tactic: Execution
Platforms: ESXi
Version: 1.0
Created: 28 March 2025
Last Modified: 16 April 2025

Mitigations

ID Mitigation Description
M1018 User Account Management

If not required, restrict the permissions of users to perform Guest Operations on ESXi-hosted VMs.[4]

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

Monitor for Guest Operations API calls executed from the ESXi host to a guest VM, especially:
- StartProgramInGuest
- ListProcessesInGuest
- InitiateFileTransferFromGuest
- ListFileInGuest

Also look for sudden usage from ESXi management accounts (especially out of hours); use of Guest Operations on VMs where vmtoolsd is not typically used or is disabled; and operations from unusual ESXi IPs or using credentials not normally associated with VM management.[5]

Analytic 1 - ESXi Abuse

sourcetype="vmware:log"
| eval guest_operation=coalesce('eventMessage', 'message')
| search guest_operation="StartProgramInGuest" OR guest_operation="ListProcessesInGuest" OR guest_operation="ListFileInGuest" OR guest_operation="InitiateFileTransferFromGuest"
| stats count by host, vm_name, user, guest_operation, _time
| eventstats count as total_operations by host
| where total_operations > 10 OR (user!="expected_admin" AND total_operations > 1)
| table _time, host, vm_name, user, guest_operation
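The following is an added, stand-alone Python example (not part of the ATT&CK page or any VMware tooling) that applies the same logic as the Splunk analytic above and the detection guidance before it, run offline over constructed event lines. The key=value line format, the field names host/vm/user/op, the expected-admin account set and the business-hours window are all assumptions for the example; only the four Guest Operations call names come from the page. It reproduces the analytic's two conditions (per-host volume above a threshold, or repeat use by an account outside the expected-admin set) and annotates matches that fall outside business hours, following the "especially out of hours" cue in the detection text.

```python
"""Offline detection example for Guest Operations abuse (T1675).

Assumptions (not from the ATT&CK page): the simplified key=value event
format below, the field names host/vm/user/op, the EXPECTED_ADMINS set
and the BUSINESS_HOURS window are all constructed for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Guest Operations API calls named in the ATT&CK detection guidance.
GUEST_OPS = frozenset({
    "StartProgramInGuest",
    "ListProcessesInGuest",
    "ListFileInGuest",
    "InitiateFileTransferFromGuest",
})

# Assumed: accounts that legitimately drive Guest Operations in this environment.
EXPECTED_ADMINS = frozenset({"vsphere-admin"})

# Assumed: UTC hours during which Guest Operations are routine; events outside
# this window get an extra "out_of_hours" reason when they are already flagged.
BUSINESS_HOURS = range(7, 19)

# Constructed, simplified event lines (not a real vCenter/ESXi log format).
# Includes one non-Guest-Operations event and one malformed line to show
# that the parser drops both.
SAMPLE_LOG = """\
2025-04-16T09:12:01Z host=esxi01.lab.example vm=web-01 user=vsphere-admin op=ListProcessesInGuest
2025-04-16T09:12:05Z host=esxi01.lab.example vm=web-01 user=vsphere-admin op=StartProgramInGuest
2025-04-16T09:14:30Z host=esxi01.lab.example vm=web-02 user=vsphere-admin op=PowerOnVM_Task
2025-04-16T02:41:10Z host=esxi02.lab.example vm=finance-db user=svc-backup op=ListFileInGuest
2025-04-16T02:41:18Z host=esxi02.lab.example vm=finance-db user=svc-backup op=InitiateFileTransferFromGuest
this line is not an event at all
"""

EVENT_RE = re.compile(
    r"^(?P<time>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"host=(?P<host>\S+)\s+vm=(?P<vm>\S+)\s+user=(?P<user>\S+)\s+op=(?P<op>\S+)\s*$"
)


@dataclass(frozen=True)
class GuestOpEvent:
    time: datetime
    host: str
    vm: str
    user: str
    op: str


def parse_events(log_text):
    """Return only Guest Operations events; other ops and malformed lines are dropped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m or m["op"] not in GUEST_OPS:
            continue
        ts = datetime.strptime(m["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(GuestOpEvent(ts, m["host"], m["vm"], m["user"], m["op"]))
    return events


def flag_suspicious(events, expected_admins=EXPECTED_ADMINS, volume_threshold=10):
    """Mirror the analytic: flag when a host's Guest Operations volume exceeds
    volume_threshold, or when an account outside expected_admins uses Guest
    Operations more than once on that host. Out-of-hours is an added reason
    on already-flagged events, not a trigger on its own."""
    per_host = Counter(e.host for e in events)  # equivalent of eventstats by host
    flagged = []
    for e in events:
        reasons = []
        if per_host[e.host] > volume_threshold:
            reasons.append("high_volume")
        if e.user not in expected_admins and per_host[e.host] > 1:
            reasons.append("unexpected_user")
        if reasons and e.time.hour not in BUSINESS_HOURS:
            reasons.append("out_of_hours")
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for e, reasons in flag_suspicious(parse_events(SAMPLE_LOG)):
        print(f"{e.time:%Y-%m-%dT%H:%M:%SZ} {e.host} {e.vm} {e.user} {e.op} -> {', '.join(reasons)}")
```

On the sample data the two esxi01 events by vsphere-admin pass silently, while both esxi02 events by svc-backup are reported with the reasons unexpected_user and out_of_hours. In a real deployment the expected-admin set and the threshold need tuning per environment, and the per-host count should be computed over a bounded time window rather than the whole input, otherwise a long-lived log will eventually exceed any fixed threshold.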

References