Techniques
Sample rules
ESXi Malicious VIB Forced Install
- source: splunk
- techniques:
- T1505.006
Description
Detects potentially malicious installation of VMware Installation Bundles (VIBs) using the --force flag. The --force option bypasses signature and compatibility checks, allowing unsigned, community-supported, or incompatible VIBs to be installed on an ESXi host. This behavior is uncommon in normal administrative operations and is often observed in post-compromise scenarios where adversaries attempt to install backdoored or unauthorized kernel modules, drivers, or monitoring tools to establish persistence or gain deeper control of the hypervisor.
Detection logic
`esxi_syslog` Message="* image profile with validation disabled. *" OR Message="* image profile bypassing signing and acceptance level verification. *" OR Message="* vib without valid signature, *"
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| stats min(_time) as firstTime max(_time) as lastTime count by dest Message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_malicious_vib_forced_install_filter`
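The search above re-implemented in Python over constructed syslog lines, added here as an illustration (it is not part of the Splunk rule or its content library), so that the effect of the three Message wildcard filters, the dest rex and the stats aggregation can be seen on concrete events. The line layout, host names and the esxupdate process name are assumptions; the filter macro is not modelled.

```python
import re
from datetime import datetime

# The three Message wildcard filters from the search; in Splunk "*" matches any run of characters.
MESSAGE_PATTERNS = [
    "* image profile with validation disabled. *",
    "* image profile bypassing signing and acceptance level verification. *",
    "* vib without valid signature, *",
]
# Identical to the search's rex: dest is the token following the timestamp's trailing "Z".
DEST_RE = re.compile(r"Z (?P<dest>[\w\.]+)\s")
# Layout of the constructed sample lines (an assumption): "<utc-timestamp>Z <host> <process>: <Message>"
LINE_RE = re.compile(r"^(?P<ts>\S+Z) \S+ \S+: (?P<msg>.*)$")

def wildcard_to_regex(pattern):
    """Turn a Splunk wildcard string into a case-insensitive regex that must match the whole Message."""
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")), re.I | re.S)

MESSAGE_RES = [wildcard_to_regex(p) for p in MESSAGE_PATTERNS]

def detect_forced_vib_installs(raw_lines):
    """Mirror the search: keep matching Messages, extract dest, then stats by (dest, Message).
    The *_filter macro (a site-specific allowlist) is not modelled here."""
    stats = {}
    for raw in raw_lines:
        line = LINE_RE.match(raw)
        if not line or not any(r.fullmatch(line.group("msg")) for r in MESSAGE_RES):
            continue
        dest_match = DEST_RE.search(raw)
        if not dest_match:  # rex produced no dest, so the event never reaches the stats table
            continue
        ts = datetime.strptime(line.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        key = (dest_match.group("dest"), line.group("msg"))
        row = stats.setdefault(key, {"firstTime": ts, "lastTime": ts, "count": 0})
        row["firstTime"] = min(row["firstTime"], ts)   # min(_time)
        row["lastTime"] = max(row["lastTime"], ts)     # max(_time)
        row["count"] += 1
    return stats

# Constructed sample events, not real ESXi output; "esxupdate" as the logging process is assumed.
SAMPLE_SYSLOG = [
    "2024-05-01T10:15:02Z esxi01.lab.example esxupdate: Installing image profile with validation disabled. Acceptance level not checked",
    "2024-05-01T10:15:09Z esxi01.lab.example esxupdate: Installing vib without valid signature, forced install requested",
    "2024-05-01T10:20:30Z esxi01.lab.example esxupdate: Installing image profile with validation disabled. Acceptance level not checked",
    "2024-05-01T11:02:44Z esxi02.lab.example esxupdate: Applying image profile bypassing signing and acceptance level verification. Reboot required",
    "2024-05-01T11:05:00Z esxi02.lab.example esxupdate: Installing image profile from depot, signature verified",
    # Hyphenated host: [\w\.]+ has no "-", so dest is never extracted and this event is silently dropped.
    "2024-05-01T11:30:12Z esxi-03.lab.example esxupdate: Installing vib without valid signature, forced install requested",
]
```

The last sample line shows a gap worth checking in your own data: the rex character class `[\w\.]+` contains no hyphen, so a host such as esxi-03 never gets a dest and drops out of the stats table. If your ESXi hostnames contain hyphens, widen the class (for example to `[\w\.-]+`) before relying on this search.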