Command and Scripting Interpreter: Hypervisor CLI (T1059.012)
Tactic: Execution · Platforms: ESXi
The interactive view maps 1 detection strategy, 1 threat group, 3 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of Command and Scripting Interpreter (T1059).
Overview
Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of functionality for managing both the hypervisor itself and the guest virtual machines it hosts.
For example, on ESXi systems, tools such as `esxcli` and `vim-cmd` allow administrators to configure firewall rules and log forwarding on the hypervisor, list virtual machines, start and stop virtual machines, and more. Adversaries may be able to leverage these tools in order to support further actions, such as File and Directory Discovery or Data Encrypted for Impact.