Esxcli Allow Unverified Binaries Execution

Rule Info

Name
Esxcli Allow Unverified Binaries Execution
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects modification of the execInstalledOnly setting on ESXi hosts to allow execution of non-VIB (unverified) binaries. This technique is often used by attackers to run custom tools or other implants directly on ESXi hypervisors without the need for VIB signing, which can facilitate further compromise or persistence on the host.
Reference
https://github.com/nikaiw/VMkatz
Date
2026-03-25 00:00:00
Modified
None
Id
5dc7f2bc-cb09-4d24-be12-86c6eec7a1a4
Tags
attack.defense-evasion attack.t1562.001 attack.execution attack.t1675
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022