ESXi VIB Force Installation

Rule Info

Name
ESXi VIB Force Installation
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects attempts to install VIBs (vSphere Installation Bundles) with the force option or the no-sig-check option, which could indicate the installation of malicious VIBs. VIBs are collections of files used for software distribution and virtual system management in VMware environments. The --force flag can be used to override the minimum acceptance level requirement for VIB installations, allowing even unsigned or low-level VIBs to be installed. Threat actors can therefore abuse this flag to install VIBs crafted to contain malicious code, such as backdoors or ransomware components.
Date
2025-05-19 00:00:00
Modified
None
Id
88b88cb9-1cb6-4926-88d9-e7a47f60b912
Tags
attack.execution attack.t1675 attack.persistence attack.t1505.006
Type
Nextron Sigma feed only (private)

Rule History