.. /vim-cmd
Star

Enable Service
Disable Startup
System Information
Inhibit Recovery
Power off VM

A command-line utility in VMware ESXi that provides an interface to interact with the VMware Infrastructure (VI) API, allowing users to manage and automate tasks on ESXi host and its virtual machines (VMs)


Paths:

Resources:
Acknowledgements:

Enable Service

  1. Enables SSH services on the ESXi host

    vim-cmd hostsvc/enable_ssh
    Use case
    SSH service enables adversaries to laterally move to ESXi hosts and use as an alternative command execution interface.
    Privileges required
    Administrator
    Operating systems
    ESXi
    ATT&CK® technique
    T1021.004

Disable Startup

  1. Disable autostart of Virtual Machines

    vim-cmd hostsvc/autostartmanager/enable_autostart false
    Use case
    Disabling autostart of Virtual Machines prevents them from starting post reboot of a ESXi host.
    Privileges required
    Administrator
    Operating systems
    ESXi
    Additional Procedural Examples
    • vim-cmd hostsvc/autostartmanager/enable_autostart 0
    ATT&CK® technique
    T1529

System Information

  1. Displays summary of system information about the ESXi host

    vim-cmd hostsvc/hostsummary | grep cpuModel
    Use case
    Shows the exact cpuModel from the hostsummary output
    Privileges required
    Administrator
    Operating systems
    ESXi
    ATT&CK® technique
    T1082

  2. Displays the list of VMs available on an ESXi host.

    vim-cmd vmsvc/getallvms
    Use case
    Shows running VMs on an ESXi Host. Adversaries were seen use this techinique to programatically enumerate VMs and powers them down using the Vmid.
    Privileges required
    Administrator
    Operating systems
    ESXi
    Additional Procedural Examples
    • /bin/sh -c “for vmid in $(vim-cmd vmsvc/getallvms | grep -v Vmid | awk '{print $1}'); do vim-cmd vmsvc/power.off $vmid; done"
    ATT&CK® technique
    T1082

Inhibit Recovery

  1. Remove VM Snapshots

    vim-cmd vmsvc/snapshot.removeall
    Use case
    Deletes all snapshots of all Virtual Machines. This activity is usually observed near ransomware deployment and is often executed programatically.
    Privileges required
    Administrator
    Operating systems
    ESXi
    Additional Procedural Examples
    • for i in `vim-cmd vmsvc/getallvms| awk '{print$1}'`;do vim-cmd vmsvc/snapshot.removeall $i & done
    • vim-cmd vmsvc/snapshot.removeall %llu > /dev/null 2>&1
    ATT&CK® technique
    T1082

Power off VM

  1. Power off VM

    vim-cmd vmsvc/power.off
    Use case
    Powers off Virtual Machines. This activity is usually observed near ransomware deployment and is often executed programatically.
    Privileges required
    Administrator
    Operating systems
    ESXi
    Additional Procedural Examples
    • vim-cmd vmsvc/getallvms | grep -o -E \'^[0-9]+\' | xargs -r -n 1 vim-cmd vmsvc/power.off
    • /bin/sh -c “for vmid in $(vim-cmd vmsvc/getallvms | grep -v Vmid | awk '{print $1}'); do vim-cmd vmsvc/power.off $vmid; done"
    ATT&CK® technique
    T1529

    Tags
    E-Crime: Lockbit
    A RaaS who utilises initial access brokers to gain access to victims. Reported to targets critical infrastructure sectors, financial services, transportation, food and agriculture, education, energy, government and emergency services
    E-Crime: Ransomhub
    This function was tagged with "E-Crime: Ransomhub".
    E-Crime: Blackcat
    BlackCat (aka ALPHV,Noberus) ransomware is written in rust. Reported to have been created by a group of Russian-speaking cybercriminals
    E-Crime: Qilin
    Aka Agenda and is written in Golang. Uses double extortion technique and target large enterprises and high-value targets
    E-Crime: Play
    A group that uses double-extortion with capabilities to target ESXi hosts.Based on reporting this group has targeted mostly US entities in the past