AN1475: Analytic 1475
Malicious VIB installation for persistence via `esxcli software vib install` using `--force` or `--no-sig-check`, enabling custom startup scripts or firewall rules. Behavior chain: (1) unsigned/suspicious VIB installation → (2) startup script or binary placed in persistent boot path → (3) persistence across reboot via `/etc/rc.local.d` or other boot hook.
Analyst context for executives and security teams
This analytic concerns suspicious ESXi persistence through installation of a VMware Installation Bundle (VIB), especially where installation uses force or signature-check bypass options and results in startup scripts, binaries, or boot hooks that survive reboot. For security leaders, the practical issue is not just malware on a host; it is persistence at the virtualization layer, where a compromised ESXi system can affect availability, recovery confidence, and trust in hosted workloads.
Executive priority
Prioritize this as a resilience and control-assurance concern for environments running ESXi. Leaders should ask whether ESXi administrative activity is logged, whether unsigned or suspicious VIB installation is governed, whether reboot-persistent changes are reviewed, and whether incident response plans include hypervisor-level persistence checks. This is also relevant to audit evidence around change control, privileged administration, and platform integrity.
Technical view
SOC, detection engineering, and IR teams should validate visibility into ESXi software installation events involving `esxcli software vib install`, especially use of `--force` or `--no-sig-check`. Because the ATT&CK object provides no formal detection logic, teams should build local validation around the described behavior chain: suspicious or unsigned VIB installation, creation or modification of persistent boot-path content, and persistence through `/etc/rc.local.d` or other ESXi boot hooks. Treat this as ESXi-specific; no other platforms are supplied.
Likely telemetry
- ESXi administrative command execution or shell activity showing `esxcli software vib install`
- VIB installation records or host software change logs
- Evidence of signature bypass or forced installation flags such as `--force` or `--no-sig-check`
- File integrity or configuration evidence for persistent boot paths, including `/etc/rc.local.d` where available
- Startup script, binary, or firewall rule changes associated with host boot behavior
Detection direction
- Baseline legitimate ESXi VIB installation activity and alert on forced or signature-check-bypassed installs where not explicitly approved.
- Correlate VIB installation events with subsequent creation or modification of startup scripts, binaries, firewall rules, or boot-hook locations.
- Tune for authorized maintenance windows and approved vendor or administrator activity to reduce false positives.
- Validate whether ESXi logs and configuration/file integrity data are retained long enough to support investigation across reboots.
- Because no official detection is provided, test detection content against controlled administrative changes before relying on it operationally.
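As an added illustration of the telemetry and detection-direction points above (this is not code from the ATT&CK object or from Glexia), the following Python sketch correlates a bypass-flagged `esxcli software vib install` with later changes under a persistent boot path. The record format, the file-integrity source name, the watched paths and the one-hour window are assumptions chosen for the example, not a real ESXi log layout.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry, NOT real ESXi log output. One record per line:
# "<ISO timestamp> <source> <detail>", where source "shell" carries
# "<user> <command>" and source "fim" carries a file-integrity event.
SAMPLE_EVENTS = """\
2024-05-01T10:00:02 shell root esxcli software vib list
2024-05-01T10:03:10 shell root esxcli software vib install -d /vmfs/volumes/ds1/vendor.vib
2024-05-01T22:14:01 shell root esxcli software vib install -v /tmp/tool.vib --force --no-sig-check
2024-05-01T22:14:40 fim modified /etc/rc.local.d/local.sh
2024-05-02T03:00:00 fim modified /etc/vmware/firewall/custom.xml
"""

VIB_INSTALL = re.compile(r"esxcli\s+software\s+vib\s+install\b(?P<args>.*)")
BYPASS_FLAGS = ("--force", "--no-sig-check")          # flags named in the analytic
BOOT_PATHS = ("/etc/rc.local.d/", "/etc/vmware/firewall/")  # assumed watch list
WINDOW = timedelta(hours=1)                            # assumed correlation window

def parse(text):
    """Split constructed records into (timestamp, source, detail) tuples."""
    events = []
    for line in text.splitlines():
        ts, source, detail = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), source, detail))
    return events

def suspicious_installs(events):
    """Return (ts, user, command, flags) for installs using a bypass flag."""
    hits = []
    for ts, source, detail in events:
        if source != "shell":
            continue
        user, cmd = detail.split(" ", 1)
        m = VIB_INSTALL.search(cmd)
        if not m:
            continue
        flags = [f for f in BYPASS_FLAGS if f in m.group("args").split()]
        if flags:
            hits.append((ts, user, cmd, flags))
    return hits

def correlate(events):
    """Pair each bypass-flagged install with boot-path changes inside WINDOW."""
    alerts = []
    for ts, user, cmd, flags in suspicious_installs(events):
        followups = [d for t, s, d in events
                     if s == "fim" and ts <= t <= ts + WINDOW
                     and any(p in d for p in BOOT_PATHS)]
        alerts.append({"time": ts.isoformat(), "user": user, "command": cmd,
                       "flags": flags, "boot_path_changes": followups})
    return alerts
```

On the sample, only the forced, unsigned install is raised, and it is paired with the `/etc/rc.local.d` change that follows it; the firewall change hours later falls outside the window and would need a separate baseline rule.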
Mitigation priorities
- Restrict ESXi administrative access and require strong change control for VIB installation and host-level software changes.
- Prefer signed and approved VIBs; investigate any operational need for forced installation or signature-check bypass.
- Monitor and periodically review persistent boot paths and startup mechanisms on ESXi hosts.
- Include hypervisor persistence checks in incident response and recovery procedures before returning workloads to trusted operation.
- Maintain compliance evidence showing who approved ESXi software changes, when they occurred, and whether integrity controls were followed.
Analyst notes and limits
The supplied ATT&CK object is a detection analytic for ESXi behavior, not a full technique description. It describes a persistence-oriented behavior chain but provides no tactics, relationships, aliases, or official detection logic. The strongest defensive use is to turn the described chain into environment-specific validation: privileged ESXi commands, VIB install metadata, and persistent boot-path changes.
No relationship context, official detection text, attribution, prevalence, or active exploitation claim was supplied. Local ESXi logging configuration, administrative practices, and change-management data are required to determine practical coverage and alert fidelity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 9bca88f5a0e6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.