T1059.012: Hypervisor CLI

The MITRE Corporation · Published 26/03/2025 21:01 · Modified 27/03/2026 01:12

Essential information

MITRE technique ID: T1059.012
Confidence: 100/100
Revoked: No
Published: 26/03/2025 21:01
Modified: 27/03/2026 01:12
Author / Source: The MITRE Corporation

Platforms

ESXi

Description

Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of functionality for managing both the hypervisor itself and the guest virtual machines it hosts. For example, on ESXi systems, tools such as `esxcli` and `vim-cmd` allow administrators to configure firewall rules and log forwarding on the hypervisor, list virtual machines, start and stop virtual machines, and more.(Citation: Broadcom ESXCLI Reference)(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: LOLESXi) Adversaries may be able to leverage these tools in order to support further actions, such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).

Kill chain phases

Kill chain: mitre-attack
Phase: execution

Marking (TLP)

Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.

External references