Bypass Record

Disable or Modify Tools × VMware vCenter Server

A publicly-reported instance of Disable or Modify Tools bypassing VMware vCenter Server, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
VMware vCenter Server
Technique
Disable or Modify Tools
MITRE ATT&CK
T1562.001
Confidence
High
Severity
Critical
Status
in the wild
Disclosed
2024-05-22
Config / version noted
Not stated

Provenance

Reported as

bypassing vCenter detection

Mechanism

An adversary with compromised vCenter admin access uses the VPXUSER service account to create and manage VMs directly on ESXi hypervisors over SSH, bypassing the vCenter inventory. The rogue VMs host backdoors and web shells, maintaining persistence and evading centralized detection.

Detection & mitigation

Monitor ESXi host logs for unexpected 'SSH login enabled' messages and unusual SSH session openings, especially as VPXUSER. Deploy the detection scripts published by MITRE and CrowdStrike to identify rogue VMs. Enforce Secure Boot and restrict SSH access to hypervisors.
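As an added example (not part of this record or its cited source), a small Python scanner over constructed ESXi-style log lines that flags the two indicators named above: an 'SSH login enabled' message and SSH session openings for the vpxuser account. The line layout is an assumption for illustration, not verbatim ESXi syslog output.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample lines, loosely modelled on ESXi hostd/sshd syslog output.
# The exact field layout is an assumption for this example, not verbatim ESXi format.
SAMPLE_LOG = """\
2024-05-22T09:58:01Z esx01 Hostd: [Originator@6876 sub=Hostsvc] SSH login enabled
2024-05-22T09:58:20Z esx01 sshd[2201]: Accepted publickey for vpxuser from 10.10.5.7 port 51022 ssh2
2024-05-22T09:59:02Z esx01 sshd[2205]: Accepted password for root from 10.10.1.20 port 51100 ssh2
2024-05-22T10:03:44Z esx01 Hostd: [Originator@6876 sub=Vmsvc] Task created: vim.VirtualMachine.powerOn
"""

SSH_ENABLED = re.compile(r"SSH login enabled")
SSH_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
# Interactive SSH as the vpxuser service account is the high-signal case the source calls out.
WATCHED_USERS = {"vpxuser"}


def classify(line: str) -> Optional[dict]:
    """Return a finding for one log line, or None when nothing matches."""
    if SSH_ENABLED.search(line):
        return {"kind": "ssh_enabled", "high_signal": True, "line": line}
    m = SSH_ACCEPTED.search(line)
    if m:
        user = m.group("user")
        return {
            "kind": "ssh_session",
            "user": user,
            "src": m.group("src"),
            "high_signal": user.lower() in WATCHED_USERS,
            "line": line,
        }
    return None


def scan(lines: Iterable[str]) -> List[dict]:
    """Run classify() over every line and keep only the matches, in log order."""
    return [f for f in (classify(l) for l in lines) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        tag = "HIGH" if f["high_signal"] else "info"
        print(f"[{tag}] {f['kind']}: {f['line']}")
```

Root logins over SSH are reported at lower priority only so the example shows both paths; in a real deployment any SSH session to a host that should not have SSH enabled is worth review.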

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.