Tactics, Techniques, and Procedures (TTPs)
Common attack methods used by threat actors targeting VMware products and infrastructure
MITRE ATT&CK Framework
The information on this page is based on the MITRE ATT&CK framework, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
Tactics, Techniques, and Procedures (TTPs) describe the behavior of threat actors. Tactics represent the adversary's technical goals, techniques describe how those goals are achieved, and procedures are the specific implementations of techniques. Understanding TTPs helps defenders develop more effective security controls and detection mechanisms.
This page focuses on TTPs specifically relevant to VMware environments. Threat actors often adapt common techniques to target virtualization infrastructure, exploiting vulnerabilities in management interfaces, hypervisors, and virtual appliances to gain access to critical systems and data.
Exploit Public-Facing Application (T1190)
Adversaries may attempt to exploit vulnerabilities in public-facing VMware applications to gain initial access to target environments. Common targets include the vCenter Server management interface, ESXi host services, Workspace ONE Access, and Horizon. None of these should be reachable from the internet; many of the incidents below began with a management interface that was.
VMware-Specific Examples
- Exploitation of CVE-2022-22954 in VMware Workspace ONE Access by APT29
- Exploitation of CVE-2021-21974 in VMware ESXi by ESXiArgs ransomware operators
- Exploitation of CVE-2021-22005 in VMware vCenter Server by Lazarus Group
- Exploitation of CVE-2021-22040, a use-after-free in the VMware ESXi XHCI USB controller, as a guest-to-host (VM escape) primitive
Valid Accounts (T1078)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. In VMware environments, this includes local accounts on ESXi hosts (root and any attacker-created users), vCenter Server administrator accounts such as administrator@vsphere.local, and service accounts used for automation, which are often over-privileged and rarely rotated.
VMware-Specific Examples
- UNC3886 creating and using administrator accounts on ESXi hosts
- APT29 using stolen credentials to access vCenter Server instances
- Threat actors using default or unchanged credentials on newly deployed VMware appliances
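The following Python script is an added example, not code from the original page or from VMware. It parses sshd entries from an ESXi host's /var/log/auth.log and flags successful logins by accounts outside a baseline (a possible attacker-created administrator account, as in the UNC3886 reporting above) or from outside the management subnet. The log lines are constructed to mimic the ESXi sshd format; BASELINE_ACCOUNTS and MGMT_SUBNET are assumptions for this illustration and should be replaced with the output of `esxcli system account list` and your own network plan.

```python
"""Flag suspicious interactive SSH logins in ESXi /var/log/auth.log.

Added example (not from the page). Sample log lines are constructed; the
baseline account set and management subnet are assumptions.
"""
import ipaddress
import re

# Assumed baseline: accounts present on a freshly installed ESXi host.
BASELINE_ACCOUNTS = {"root", "dcui", "vpxuser"}
# Assumed: only the management VLAN may open SSH sessions to hosts.
MGMT_SUBNET = ipaddress.ip_network("10.10.5.0/24")

# Shape of a successful sshd login line in ESXi auth.log (see sample below).
ACCEPTED = re.compile(
    r"^(?P<ts>\S+)\s+sshd\[\d+\]:\s+Accepted\s+(?P<method>\S+)\s+for\s+"
    r"(?P<user>\S+)\s+from\s+(?P<ip>[0-9a-fA-F.:]+)\s+port\s+\d+"
)


def parse_logins(lines):
    """Yield (timestamp, user, auth method, source ip) per successful login."""
    for line in lines:
        m = ACCEPTED.search(line)
        if m:
            yield m["ts"], m["user"], m["method"], m["ip"]


def flag_logins(lines, baseline=BASELINE_ACCOUNTS, mgmt=MGMT_SUBNET):
    """Return findings for logins by non-baseline accounts (possible
    attacker-created admins) or from outside the management subnet."""
    findings = []
    for ts, user, method, ip in parse_logins(lines):
        reasons = []
        if user not in baseline:
            reasons.append("account not in baseline")
        try:
            if ipaddress.ip_address(ip) not in mgmt:
                reasons.append("source outside management subnet")
        except ValueError:
            reasons.append("unparseable source address")
        if reasons:
            findings.append({"ts": ts, "user": user, "ip": ip,
                             "method": method, "reasons": reasons})
    return findings


# Constructed sample lines (not real data). Failed attempts are ignored here;
# they belong in a separate brute-force rule.
SAMPLE_LOG = """\
2023-02-01T10:15:02Z sshd[2100123]: Accepted keyboard-interactive/pam for root from 10.10.5.21 port 51234 ssh2
2023-02-01T10:16:40Z sshd[2100140]: Accepted keyboard-interactive/pam for svc_backup from 10.10.5.40 port 51240 ssh2
2023-02-01T10:17:05Z sshd[2100151]: Accepted keyboard-interactive/pam for root from 172.16.9.77 port 40110 ssh2
2023-02-01T10:17:09Z sshd[2100152]: Failed keyboard-interactive/pam for invalid user admin from 172.16.9.77 port 40112 ssh2
""".splitlines()

if __name__ == "__main__":
    for f in flag_logins(SAMPLE_LOG):
        print(f["ts"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

Run it against logs forwarded to a central syslog target rather than on the host: an adversary with root on ESXi can edit the local auth.log, and lockdown mode plus disabled SSH removes most of the interactive paths this rule watches.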
Server Software Component (T1505)
Adversaries may abuse legitimate server software components to establish persistence. In VMware environments, this includes backdooring ESXi host components, vCenter Server plugins, and web server modules. On ESXi, a malicious vSphere Installation Bundle (VIB) survives reboots and is invisible to guest-level security tooling; installing one below the host's acceptance level requires `esxcli software vib install --force`, which is itself a detection opportunity.
VMware-Specific Examples
- UNC3886 deploying backdoored libraries on ESXi hosts
- Threat actors modifying VMware vCenter Server plugins
- Attackers installing malicious vSphere Installation Bundles (VIBs)
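As an added example (not code from the page or from VMware), the script below parses the table printed by `esxcli software vib list` and flags VIBs whose acceptance level is below the host minimum, whose vendor is unexpected, or whose install date falls after the last sanctioned change window. The sample table, the vendor allow-list, the host minimum (normally read from `esxcli software acceptance get`) and the VIB name `vmw-tools-helper` are all constructed for the illustration.

```python
"""Triage `esxcli software vib list` output for suspicious VIBs.

Added example (not from the page). The sample table is constructed to match
the command's column layout; KNOWN_VENDORS and HOST_MIN_LEVEL are assumptions.
"""
import re

# VMware acceptance levels, strongest signing requirement first.
ACCEPTANCE_RANK = {
    "VMwareCertified": 3,
    "VMwareAccepted": 2,
    "PartnerSupported": 1,
    "CommunitySupported": 0,
}
# Assumed: host minimum as shown by `esxcli software acceptance get`.
HOST_MIN_LEVEL = "PartnerSupported"
# Assumed: vendor tags expected on these hosts.
KNOWN_VENDORS = {"VMware", "VMW", "INT"}


def parse_vib_table(text):
    """Parse the aligned table esxcli prints: a header line, a dashed line,
    then rows whose columns are separated by two or more spaces."""
    rows = []
    for line in text.splitlines()[2:]:
        if not line.strip():
            continue
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 5:
            continue
        name, version, vendor, level, install_date = cols[:5]
        rows.append({"name": name, "version": version, "vendor": vendor,
                     "level": level, "date": install_date})
    return rows


def flag_vibs(rows, min_level=HOST_MIN_LEVEL, known_vendors=KNOWN_VENDORS,
              baseline_date=None):
    """Return (name, reasons) for VIBs worth examining: acceptance level below
    the host minimum (only installable with --force), an unexpected vendor, or
    an install date after the last sanctioned change (ISO dates compare as text)."""
    findings = []
    for r in rows:
        reasons = []
        if ACCEPTANCE_RANK.get(r["level"], -1) < ACCEPTANCE_RANK[min_level]:
            reasons.append(f"acceptance level {r['level']} below host minimum {min_level}")
        if r["vendor"] not in known_vendors:
            reasons.append(f"unknown vendor {r['vendor']}")
        if baseline_date and r["date"] > baseline_date:
            reasons.append(f"installed after baseline {baseline_date}")
        if reasons:
            findings.append((r["name"], reasons))
    return findings


# Constructed sample output (not from a real host).
SAMPLE = """\
Name              Version                        Vendor     Acceptance Level    Install Date
----------------  -----------------------------  ---------  ------------------  ------------
esx-base  7.0.3-0.65.20842708  VMware  VMwareCertified  2023-01-15
vmw-ahci  2.0.11-1vmw.703.0.20.19193900  VMW  VMwareCertified  2023-01-15
net-ixgbe  4.5.3-1OEM.700.1.0.15843807  INT  VMwareCertified  2023-01-15
vmw-tools-helper  1.0-2  VMW  PartnerSupported  2023-02-03
vmsyslog  1.0-1  Community  CommunitySupported  2023-02-03
"""

if __name__ == "__main__":
    for name, reasons in flag_vibs(parse_vib_table(SAMPLE), baseline_date="2023-01-20"):
        print(name, "->", "; ".join(reasons))
```

The acceptance level in this listing is what the VIB's own descriptor declares, not proof that a signature verified, so treat any VIB installed outside a change window as unverified until you check it directly (recent ESXi releases offer `esxcli software vib signature verify` for this) and compare the list across hosts in the cluster for outliers.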
Data Encrypted for Impact (T1486)
Adversaries may encrypt data on target systems to interrupt availability to system and network resources. In VMware environments, ransomware attacks often target ESXi hosts directly: encrypting the datastore files of every virtual machine on a host is far faster than encrypting each guest, and it affects all of them at once. Encryptors commonly enable SSH or the ESXi Shell, stop running VMs so their files can be opened, and then encrypt the datastore.
VMware-Specific Examples
- ESXiArgs ransomware encrypting .vmdk, .vmx, .vmxf, .vmsd, .nvram, and .vmem files on ESXi hosts, appending a .args extension to each
- Ransomware targeting vCenter Server backup files
- Attackers encrypting VM snapshots to prevent recovery
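The following Python triage script is an added example, not code from the page or from any vendor or CISA tooling. Public reporting on the February 2023 ESXiArgs campaign noted that the encryptor renamed the small configuration and descriptor files with a .args suffix while the large -flat.vmdk data files were largely left intact, which is what made descriptor rebuilding possible; the script applies that assumption to a datastore file listing and reports, per VM directory, which files were hit and whether every encrypted descriptor still has an unencrypted flat file behind it. The paths are constructed; run it only on a listing taken from an imaged or read-only copy of the datastore.

```python
"""Triage a datastore file listing for ESXiArgs-style encryption artifacts.

Added example (not from the page). The indicator set follows public
reporting on the February 2023 campaign and is an assumption here; snapshot
chains (-delta.vmdk) are not modelled.
"""
import os
from collections import defaultdict

# File types reported encrypted by ESXiArgs; each was renamed with this suffix.
TARGET_EXTS = (".vmdk", ".vmx", ".vmxf", ".vmsd", ".nvram", ".vmem")
ENCRYPTED_SUFFIX = ".args"
FLAT = "-flat.vmdk"


def walk_datastore(root):
    """Yield every file path under a datastore mount (e.g. /vmfs/volumes/ds1)."""
    for dirpath, _, files in os.walk(root):
        for f in files:
            yield os.path.join(dirpath, f)


def triage(paths):
    """Group encrypted files by VM directory and decide whether the VM's
    descriptor files could be rebuilt from intact -flat.vmdk data files."""
    per_vm = defaultdict(lambda: {"encrypted": [], "flat_ok": set(), "flat_enc": set()})
    for p in paths:
        vm_dir, fname = os.path.split(p)
        if fname.endswith(ENCRYPTED_SUFFIX):
            original = fname[: -len(ENCRYPTED_SUFFIX)]
            if not original.endswith(TARGET_EXTS):
                continue
            per_vm[vm_dir]["encrypted"].append(original)
            if original.endswith(FLAT):          # data file itself was encrypted
                per_vm[vm_dir]["flat_enc"].add(original[: -len(FLAT)])
        elif fname.endswith(FLAT):
            per_vm[vm_dir]["flat_ok"].add(fname[: -len(FLAT)])

    report = {}
    for vm_dir, info in per_vm.items():
        if not info["encrypted"]:
            continue
        descriptors = [f[: -len(".vmdk")] for f in info["encrypted"]
                       if f.endswith(".vmdk") and not f.endswith(FLAT)]
        missing = sorted(d for d in descriptors
                         if d not in info["flat_ok"] or d in info["flat_enc"])
        report[vm_dir] = {
            "encrypted_files": sorted(info["encrypted"]),
            "descriptor_rebuild_possible": not missing,
            "descriptors_without_flat": missing,
        }
    return report


# Constructed sample listing (not from a real incident).
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/web01/web01.vmx.args",
    "/vmfs/volumes/ds1/web01/web01.vmdk.args",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk",
    "/vmfs/volumes/ds1/web01/web01.nvram.args",
    "/vmfs/volumes/ds1/web01/vmware.log",
    "/vmfs/volumes/ds1/db01/db01.vmx.args",
    "/vmfs/volumes/ds1/db01/db01.vmdk.args",
    "/vmfs/volumes/ds1/db01/db01-flat.vmdk.args",
    "/vmfs/volumes/ds1/app02/app02.vmx",
    "/vmfs/volumes/ds1/app02/app02.vmdk",
    "/vmfs/volumes/ds1/app02/app02-flat.vmdk",
]

if __name__ == "__main__":
    for vm_dir, r in triage(SAMPLE_PATHS).items():
        state = "rebuild candidate" if r["descriptor_rebuild_possible"] else "data file encrypted"
        print(vm_dir, state, r["encrypted_files"])
```

A "rebuild candidate" only means the data file is present and not renamed; later variants of the same campaign encrypted more of the flat file, so confirm the file is readable (for example, that a guest filesystem can be carved from it) before promising recovery. Offline, immutable backups of the VMs remain the control that actually removes the leverage.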
Command and Scripting Interpreter (T1059)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. In VMware environments, this includes the ESXi Shell (reachable over SSH or the DCUI), PowerCLI scripts run against vCenter, and web shells or template-injection payloads executed by the Java web stacks of vCenter Server, Workspace ONE Access, and other appliances.
VMware-Specific Examples
- APT29 using server-side template injection to execute commands on Workspace ONE Access
- UNC3886 using ESXi shell commands to deploy backdoors
- Attackers using PowerCLI scripts for lateral movement within vSphere environments
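As an added example (not code from the page, VMware, or any vendor detection content), the script below scans web access-log lines for server-side template injection attempts of the kind the Workspace ONE Access entry above describes: Freemarker `${...}` expressions, the `?new()` built-in used to instantiate classes, and references to `freemarker.template.utility`. Values are URL-decoded repeatedly so that double-encoded payloads are not missed. The log format is the common combined format and all three lines are constructed; the first mimics the publicly documented shape of a Freemarker injection with the harmless command `id`, and the paths are assumptions about where such requests would be logged.

```python
"""Detect server-side template injection (Freemarker) attempts in web access logs.

Added example (not from the page). Log lines are constructed in the common
combined format; the endpoint paths are assumptions.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Each pattern is applied to the fully decoded value of every query parameter.
SSTI_PATTERNS = [
    (re.compile(r"\$\{.*\}", re.S), "Freemarker/EL ${...} expression"),
    (re.compile(r"\?new\s*\(", re.I), "Freemarker ?new() built-in (class instantiation)"),
    (re.compile(r"freemarker\.template\.utility", re.I), "Freemarker utility class reference"),
    (re.compile(r"<#(assign|if|list|include|import)\b", re.I), "Freemarker directive"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)


def decode_until_stable(value, max_rounds=3):
    """Undo nested percent-encoding (bounded so a hostile value cannot loop)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target):
    """Return (parameter, reason) pairs for suspicious query values."""
    hits = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_until_stable(value)
        for pattern, why in SSTI_PATTERNS:
            if pattern.search(value):
                hits.append((key, why))
    return hits


def scan_log(lines):
    """Return one finding per request that carries an SSTI-shaped parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_request(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "path": urlsplit(m["target"]).path, "hits": hits})
    return findings


# Constructed sample lines (not real traffic). Line 1: single-encoded Freemarker
# payload; line 2: a benign device identifier; line 3: double-encoded ${7*7}.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Apr/2022:08:12:31 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22id%22%29%7D HTTP/1.1" 400 532 "-" "curl/7.79.1"
198.51.100.4 - - [20/Apr/2022:08:13:02 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=c2b1a7d0-3e4f-4c1b-9f0a-1d2e3f4a5b6c HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Apr/2022:08:14:10 +0000] "GET /SAAS/auth/login?state=%2524%257B7*7%257D HTTP/1.1" 200 1201 "-" "curl/7.79.1"
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], f["status"], f["hits"])
```

A hit with a 2xx or 3xx status deserves more attention than one with a 4xx, but a blocked probe still tells you who is scanning and which endpoints they target; pair this with process-level telemetry on the appliance, since a successful injection shows up as the web server's user spawning a shell.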
Defense in Depth
No single security control can protect against all TTPs. Implement a defense-in-depth strategy that includes multiple layers of security controls, regular patching, network segmentation, least privilege access, and continuous monitoring. For VMware environments specifically, that means keeping vCenter and ESXi management interfaces off the internet and on an isolated management network, enabling lockdown mode and leaving SSH and the ESXi Shell disabled except during change windows, keeping the host acceptance level at PartnerSupported or stricter so unsigned VIBs cannot be installed without `--force`, forwarding host and vCenter logs to a collector the hosts cannot modify, and maintaining offline, immutable backups of virtual machines.