Skip to content

Hide Navigation Hide TOC

Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script (236d8e89-ed95-4789-a982-36f4643738ba)

Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script that's located in a potentially suspicious location to run for a specific VM state

Cluster A Galaxy A Cluster B Galaxy B Level
Suspicious Persistence Via VMwareToolBoxCmd.EXE VM State Change Script (236d8e89-ed95-4789-a982-36f4643738ba) Sigma-Rules Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1