Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script (7aa4e81a-a65c-4e10-9f81-b200eb229d7d)

Detects execution of the "VMwareToolBoxCmd.exe" with the "script" and "set" flag to setup a specific script to run for a specific VM state

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Potential Persistence Via VMwareToolBoxCmd.EXE VM State Change Script (7aa4e81a-a65c-4e10-9f81-b200eb229d7d)	Sigma-Rules	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	1