{
	"id": "552e02cf-10cb-44b9-b135-4955cd575000",
	"created_at": "2026-04-06T00:09:54.110365Z",
	"updated_at": "2026-04-10T03:24:29.30183Z",
	"deleted_at": null,
	"sha1_hash": "f38feaf41f8eb65d0996f437f94b957a0c188dbf",
	"title": "Beware Of The Rogue VMs!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58482,
	"plain_text": "Beware Of The Rogue VMs!\r\nPublished: 2024-11-11 · Archived: 2026-04-05 21:52:34 UTC\r\nAt this year’s VMware Explore 2024 in Barcelona, I did a presentation called “CMTY1321BCN: Beware Of The Rogue VMs!”; a recording of the session is also available on the VMware Explore 2024 Community YouTube channel.\r\nHere is a quick text-based recap of it.\r\nWhat are Rogue VMs?\r\nFirst off, we need to define what a Rogue VM is. In short, a rogue VM is a VM that runs on an ESXi host, but you don’t really know that it’s running. It is not shown in the ESXi Host Client or in the vSphere Web Client.\r\nBack in January 2024 MITRE’s Networked Experimentation, Research, and Virtualization Environment (NERVE) was compromised through a series of vulnerabilities. They have written a detailed post-mortem of it that highlights all the details, but in short the attackers were able to inject their own VMs into the environment: VMs that don’t show up using the “normal” administration interfaces.\r\nHow are Rogue VMs created?\r\nThis is surprisingly easy to do. If someone has SSH and root access to an ESXi host, all that is required is to place a valid VM on an available datastore, edit the .vmx file to connect it to a valid network and run the following command:\r\n/bin/vmx -x /vmfs/volumes/volname/vmname/vmname.vmx 2\u003e/dev/null 0\u003e/dev/null \u0026\r\nThis command starts the VM without registering it in the inventory (which is why it doesn’t show up in the ESXi Host Client or the vCenter Web Client) and sends the output to /dev/null. This VM then runs as a normal VM, but hidden.\r\nThe vim-cmd vmsvc/getallvms (documentation) command will not show this VM, as that command queries the host inventory. esxcli vm process list (documentation), however, will show it, as it lists all the running VMs on the host, regardless of registration status.\r\nHow are Rogue VMs Made Persistent?\r\nWhen an ESXi host boots, /etc/rc.local.d/local.sh is run, so making these VMs persistent once they are placed on an ESXi host is as simple as adding the vmx command above to it. Once that is done, the Rogue VM will autostart when the host reboots, still undetectable in the usual admin interfaces.\r\nhttps://vninja.net/2024/11/11/beware-of-the-rogue-vms/\r\nIdentifying Rogue VMs\r\nThere are a couple of available resources that will help identify Rogue VMs in an environment.\r\nInvoke-HiddenVMQuery by MITRE (PowerCLI)\r\nVirtualGHOST by CrowdStrike (PowerCLI)\r\nRVTools: In the RVTools vHealth tab, VMs located on a datastore that are not registered with the inventory are identified as “Possibly a Zombie VM!”\r\nRogue VM Mitigation Strategies\r\n1. Always keep vCenter and ESXi hosts patched\r\n2. DO NOT enable SSH on your ESXi hosts (or vCenter)\r\n“Everything” can be done through vCenter/Host Client/APIs anyway; there are few real-world use cases when SSH needs to be enabled at all\r\nOpen SSH only when required, and close it after use\r\n3. Monitor ESXi logs for SSH enablement and logins, and look for these events:\r\n/var/log/shell.log\r\nSSH[ID]: SSH login enabled\r\nshell[ID]: Interactive shell session started\r\n/var/log/auth.log\r\nsshd[ID]: FIPS mode initialized\r\n4. Use Secure Boot\r\nSecure Boot prohibits /etc/rc.local.d/local.sh from running on boot, thus preventing persistence\r\nOf course, if someone has SSH and root access to your ESXi hosts, all bets are off anyway, as they can pretty much do whatever they want. Make sure this is limited to only being available when absolutely required, and please practice safe ESXi!\r\nSource: https://vninja.net/2024/11/11/beware-of-the-rogue-vms/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://vninja.net/2024/11/11/beware-of-the-rogue-vms/"
	],
	"report_names": [
		"beware-of-the-rogue-vms"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434194,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f38feaf41f8eb65d0996f437f94b957a0c188dbf.pdf",
		"text": "https://archive.orkl.eu/f38feaf41f8eb65d0996f437f94b957a0c188dbf.txt",
		"img": "https://archive.orkl.eu/f38feaf41f8eb65d0996f437f94b957a0c188dbf.jpg"
	}
}