Hypervisor CLI - T1059.012
(ATT&CK® Technique)
Definition
Adversaries may abuse hypervisor command line interpreters (CLIs) to execute malicious commands. Hypervisor CLIs typically enable a wide variety of functionality for managing both the hypervisor itself and the guest virtual machines it hosts.
D3FEND Inferred Relationships
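Browse the D3FEND knowledge graph by clicking on the nodes below. Each relationship is inferred through the Executable Script artifact that the technique and the countermeasure share, so the "may-" labels (may-detect, may-isolate, may-harden, and so on) mark candidate defenses to evaluate, not confirmed mitigations.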
%% D3FEND inferred-relationship graph for ATT&CK T1059.012 (Hypervisor CLI), laid out left to right.
%% Solid edges are direct relations: the technique executes the Executable Script artifact, and each
%% defensive technique acts on that same artifact (analyzes, blocks, quarantines, restores, etc.).
%% Dashed edges (may-detect, may-isolate, may-harden, may-evict, may-deceive, may-restore) connect a
%% defensive technique to the offensive technique only because both touch that shared artifact.
%% NOTE(review): every countermeasure listed here is file-centric. Presumably commands typed
%% interactively into a hypervisor shell leave no script file for these to act on - confirm coverage
%% with command and session logging on the hypervisor before relying on this list alone.
graph LR; T1059012["Hypervisor CLI"] --> |executes| ExecutableScript["Executable Script"]; class T1059012 OffensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableScript href "../../../dao/artifact/d3f:ExecutableScript"; click T1059012 href "../../../offensive-technique/attack/T1059.012/"; click ExecutableScript href "../../../dao/artifact/d3f:ExecutableScript";DecoyFile["Decoy File"] --> | spoofs | ExecutableScript["Executable Script"]; DecoyFile["Decoy File"] -.-> | may-deceive | T1059012["Hypervisor CLI"] ; class DecoyFile DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click DecoyFile href "../../../technique/d3f:DecoyFile"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1059012["Hypervisor CLI"] ; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click DynamicAnalysis href "../../../technique/d3f:DynamicAnalysis"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1059012["Hypervisor CLI"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click EmulatedFileAnalysis href "../../../technique/d3f:EmulatedFileAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableScript["Executable Script"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1059012["Hypervisor CLI"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileIntegrityMonitoring href "../../../technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] --> | deletes | ExecutableScript["Executable Script"]; FileEviction["File Eviction"] -.-> | may-evict | T1059012["Hypervisor CLI"] ; class FileEviction DefensiveTechniqueNode; class ExecutableScript ArtifactNode; 
click FileEviction href "../../../technique/d3f:FileEviction"; FileEncryption["File Encryption"] --> | encrypts | ExecutableScript["Executable Script"]; FileEncryption["File Encryption"] -.-> | may-harden | T1059012["Hypervisor CLI"] ; class FileEncryption DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileEncryption href "../../../technique/d3f:FileEncryption"; ContentModification["Content Modification"] --> | modifies | ExecutableScript["Executable Script"]; ContentModification["Content Modification"] -.-> | may-isolate | T1059012["Hypervisor CLI"] ; class ContentModification DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click ContentModification href "../../../technique/d3f:ContentModification"; ContentQuarantine["Content Quarantine"] --> | quarantines | ExecutableScript["Executable Script"]; ContentQuarantine["Content Quarantine"] -.-> | may-isolate | T1059012["Hypervisor CLI"] ; class ContentQuarantine DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click ContentQuarantine href "../../../technique/d3f:ContentQuarantine"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableScript["Executable Script"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1059012["Hypervisor CLI"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableAllowlisting href "../../../technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableScript["Executable Script"]; ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1059012["Hypervisor CLI"] ; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click ExecutableDenylisting href "../../../technique/d3f:ExecutableDenylisting"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableScript["Executable Script"]; LocalFilePermissions["Local File Permissions"] -.-> | 
may-isolate | T1059012["Hypervisor CLI"] ; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click LocalFilePermissions href "../../../technique/d3f:LocalFilePermissions"; RestoreFile["Restore File"] --> | restores | ExecutableScript["Executable Script"]; RestoreFile["Restore File"] -.-> | may-restore | T1059012["Hypervisor CLI"] ; class RestoreFile DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click RestoreFile href "../../../technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableScript["Executable Script"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1059012["Hypervisor CLI"] ; class FileAnalysis DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click FileAnalysis href "../../../technique/d3f:FileAnalysis"; ContentFiltering["Content Filtering"] --> | filters | ExecutableScript["Executable Script"]; ContentFiltering["Content Filtering"] -.-> | may-isolate | T1059012["Hypervisor CLI"] ; class ContentFiltering DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click ContentFiltering href "../../../technique/d3f:ContentFiltering"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | ExecutableScript["Executable Script"]; RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1059012["Hypervisor CLI"] ; class RemoteFileAccessMediation DefensiveTechniqueNode; class ExecutableScript ArtifactNode; click RemoteFileAccessMediation href "../../../technique/d3f:RemoteFileAccessMediation";