| ID | Name |
|---|---|
| ATAGS-T1074.001 | IIS Components |
| ATAGS-T1074.002 | SQL Stored Procedures |
| ATAGS-T1074.003 | Terminal Services DLL |
| ATAGS-T1074.004 | Transport Agent |
| ATAGS-T1074.005 | vSphere Installation Bundles |
| ATAGS-T1074.006 | Web Shell |
Threat Actors may abuse vSphere Installation Bundles (VIBs) to establish persistent access to ESXi hypervisors. VIBs are collections of files used for software distribution and virtual system management in VMware environments. Since ESXi uses an in-memory filesystem where changes made to most files are stored in RAM rather than in persistent storage, these modifications are lost after a reboot. However, VIBs can be used to create startup tasks, apply custom firewall rules, or deploy binaries that persist across reboots. Typically, administrators use VIBs for updates and system maintenance.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.