InfinitumIT
Analysis Report

Trusted Process Abuse: Why Doesn't MDE See the Command Hidden Behind vmtoolsd?

The anatomy of an EDR blind spot on Microsoft Defender for Endpoint: why the PowerShell command spawned under vmtoolsd via vSphere Guest Operations doesn't raise an alarm in DeviceProcessEvents, and how to close the gap with an Advanced Hunting query and a Custom Detection Rule.

03.07.2026 · 7 min read · InfinitumIT
Trusted Process Abuse: Why Doesn't MDE See the Command Hidden Behind vmtoolsd?

The anatomy of an EDR blind spot in Microsoft Defender for Endpoint: where the detection gap opens up, how to close it with Advanced Hunting, and how Microsoft frames this class of risk.

Introduction

Most modern EDR/XDR products no longer decide based on signatures but on behavior: which process launched which process, the shape of the command line, and whether the parent chain looks "normal." This approach has largely left file-based detection behind, but it introduced a new blind spot along with it — if the parent process is signed and trusted, most of the agent looks at the child process with almost no suspicion at all.

We tested this assumption in a lab environment: on VMware vSphere infrastructure, we looked at whether a PowerShell command sent from the hypervisor management plane down into a guest operating system would generate an alarm in six different EDR/XDR products. The result was a product-independent pattern — none of them saw anything in their default configuration. We shared this finding on July 1, 2026 as the INFINITUM-SA-2026-07-001 advisory. In this article we take a deep dive into that same case, specific to Microsoft Defender for Endpoint (MDE).

The Case: vmtoolsd and Guest Operations

The host-side component of VMware Tools, vmtoolsd.exe, is a VMware-signed service that is marked as trusted in nearly every endpoint agent's file reputation database. vSphere's GuestProcessManager.StartProgramInGuest API allows programs to be executed inside the guest VM through this service — it is a facility designed for entirely legitimate scenarios such as automation and agent deployment.

The critical detail here is this: this execution comes neither over the network (SMB/WinRM/RDP) nor from an interactive session. The command is born directly as a child process of vmtoolsd.exe via the VMX/hypervisor channel. In other words, the two major correlation sources the endpoint agent is used to — network telemetry and session telemetry — are out of the picture from the very beginning in this scenario.

Why EDRs Miss This

It would be misleading to reduce the miss cause we observed in the tests to a single factor; in fact there are four separate effects overlapping:

Reading this as a "product vulnerability" would be wrong. In none of the six products did process telemetry actually disappear — it's just that none of them turned it into an alarm in the default policy. The distinction matters, because the solution is shaped accordingly: what's missing is not visibility but correlation.

MDE Specifics: The Record Is There, the Alarm Isn't

MDE's process creation visibility is fed by a kernel-registered PsSetCreateProcessNotifyRoutineEx notification routine and complementary ETW (Event Tracing for Windows) providers. These events land in the DeviceProcessEvents table and carry the following fields:

  1. InitiatingProcessFileName, InitiatingProcessId — the reported parent
  2. FileName, ProcessCommandLine, AccountName — the child process
  3. InitiatingProcessParentFileName — the grand-parent (useful in chain analysis)
  4. ProcessUniqueId / InitiatingProcessUniqueId — instance-specific identifiers that eliminate the PID reuse problem

In our test environment, the powershell.exe process launched under vmtoolsd.exe was sitting there in DeviceProcessEvents as a complete row — including the command line. In other words, there is no loss at all in MDE's telemetry collection layer. What is missed is the default alarm logic sitting on top of it: a signed binary spawning a child process is evaluated as low-priority/high-noise weight by MDE's cloud-side behavioral models. This is a deliberate design choice aimed at keeping the false-positive rate low, but in practice it is the exact counterpart in MDE of the gap we saw in our VMware advisory.

Microsoft Defender for Endpoint vmtoolsd — figure 1

Advanced Hunting query

DeviceProcessEvents
| where InitiatingProcessFileName =~ "vmtoolsd.exe"
| where FileName in~ ("powershell.exe","pwsh.exe","cmd.exe",
"wscript.exe","cscript.exe","mshta.exe","rundll32.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName,
ProcessCommandLine, AccountName, InitiatingProcessParentFileName
| order by Timestamp desc

Detection Approach: From Advanced Hunting to a Custom Detection Rule

To add the query mentioned above to the MDE system as a rule, you can do the following:

Custom Detection Rules > Create detection rule:

Microsoft Defender for Endpoint vmtoolsd — figure 2

You can fill in the required fields as shown in the screenshot and then press the Add query button:

Microsoft Defender for Endpoint vmtoolsd — figure 3

You can test this query by entering it in the relevant field and then confirm it:

DeviceProcessEvents
| where InitiatingProcessFileName =~ "vmtoolsd.exe"
| where FileName in~ ("powershell.exe","pwsh.exe","cmd.exe",
"wscript.exe","cscript.exe","mshta.exe","rundll32.exe")
| project Timestamp, ReportId, DeviceId, DeviceName,
InitiatingProcessFileName, InitiatingProcessId, InitiatingProcessParentFileName,
FileName, FolderPath, ProcessCommandLine, SHA1,
AccountDomain, AccountName
| order by Timestamp desc

Microsoft Defender for Endpoint vmtoolsd — figure 4

You can configure the alarm settings according to your preference:

Microsoft Defender for Endpoint vmtoolsd — figure 5

At this stage you can determine the action to be taken after the alarm is triggered, but as noted earlier, taking an action right away is not recommended:

Microsoft Defender for Endpoint vmtoolsd — figure 6

In this section, you can define the scope of this rule within your organization:

Microsoft Defender for Endpoint vmtoolsd — figure 7

In the final step, after reviewing the rule you have created, you can press the Submit button:

Microsoft Defender for Endpoint vmtoolsd — figure 8

How Does Microsoft Address This?

Since vmtoolsd is a third-party component, Microsoft has no direct statement on it — but the same architectural gap also applies to Microsoft's own Azure Guest Agent / Run Command feature, and there we can clearly see the vendor's stance. In the Storm-0501 analyses on the Microsoft Security Blog (September 2024 and August 2025), Microsoft itself describes how the actors use Azure Run Command to execute scripts in the SYSTEM context without requiring RDP/SSH, and it labels this as a "visibility gap in hybrid cloud environments." As a solution, it does not consider MDE alone to be sufficient; it recommends deploying Defender for Cloud and Defender for Cloud Apps together with it.

In other words, the vendor's philosophy is this: "the legitimate use of a signed, authenticated tool coming from the management plane" is not a product vulnerability; the real control point is tightening access to that management plane. MDE deliberately does not produce a default alarm and leaves the responsibility of closing the gap to the customer, via a custom detection rule plus control-plane log correlation.

Closing

The vmtoolsd example is really only one member of a larger family. We see the same architectural pattern (executing a command from outside the OS, session-less, under a signed-trusted parent) in SCCM, Intune, cloud guest agents, and various RMM tools as well — we will cover that in a separate article. The real takeaway here is not to blame a single product: it's to see how easily the "signed = innocent" assumption that behavioral detection relies on can be flipped by an actor with access to the management plane. MDE is not losing visibility in this scenario; it is leaving the decision to you. Whether or not to write the custom detection rule means having already made that decision in advance.

Selman Bilal SİVRİ — L2/L3 MDR Analyst

InfinitumIT MDR — Detection Engineering & Threat Hunting

This article is based on the results of a controlled test and Rule Simulation carried out in a real Microsoft Defender for Endpoint environment.

Did you find this useful?

Be the first to receive our threat newsletters and MDR Insights reports.

Our team certifications

Experts accredited by SANS, Offensive Security, EC-Council, CompTIA, ISACA, CREST, and INE.

SANS GPEN
SANS GWAPT
SANS GICSP
SANS GRTP
SANS GCIH
SANS GSEC
Offensive Security OSCP
Offensive Security OSWP
EC-Council CEH
CompTIA Security+
ISACA CISM
ISACA CISA
CREST CRT
INE eWPTX
Fortinet FCP Secure Networking
Fortinet FCP Cloud Security
Fortinet FCP Security Operations
Fortinet FCSS Secure Networking
Fortinet FCSS SASE
Fortinet FCSS Cloud Security
Fortinet FCSS Security Operations
IBM QRadar Admin
SANS GPEN
SANS GWAPT
SANS GICSP
SANS GRTP
SANS GCIH
SANS GSEC
Offensive Security OSCP
Offensive Security OSWP
EC-Council CEH
CompTIA Security+
ISACA CISM
ISACA CISA
CREST CRT
INE eWPTX
Fortinet FCP Secure Networking
Fortinet FCP Cloud Security
Fortinet FCP Security Operations
Fortinet FCSS Secure Networking
Fortinet FCSS SASE
Fortinet FCSS Cloud Security
Fortinet FCSS Security Operations
IBM QRadar Admin

Cookie usage

We only use essential session and language preference cookies; no third-party tracking cookies. For details, see our Cookie Policy and KVKK Privacy Notice.