ESXI Discovery via Find

Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.

Elastic rule

```toml
[metadata]
creation_date = "2023/04/11"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.5.0"
updated_date = "2023/04/11"

[rule]
author = ["Elastic"]
description = """
Identifies instances where the 'find' command is started on a Linux system with arguments targeting
specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*".
These paths are associated with VMware virtualization software, and their presence in the find command arguments
may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files
and configurations on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "ESXI Discovery via Find"
references = [
    "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
]
risk_score = 47
rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and process.name : "find" and
process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
```
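To see what the EQL query above actually matches, the following Python renders its conditions over a handful of constructed ECS-style process events. This is an added example for illustration, not code from Elastic or from the rule itself: the event shapes, ids and command lines are made up, and `fnmatch` is used as an approximation of EQL's `:` operator (case-insensitive, with `*` and `?` wildcards, matching any element of an array field against any pattern in the list).

```python
import fnmatch

# Wildcard patterns copied from the rule's query: process.args : (...)
VM_PATH_PATTERNS = ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")

# Constructed sample events (not real telemetry) in an ECS-like layout.
SAMPLE_EVENTS = [
    {"id": 1, "host": {"os": {"type": "linux"}}, "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "find", "args": ["find", "/vmfs/volumes", "-name", "*.vmdk"]}},
    {"id": 2, "host": {"os": {"type": "linux"}}, "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "find", "args": ["find", "/etc/vmware/", "-type", "f"]}},
    # Benign find in a home directory: no VM-related path.
    {"id": 3, "host": {"os": {"type": "linux"}}, "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "find", "args": ["find", "/home/user", "-name", "*.txt"]}},
    # Same path, but the binary is ls, not find.
    {"id": 4, "host": {"os": {"type": "linux"}}, "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "ls", "args": ["ls", "/vmfs/volumes"]}},
    # Wrong OS: the rule is scoped to Linux hosts.
    {"id": 5, "host": {"os": {"type": "windows"}}, "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "find", "args": ["find", "/vmfs/volumes"]}},
    # Process-end event: the rule only fires on starts.
    {"id": 6, "host": {"os": {"type": "linux"}}, "event": {"category": ["process"], "type": ["end"]},
     "process": {"name": "find", "args": ["find", "/usr/lib/vmware/", "-type", "f"]}},
    # Mixed-case path: EQL ':' is case-insensitive, so this still matches.
    {"id": 7, "host": {"os": {"type": "linux"}}, "event": {"category": ["process"], "type": ["start"]},
     "process": {"name": "find", "args": ["find", "/USR/LIB/VMware/bin", "-type", "f"]}},
]


def _get(event, dotted):
    """Look up a dotted ECS field name ("host.os.type") in a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def _as_list(value):
    """ECS fields such as event.type may be scalar or array; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def eql_wildcard_match(value, patterns):
    """Approximate EQL's ':' operator: case-insensitive, '*'/'?' wildcards, any pattern wins."""
    text = str(value).lower()
    return any(fnmatch.fnmatchcase(text, p.lower()) for p in patterns)


def matches_rule(event):
    """True when the event satisfies every clause of the rule's EQL query."""
    # 'process where ...' restricts the query to process-category events.
    if "process" not in _as_list(_get(event, "event.category")):
        return False
    if _get(event, "host.os.type") != "linux":
        return False
    if "start" not in _as_list(_get(event, "event.type")):
        return False
    if not eql_wildcard_match(_get(event, "process.name") or "", ("find",)):
        return False
    # Array field: any argument matching any pattern is enough.
    return any(eql_wildcard_match(a, VM_PATH_PATTERNS) for a in _as_list(_get(event, "process.args")))


def run_rule(events):
    """Return the ids of the events the rule would alert on, in input order."""
    return [e["id"] for e in events if matches_rule(e)]


if __name__ == "__main__":
    print("alerting event ids:", run_rule(SAMPLE_EVENTS))
```

Two details of the query are worth noting when tuning this rule. Because `*` in EQL spans path separators, any argument beneath `/vmfs/`, `/etc/vmware/` or `/usr/lib/vmware/` matches regardless of depth, and because `:` is case-insensitive the match succeeds even on a capitalised path that would not exist on a case-sensitive Linux filesystem. Legitimate administration or backup jobs that run `find` over these directories will trigger the rule too, so exceptions are best scoped to the specific parent process or script that is expected to do so rather than to the paths themselves.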
