ESXI Discovery via Find
Identifies instances where the 'find' command is started on a Linux system with arguments targeting specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.
Elastic rule
```toml
[metadata]
creation_date = "2023/04/11"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.5.0"
updated_date = "2023/04/11"

[rule]
author = ["Elastic"]
description = """
Identifies instances where the 'find' command is started on a Linux system with arguments targeting
specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*".
These paths are associated with VMware virtualization software, and their presence in the find command arguments
may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files
and configurations on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "ESXI Discovery via Find"
references = [
  "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
]
risk_score = 47
rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Discovery", "Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and process.name : "find" and
process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"
```
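As an added illustration (not part of the Elastic rule or its repository), the query's predicate re-implemented in plain Python and run over constructed sample process-start events, so the matching semantics can be checked offline: `process.name : "find"` and `process.args : (...)` are case-insensitive wildcard matches, and the args clause fires if any element of the argument array matches any pattern. Field names and patterns are the rule's own; the sample events are made up.

```python
"""Re-implementation of the rule's EQL predicate, run over constructed events."""
import fnmatch

# Patterns copied from the rule's EQL query.
VMWARE_ARG_PATTERNS = ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")


def eql_like(value, pattern):
    """Approximate EQL's ':' operator: case-insensitive, '*' matches any run of
    characters including '/'. The rule uses no other glob metacharacters."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def matches_rule(event):
    """True when the event satisfies every clause of the EQL query."""
    if event.get("host.os.type") != "linux" or event.get("event.type") != "start":
        return False
    if not eql_like(event.get("process.name", ""), "find"):
        return False
    # process.args is an array field: ':' against an array matches on any element.
    return any(eql_like(arg, pat)
               for arg in event.get("process.args", [])
               for pat in VMWARE_ARG_PATTERNS)


# Constructed sample events, flattened to ECS field names (not real telemetry).
SAMPLE_EVENTS = [
    {"host.os.type": "linux", "event.type": "start", "process.name": "find",
     "process.args": ["find", "/vmfs/volumes", "-name", "*.vmdk"]},   # fires
    {"host.os.type": "linux", "event.type": "start", "process.name": "find",
     "process.args": ["find", "/home", "-name", "*.log"]},            # benign path
    {"host.os.type": "linux", "event.type": "start", "process.name": "grep",
     "process.args": ["grep", "-r", "vmx", "/etc/vmware/"]},          # wrong process
    {"host.os.type": "linux", "event.type": "start", "process.name": "FIND",
     "process.args": ["FIND", "/ETC/VMWARE/", "-type", "f"]},         # fires (case)
    {"host.os.type": "windows", "event.type": "start", "process.name": "find",
     "process.args": ["find", "/vmfs/"]},                             # wrong OS
    {"host.os.type": "linux", "event.type": "end", "process.name": "find",
     "process.args": ["find", "/usr/lib/vmware/bin"]},                # not a start
]


def alerting_events(events):
    """Indices of events that would trigger the rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


if __name__ == "__main__":
    for i in alerting_events(SAMPLE_EVENTS):
        print(f"alert: event {i} args={SAMPLE_EVENTS[i]['process.args']}")
```

Events 1, 2, 4 and 5 show the three clauses that have to hold besides the path pattern, which is where most tuning of this rule happens in practice (for example excluding known backup or inventory tooling by parent process).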
References
Related rules
- ESXI Discovery via Grep
- Enumeration of Kernel Modules
- Hping Process Activity
- Nping Process Activity
- SUID/SGUID Enumeration Detected