ESXi Network Configuration Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
Sigma rule

```yaml
title: ESXi Network Configuration Discovery Via ESXCLI
id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174
status: test
description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.t1033
    - attack.t1007
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'network'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
```
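To make the rule's logic concrete, here is an added example (not code from the Sigma project or the rule author) that evaluates the `all of selection_*` condition over a few constructed `process_creation` events. It assumes the backend applies Sigma's default case-insensitive string matching for `endswith` and `contains`.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process_creation event: only the two fields the rule inspects."""
    image: str
    command_line: str


def matches_esxcli_network_discovery(ev: ProcessEvent) -> bool:
    """Mirror of the rule's detection block.

    Sigma's 'endswith' and 'contains' modifiers are case-insensitive by
    default, so both fields are lowercased before comparison.
    """
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    # selection_img: both keys inside one selection are ANDed
    selection_img = image.endswith("/esxcli") and "network" in cmd
    # selection_cli: a list of values under one field is ORed
    selection_cli = any(token in cmd for token in (" get", " list"))
    # condition: all of selection_*
    return selection_img and selection_cli


# Constructed sample events (not taken from any real host or log source).
SAMPLE_EVENTS = [
    ProcessEvent("/bin/esxcli", "esxcli network ip interface list"),      # match
    ProcessEvent("/bin/esxcli", "esxcli network nic get -n vmnic0"),      # match
    ProcessEvent("/bin/esxcli", "esxcli system version get"),             # no 'network'
    ProcessEvent("/bin/esxcli", "esxcli network firewall set -e false"),  # no ' get'/' list'
    ProcessEvent("/bin/esxcli_wrapper", "esxcli_wrapper network list"),   # Image suffix differs
    ProcessEvent("/bin/sh", "sh -c 'cat /etc/network/hosts | list'"),     # not esxcli
]


def alerting_command_lines(events: list[ProcessEvent]) -> list[str]:
    """Return the command lines of all events that would fire this rule."""
    return [ev.command_line for ev in events if matches_esxcli_network_discovery(ev)]


if __name__ == "__main__":
    for line in alerting_command_lines(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Only the first two sample events fire; the wrapper binary and the shell invocation show why the `Image|endswith` clause, not the command line alone, carries the rule's precision.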
Related rules
- ESXi Storage Information Discovery Via ESXCLI
- ESXi System Information Discovery Via ESXCLI
- ESXi VM List Discovery Via ESXCLI
- ESXi VSAN Information Discovery Via ESXCLI
- Whoami.EXE Execution Anomaly