ESXi Network Configuration Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.

Sigma rule

title: ESXi Network Configuration Discovery Via ESXCLI
id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174
status: test
description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'network'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
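The detection block above, evaluated by an added Python example (not code from the Sigma project or the rule's author) over constructed process_creation events. Event dictionaries are keyed by the rule's own Sigma field names, and the sample command lines are constructed to show one hit per selection path plus the three ways an event falls outside the rule.

```python
# Added example, not Sigma's own code: evaluates this rule's detection block
# over constructed process_creation events (dicts keyed by Sigma field names).

RULE_DETECTION = {
    "selection_img": {
        "Image|endswith": "/esxcli",
        "CommandLine|contains": "network",
    },
    "selection_cli": {
        "CommandLine|contains": [" get", " list"],
    },
}


def _field_matches(event, key, expected):
    # One 'Field|modifier: value' pair. Sigma string matching is
    # case-insensitive by default, and a list of values is an OR.
    field, modifier = key.split("|", 1)
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    for v in (str(x).lower() for x in values):
        if modifier == "endswith" and actual.endswith(v):
            return True
        if modifier == "contains" and v in actual:
            return True
    return False


def _selection_matches(event, selection):
    # Field/value pairs inside one selection are ANDed.
    return all(_field_matches(event, k, v) for k, v in selection.items())


def esxcli_network_discovery(event):
    """True when the event satisfies the rule's 'all of selection_*'."""
    return all(_selection_matches(event, s) for s in RULE_DETECTION.values())


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/bin/esxcli", "CommandLine": "esxcli network ip interface ipv4 get"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli network firewall ruleset list"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system version get"},       # not network
    {"Image": "/bin/esxcli", "CommandLine": "esxcli network nic up -n vmnic0"},  # no get/list
    {"Image": "/bin/cat", "CommandLine": "cat /etc/vmware/esx.conf"},           # not esxcli
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(esxcli_network_discovery(ev), ev["CommandLine"])
```

The fourth event shows why the rule keys on the leading space in ' get' and ' list': a "network" command that changes state rather than enumerating it is not flagged, which is what keeps the falsepositives entry manageable.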
