ESXi Network Configuration Discovery Via ESXCLI

 1title: ESXi Network Configuration Discovery Via ESXCLI
 2id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174
 3status: experimental
 4description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
 5references:
 6    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
 7    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_network.html
 8author: Cedric Maurugeon
 9date: 2023/09/04
10tags:
11    - attack.discovery
12    - attack.t1033
13    - attack.t1007
14logsource:
15    category: process_creation
16    product: linux
17detection:
18    selection_img:
19        Image|endswith: '/esxcli'
20        CommandLine|contains: 'network'
21    selection_cli:
22        CommandLine|contains:
23            - ' get'
24            - ' list'
25    condition: all of selection_*
26falsepositives:
27    - Legitimate administration activities
28# Note: level can be reduced to low in some envs
29level: medium

References

• Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware

  

  CrowdStrike outlines the new campaigns that have been observed targeting ESXi systems and specific defensive controls that can protect these critical assets.

  
  Read More

• Online Documentation - ESXi 7.0 ESXCLI Command Reference - VMware {code}

  ESXi 7.0 ESXCLI Command Reference The document does not exist or no topics available. Display Table of Contents No results found, please try refining your search.

  
  Read More

Related rules

• ESXi Storage Information Discovery Via ESXCLI
• ESXi System Information Discovery Via ESXCLI
• ESXi VM List Discovery Via ESXCLI
• ESXi VSAN Information Discovery Via ESXCLI
• HackTool - PCHunter Execution