ESXi Storage Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
Sigma rule

```yaml
title: ESXi Storage Information Discovery Via ESXCLI
id: f41dada5-3f56-4232-8503-3fb7f9cf2d60
status: test
description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
references:
    - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
    - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.t1033
    - attack.t1007
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'storage'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
```
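The rule's detection logic, applied to a handful of constructed process_creation events, as an added example that is not part of the rule page or of the Sigma project's own code. The field names Image and CommandLine follow the Sigma process_creation taxonomy; the events themselves are made-up samples. Sigma's contains and endswith modifiers are case-insensitive by default, which the matcher reproduces by lower-casing both sides.

```python
"""Apply the 'ESXi Storage Information Discovery Via ESXCLI' Sigma logic
to constructed process_creation events (added example, not project code).

selection_img: Image ends with '/esxcli' AND CommandLine contains 'storage'
selection_cli: CommandLine contains ' get' OR ' list'
condition:     all of selection_*
"""


def _ci(value):
    # Sigma string modifiers are case-insensitive unless |cased is used.
    return value.lower()


def selection_img(event):
    image = _ci(event.get("Image", ""))
    cmd = _ci(event.get("CommandLine", ""))
    return image.endswith("/esxcli") and "storage" in cmd


def selection_cli(event):
    cmd = _ci(event.get("CommandLine", ""))
    # Leading space in the patterns mirrors the rule: ' get' / ' list'.
    return " get" in cmd or " list" in cmd


def matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_cli(event)


# Constructed sample events (not real telemetry). Comments state the
# expected verdict and why.
SAMPLE_EVENTS = [
    # esxcli storage subcommand ending in 'list' -> match
    {"Image": "/bin/esxcli", "CommandLine": "esxcli storage filesystem list"},
    # another storage enumeration with 'list' -> match
    {"Image": "/bin/esxcli", "CommandLine": "esxcli storage core device list"},
    # esxcli, has ' list', but no 'storage' -> no match (other ESXCLI rules cover it)
    {"Image": "/bin/esxcli", "CommandLine": "esxcli network nic list"},
    # storage namespace but neither ' get' nor ' list' -> no match (rule gap)
    {"Image": "/bin/esxcli", "CommandLine": "esxcli storage core path"},
    # 'storage' and 'list' as substrings, but not esxcli and no ' list' -> no match
    {"Image": "/bin/sh", "CommandLine": "cat /var/log/storage.list"},
    # mixed case: Sigma matching is case-insensitive -> match
    {"Image": "/usr/bin/esxcli", "CommandLine": "esxcli STORAGE vmfs extent LIST"},
]


def run(events):
    """Return one boolean verdict per event, in input order."""
    return [matches(e) for e in events]


if __name__ == "__main__":
    for event, hit in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{'ALERT ' if hit else 'ignore'}  {event['CommandLine']}")
```

The fourth sample shows where the rule is deliberately narrow: a storage subcommand that takes neither `get` nor `list` does not fire, which keeps noise down but means the rule is a discovery indicator, not a complete inventory of `esxcli storage` use. Run it alongside the related ESXCLI rules listed below rather than on its own.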
Related rules
- ESXi Network Configuration Discovery Via ESXCLI
- ESXi System Information Discovery Via ESXCLI
- ESXi VM List Discovery Via ESXCLI
- ESXi VSAN Information Discovery Via ESXCLI
- Whoami.EXE Execution Anomaly