ESXi Storage Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.

Sigma rule (View on GitHub)

title: ESXi Storage Information Discovery Via ESXCLI
id: f41dada5-3f56-4232-8503-3fb7f9cf2d60
status: test
description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
references:
    - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
    - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'storage'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
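To make the matching semantics concrete, the following Python transcribes the rule's two selections and the `all of selection_*` condition and runs them over a handful of constructed `process_creation` events. This is an added illustration, not code from the Sigma project; the event dictionaries, the `/bin/esxcli` image path and the `storageRule` ruleset name are made up for the example. Sigma's default string matching is case-insensitive, so both fields are lower-cased before comparison.

```python
"""Evaluate the ESXi storage-discovery Sigma logic over constructed events.

Added illustration, not part of the Sigma project. Mirrors the rule:
  selection_img: Image endswith '/esxcli' AND CommandLine contains 'storage'
  selection_cli: CommandLine contains ' get' OR ' list'
  condition:     all of selection_*
"""

IMAGE_SUFFIX = "/esxcli"
STORAGE_TOKEN = "storage"
# Leading space in the rule's values: the verb must begin a separate word,
# so e.g. "blacklist" or "budget" do not satisfy selection_cli.
VERB_TOKENS = (" get", " list")


def selection_img(event: dict) -> bool:
    """Image|endswith '/esxcli' and CommandLine|contains 'storage' (case-insensitive)."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith(IMAGE_SUFFIX) and STORAGE_TOKEN in cmd


def selection_cli(event: dict) -> bool:
    """CommandLine|contains any of ' get', ' list' (case-insensitive)."""
    cmd = event.get("CommandLine", "").lower()
    return any(tok in cmd for tok in VERB_TOKENS)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


# Constructed process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    # Storage enumeration: both selections hold -> alert.
    {"Image": "/bin/esxcli", "CommandLine": "esxcli storage filesystem list"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli storage core device list"},
    # 'storage' present but no ' get'/' list' verb -> selection_cli fails.
    {"Image": "/bin/esxcli", "CommandLine": "esxcli storage core adapter rescan --all"},
    # ' list' present but no 'storage' -> selection_img fails.
    {"Image": "/bin/esxcli", "CommandLine": "esxcli vm process list"},
    # Same command wrapped in a shell: Image is /bin/sh, so the rule does not fire
    # on this event (it would fire on the child esxcli process, if one is logged).
    {"Image": "/bin/sh", "CommandLine": "sh -c 'esxcli storage filesystem list'"},
    # Substring false positive: 'storage' appears only inside an argument
    # (constructed ruleset name), yet the rule matches.
    {"Image": "/bin/esxcli", "CommandLine": "esxcli network firewall ruleset list -r storageRule"},
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Return (CommandLine, matched) pairs for each event."""
    return [(e["CommandLine"], rule_matches(e)) for e in events]


if __name__ == "__main__":
    for cmd, hit in evaluate():
        print(f"{'ALERT ' if hit else 'ignore'}  {cmd}")
```

The last two sample events show the edges a tuner should know about: because `selection_img` keys on `Image`, a command launched through a shell wrapper only matches on the child `esxcli` process, and because `contains` is a plain substring test, any command line that happens to carry "storage" in a path or argument together with a `get`/`list` verb will also fire, which is why the rule notes the level can be lowered in environments with heavy legitimate administration.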
