ESXi Storage Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
Sigma rule (View on GitHub)
1title: ESXi Storage Information Discovery Via ESXCLI
2id: f41dada5-3f56-4232-8503-3fb7f9cf2d60
3status: test
4description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
5references:
6 - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
7 - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
8 - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html
9author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
10date: 2023-09-04
11tags:
12 - attack.discovery
13 - attack.t1033
14 - attack.t1007
15logsource:
16 category: process_creation
17 product: linux
18detection:
19 selection_img:
20 Image|endswith: '/esxcli'
21 CommandLine|contains: 'storage'
22 selection_cli:
23 CommandLine|contains:
24 - ' get'
25 - ' list'
26 condition: all of selection_*
27falsepositives:
28 - Legitimate administration activities
29# Note: level can be reduced to low in some envs
30level: medium
References
Related rules
- ESXi Network Configuration Discovery Via ESXCLI
- ESXi System Information Discovery Via ESXCLI
- ESXi VM List Discovery Via ESXCLI
- ESXi VSAN Information Discovery Via ESXCLI
- Cisco Discovery