ESXi System Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
Sigma rule (View on GitHub)
1title: ESXi System Information Discovery Via ESXCLI
2id: e80273e1-9faf-40bc-bd85-dbaff104c4e9
3status: test
4description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
5references:
6 - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
7 - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
8author: Cedric Maurugeon
9date: 2023-09-04
10tags:
11 - attack.discovery
12 - attack.t1033
13 - attack.t1007
14logsource:
15 category: process_creation
16 product: linux
17detection:
18 selection_img:
19 Image|endswith: '/esxcli'
20 CommandLine|contains: 'system'
21 selection_cli:
22 CommandLine|contains:
23 - ' get'
24 - ' list'
25 condition: all of selection_*
26falsepositives:
27 - Legitimate administration activities
28level: medium
References
-
CrowdStrike outlines the new campaigns that have been observed targeting ESXi systems and specific defensive controls that can protect these critical assets.
Read More -
Command Description Options Help system account add Create a new local user account. --description | -d User description, e.g. full name. --id | -i User ID, e.g. "administrator". (required) --passw...
Read More
Related rules
- ESXi Network Configuration Discovery Via ESXCLI
- ESXi Storage Information Discovery Via ESXCLI
- ESXi VM List Discovery Via ESXCLI
- ESXi VSAN Information Discovery Via ESXCLI
- Whoami.EXE Execution Anomaly