ESXi System Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.

Sigma rule

title: ESXi System Information Discovery Via ESXCLI
id: e80273e1-9faf-40bc-bd85-dbaff104c4e9
status: experimental
description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different component of the system. Such as accounts, modules, NTP, etc.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023/09/04
tags:
    - attack.discovery
    - attack.t1033
    - attack.t1007
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'system'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
level: medium
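The rule's detection logic evaluated over sample process-creation events, as an added example that is not part of the rule or of the Sigma project. The evaluator is a hand-written simplification (not a Sigma backend), and the events, including the `/bin/esxcli` image path, are constructed for illustration.

```python
# Added illustration: re-implements the rule's selections in plain Python.
# Sigma string modifiers match case-insensitively by default.

def contains(value, needle):
    """Sigma |contains: case-insensitive substring match."""
    return needle.lower() in value.lower()

def endswith(value, suffix):
    """Sigma |endswith: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())

def rule_matches(event):
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    # selection_img: fields inside one selection are ANDed
    selection_img = endswith(image, "/esxcli") and contains(cmdline, "system")
    # selection_cli: values in a list are ORed
    selection_cli = any(contains(cmdline, v) for v in (" get", " list"))
    # condition: all of selection_*
    return selection_img and selection_cli

# Constructed sample events (not real telemetry)
EVENTS = [
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system account list"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system ntp get"},
    # state-changing call: 'system' present but no ' get' / ' list'
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system maintenanceMode set --enable true"},
    # different namespace: no 'system' in the command line
    {"Image": "/bin/esxcli", "CommandLine": "esxcli network ip interface list"},
    # different namespace, but 'filesystem' contains the substring 'system'
    {"Image": "/bin/esxcli", "CommandLine": "esxcli storage filesystem list"},
    # different binary: Image does not end with '/esxcli'
    {"Image": "/bin/systemctl", "CommandLine": "systemctl list-units"},
]

def matching_commands(events=EVENTS):
    """Return the command lines the rule would alert on."""
    return [e["CommandLine"] for e in events if rule_matches(e)]

if __name__ == "__main__":
    for e in EVENTS:
        print("ALERT" if rule_matches(e) else "-----", e["CommandLine"])
```

The `esxcli storage filesystem list` event alerts because `contains: 'system'` is a substring test, so the rule also fires outside the `esxcli system` namespace; this is worth knowing when triaging or tuning false positives.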
