ESXi VM List Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.

Sigma rule (View on GitHub)

 1title: ESXi VM List Discovery Via ESXCLI
 2id: 5f1573a7-363b-4114-9208-ad7a61de46eb
 3status: test
 4description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
 5references:
 6    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
 7    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html
 8    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
 9    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
10author: Cedric Maurugeon
11date: 2023/09/04
12tags:
13    - attack.discovery
14    - attack.t1033
15    - attack.t1007
16logsource:
17    category: process_creation
18    product: linux
19detection:
20    selection:
21        Image|endswith: '/esxcli'
22        CommandLine|contains: 'vm process'
23        CommandLine|endswith: ' list'
24    condition: selection
25falsepositives:
26    - Legitimate administration activities
27level: medium

References

Related rules

to-top