ESXi VM List Discovery Via ESXCLI

calendar May 21, 2025 · attack.discovery attack.execution attack.t1033 attack.t1007 attack.t1059.012  ·
Share on: linkedin copy

Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.

Sigma rule (View on GitHub)

 1title: ESXi VM List Discovery Via ESXCLI
 2id: 5f1573a7-363b-4114-9208-ad7a61de46eb
 3status: test
 4description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
 5references:
 6    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
 7    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
 8    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
 9    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
10author: Cedric Maurugeon
11date: 2023-09-04
12tags:
13    - attack.discovery
14    - attack.execution
15    - attack.t1033
16    - attack.t1007
17    - attack.t1059.012
18logsource:
19    category: process_creation
20    product: linux
21detection:
22    selection:
23        Image|endswith: '/esxcli'
24        CommandLine|contains: 'vm process'
25        CommandLine|endswith: ' list'
26    condition: selection
27falsepositives:
28    - Legitimate administration activities
29level: medium

References

Related rules

to-top