ESXi VM List Discovery Via ESXCLI

Detects execution of "esxcli vm process list", the ESXCLI command that lists the virtual machines currently running on an ESXi host (the rule matches the "vm process" namespace followed by the "list" verb, not a "vm" flag). Enumerating running VMs is a discovery step seen in the ESXi-targeting ransomware campaigns cited in the rule's references; it is also routine administration, so the rule is rated medium and should be correlated with what follows (for example, "esxcli vm process kill") rather than acted on alone.

Sigma rule

title: ESXi VM List Discovery Via ESXCLI
id: 5f1573a7-363b-4114-9208-ad7a61de46eb
status: experimental
description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html
    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Cedric Maurugeon
date: 2023/09/04
tags:
    - attack.discovery
    - attack.t1033
    - attack.t1007
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'vm process'
        CommandLine|endswith: ' list'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
