ESXi VM List Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
Sigma rule
title: ESXi VM List Discovery Via ESXCLI
id: 5f1573a7-363b-4114-9208-ad7a61de46eb
status: test
description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'vm process'
        CommandLine|endswith: ' list'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
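A reference implementation of this rule's selection logic run over constructed process_creation events, added here as an example (it is not part of the Sigma project or its backends); it assumes events are dicts keyed by the rule's field names and that Sigma's default case-insensitive string matching applies.

```python
from typing import Dict, List

# The rule's selection block, transcribed from the YAML above. Sigma
# AND-s the items of one selection, and its string modifiers are
# case-insensitive by default; the matcher below reproduces both.
SELECTION = {
    "Image|endswith": "/esxcli",
    "CommandLine|contains": "vm process",
    "CommandLine|endswith": " list",
}


def _field_matches(value: str, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier, case-insensitively."""
    v, p = value.lower(), pattern.lower()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_rule(event: Dict[str, str]) -> bool:
    """True when every selection item matches the event (Sigma AND)."""
    for key, pattern in SELECTION.items():
        field, modifier = key.split("|", 1)
        if not _field_matches(event.get(field, ""), modifier, pattern):
            return False
    return True


def find_hits(events: List[Dict[str, str]]) -> List[str]:
    """Return the CommandLine of every event the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_rule(e)]


# Constructed sample process_creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/bin/esxcli", "CommandLine": "esxcli vm process list"},
    # Different case: still a hit under Sigma's default matching.
    {"Image": "/bin/esxcli", "CommandLine": "esxcli VM Process LIST"},
    # Another esxcli namespace: outside this rule (see the related rules).
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system version get"},
    # Shell wrapper: Image is the shell, so only the separately logged
    # esxcli child event can match.
    {"Image": "/bin/sh", "CommandLine": "/bin/sh -c 'esxcli vm process list'"},
    # Trailing whitespace in the logged command line defeats endswith.
    {"Image": "/bin/esxcli", "CommandLine": "esxcli vm process list "},
]
```

Only the first two sample events produce a hit; the last one shows why normalising whitespace in the command line field before matching is worth checking in the log pipeline.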
Related rules
- ESXi Network Configuration Discovery Via ESXCLI
- ESXi Storage Information Discovery Via ESXCLI
- ESXi System Information Discovery Via ESXCLI
- ESXi VSAN Information Discovery Via ESXCLI
- HackTool - PCHunter Execution