ESXi VSAN Information Discovery Via ESXCLI

Detects execution of the "esxcli" command with the "vsan" namespace (for example "esxcli vsan cluster get" or "esxcli vsan storage list") in order to retrieve information about vSAN virtual storage on an ESXi host. Seen used by malware such as DarkSide and the Linux/ESXi variant of LockBit, which enumerate storage before encrypting virtual machine files.

Sigma rule

```yaml
title: ESXi VSAN Information Discovery Via ESXCLI
id: d54c2f06-aca9-4e2b-81c9-5317858f4b79
status: experimental
description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
references:
    - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
    - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023/09/04
tags:
    - attack.discovery
    - attack.t1033
    - attack.t1007
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'vsan'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
```
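To make the detection block concrete, the following is an added example (not part of the Sigma project or this rule) that implements the rule's matching logic in plain Python and runs it over a handful of constructed Linux process_creation events. It reproduces the Sigma semantics that matter here: `endswith` and `contains` are case-insensitive by default, the two `CommandLine|contains` values carry a leading space, and `all of selection_*` requires both selections to hit. The `ProcessEvent` type, the `SAMPLE_EVENTS` list and the command lines in it are assumptions made for the example.

```python
"""Re-implementation of the Sigma rule's detection block, run over
constructed sample process_creation events (added example, not rule code)."""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str         # full path of the executed binary (Sigma field: Image)
    command_line: str  # full command line as logged  (Sigma field: CommandLine)


def _contains(haystack: str, needle: str) -> bool:
    # Sigma string modifiers are case-insensitive unless |cased is used.
    return needle.lower() in haystack.lower()


def _endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())


def matches_rule(ev: ProcessEvent) -> bool:
    """True when the event satisfies 'all of selection_*'."""
    # selection_img: Image|endswith '/esxcli' AND CommandLine|contains 'vsan'
    selection_img = _endswith(ev.image, "/esxcli") and _contains(ev.command_line, "vsan")
    # selection_cli: CommandLine|contains any of ' get', ' list'
    # (the leading space is part of the value; ' get' also matches ' getdefault')
    selection_cli = any(_contains(ev.command_line, s) for s in (" get", " list"))
    return selection_img and selection_cli


def run_detection(events):
    """Return the command lines of all events that trigger the rule."""
    return [ev.command_line for ev in events if matches_rule(ev)]


# Constructed sample events (assumption: the host logs the binary path as Image).
SAMPLE_EVENTS = [
    ProcessEvent("/bin/esxcli", "esxcli vsan cluster get"),          # hit
    ProcessEvent("/bin/esxcli", "esxcli vsan storage list"),         # hit
    ProcessEvent("/bin/esxcli", "ESXCLI VSAN Network LIST"),         # hit: case-insensitive
    ProcessEvent("/bin/esxcli", "esxcli vsan policy getdefault"),    # hit: ' get' substring
    ProcessEvent("/bin/esxcli", "esxcli vm process list"),           # miss: no 'vsan'
    ProcessEvent("/bin/esxcli", "esxcli vsan cluster leave"),        # miss: no ' get'/' list'
    ProcessEvent("/usr/bin/vim-cmd", "vim-cmd vmsvc/getallvms"),     # miss: Image is not esxcli
    ProcessEvent("/bin/esxcli", "esxcli storage vmfs extent list"),  # miss: VMFS, not vSAN
]


if __name__ == "__main__":
    for cmd in run_detection(SAMPLE_EVENTS):
        print("ALERT:", cmd)
```

The fourth sample shows why the rule keys on a leading space only: `' get'` is a substring match, so any vsan subcommand beginning with `get` (such as `getdefault`) fires, which is the intended coverage. Conversely, a command like `esxcli vsan cluster leave` is an impactful action but falls outside this rule's scope, so pair it with rules that cover vsan state changes rather than widening the `contains` list here.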
