ESXi VSAN Information Discovery Via ESXCLI
Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
Sigma rule (View on GitHub)
1title: ESXi VSAN Information Discovery Via ESXCLI
2id: d54c2f06-aca9-4e2b-81c9-5317858f4b79
3status: test
4description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
5references:
6 - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
7 - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
8 - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html
9author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
10date: 2023-09-04
11tags:
12 - attack.discovery
13 - attack.t1033
14 - attack.t1007
15logsource:
16 category: process_creation
17 product: linux
18detection:
19 selection_img:
20 Image|endswith: '/esxcli'
21 CommandLine|contains: 'vsan'
22 selection_cli:
23 CommandLine|contains:
24 - ' get'
25 - ' list'
26 condition: all of selection_*
27falsepositives:
28 - Legitimate administration activities
29# Note: level can be reduced to low in some envs
30level: medium
References
Related rules
- ESXi Network Configuration Discovery Via ESXCLI
- ESXi Storage Information Discovery Via ESXCLI
- ESXi System Information Discovery Via ESXCLI
- ESXi VM List Discovery Via ESXCLI
- Cisco Discovery