Devcon Execution Disabling VMware VMCI Device
Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device. This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device. Disabling the VMCI device has been used to facilitate VMware ESXi vulnerability exploits that escape the VM and execute code on the ESXi host.
Sigma rule
title: Devcon Execution Disabling VMware VMCI Device
id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de
status: experimental
description: |
    Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
    This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
    This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
references:
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon
    - https://communities.vmware.com/t5/VMware-Workstation-Pro/VMCI-driver-issues/td-p/2866060
    - https://github.com/search?q=devcon+disable+VMWVMCIHOSTDEV
    - https://huntress.com/blog/esxi-vm-escape-exploit
author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
date: 2026-01-02
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\devcon.exe'
        - OriginalFileName: 'DevCon.exe'
    selection_action:
        CommandLine|contains: ' disable '
    selection_vmci_pci:
        CommandLine|contains:
            - '15AD&DEV_0740' # VMware VMCI PCI device (Vendor 0x15AD = VMware, Device 0x0740 = VMCI)
            - 'VMWVMCIHOSTDEV' # VMware VMCI root host device driver name
    condition: all of selection_*
falsepositives:
    - Legitimate VMware administration, Tools installation/uninstallation, or troubleshooting driver conflicts.
    - Automated scripts in virtualized environments for device cleanup.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml
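To check how the three selections combine, here is an added Python evaluation of the rule's logic over constructed process_creation events; it is not part of the rule or the Sigma project, and the sample events and field values are constructed for illustration.

```python
# Added example (not the rule's own code): a minimal Python evaluation of the
# rule's selections over constructed process_creation events. Sigma string
# modifiers (endswith/contains) are case-insensitive, mirrored here via lower().

VMCI_INDICATORS = ("15AD&DEV_0740", "VMWVMCIHOSTDEV")  # from selection_vmci_pci

def _lower(value):
    return (value or "").lower()

def selection_img(event):
    # Image path ends with \devcon.exe, or the PE's OriginalFileName is
    # DevCon.exe (covers a renamed copy when the log source records it).
    return (_lower(event.get("Image")).endswith("\\devcon.exe")
            or _lower(event.get("OriginalFileName")) == "devcon.exe")

def selection_action(event):
    # Spaces on both sides: 'disable' as a whole devcon verb, not a substring.
    return " disable " in _lower(event.get("CommandLine"))

def selection_vmci_pci(event):
    cmd = _lower(event.get("CommandLine"))
    return any(ind.lower() in cmd for ind in VMCI_INDICATORS)

def matches(event):
    # condition: all of selection_*
    return selection_img(event) and selection_action(event) and selection_vmci_pci(event)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 1) devcon disabling the VMCI PCI device by hardware ID -> alert
    {"Image": r"C:\Windows\Temp\devcon.exe",
     "CommandLine": r'devcon.exe disable "PCI\VEN_15AD&DEV_0740&SUBSYS_074015AD"'},
    # 2) renamed binary, caught via OriginalFileName, root device name -> alert
    {"Image": r"C:\Tools\dc.exe", "OriginalFileName": "DevCon.exe",
     "CommandLine": r"dc.exe disable @ROOT\VMWVMCIHOSTDEV\0000"},
    # 3) same device but 'enable' -> no alert
    {"Image": r"C:\Windows\Temp\devcon.exe",
     "CommandLine": r'devcon.exe enable "PCI\VEN_15AD&DEV_0740"'},
    # 4) devcon disable of an unrelated device class -> no alert
    {"Image": r"C:\Windows\Temp\devcon.exe",
     "CommandLine": r"devcon.exe disable =net"},
]

def alert_indices(events=SAMPLE_EVENTS):
    """Return indices of events that satisfy all selections."""
    return [i for i, e in enumerate(events) if matches(e)]
```

Event 2 only fires because the log source populates OriginalFileName; on sources that record only the image path, a renamed devcon.exe would be missed by selection_img.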