The hypothesis is that an adversary may be using VMware DeviceMap to enumerate or manipulate virtual hardware configurations, potentially leading to privilege escalation or persistence. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or system compromise attempts that evade traditional detection methods.
YARA Rule
rule Check_VMWare_DeviceMap
{
    meta:
        Author = "Nick Hoffman"
        Description = "Checks for the existence of VmWare Registry Keys"
        Sample = "de1af0e97e94859d372be7fcf3a5daa5"
    strings:
        $key = "HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 0\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0" wide ascii nocase
        $value = "Identifier" wide nocase ascii
        $data = "VMware" wide nocase ascii
    condition:
        all of them
}
This rule contains three string patterns in its detection logic (the DeviceMap registry key path, the Identifier value name, and the VMware identifier data), all of which must be present for the rule to fire. The scenarios below describe benign activity that can produce a match and the filters or exclusions that can be applied when deploying the rule.
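The following Python is an added illustration, not part of the original rule or its author's tooling: it re-implements the rule's matching semantics (each string in its ASCII and UTF-16LE "wide" form, case-insensitive on ASCII letters, with the "all of them" condition) so a reader can see exactly which byte sequences trigger it. The three sample buffers are constructed for this example and are not the sample referenced in the rule's meta block.

```python
from __future__ import annotations
import re

# The three strings from rule Check_VMWare_DeviceMap. YARA's "\\" is a single
# backslash in the scanned data, hence the raw string here.
RULE_STRINGS = {
    "$key": r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
    "$value": "Identifier",
    "$data": "VMware",
}


def compile_yara_string(text: str) -> re.Pattern:
    """Build a bytes regex mirroring YARA's 'wide ascii nocase' modifiers:
    match the plain ASCII form OR the UTF-16LE form, with ASCII letters
    compared case-insensitively (re.IGNORECASE folds ASCII in bytes patterns)."""
    ascii_form = re.escape(text.encode("ascii"))
    wide_form = re.escape(text.encode("utf-16-le"))
    return re.compile(b"(?:" + ascii_form + b")|(?:" + wide_form + b")", re.IGNORECASE)


PATTERNS = {name: compile_yara_string(s) for name, s in RULE_STRINGS.items()}


def scan(data: bytes) -> dict[str, list[int]]:
    """Return the offsets at which each rule string occurs (empty list if absent)."""
    return {name: [m.start() for m in pat.finditer(data)] for name, pat in PATTERNS.items()}


def rule_matches(data: bytes) -> bool:
    """The rule's condition is 'all of them': every string must occur at least once."""
    hits = scan(data)
    return all(hits[name] for name in PATTERNS)


# Constructed sample buffers (not real files) covering the encodings the rule accepts.
KEY = RULE_STRINGS["$key"]
# All three strings as plain ASCII, as a C string table would hold them.
SAMPLE_ASCII = b"\x00" * 4 + KEY.encode("ascii") + b"\x00Identifier\x00VMware\x00"
# Key and value name as UTF-16LE (a typical Windows wide-string layout), in
# lowercase to exercise 'nocase'; the data string stays ASCII.
SAMPLE_WIDE = (
    KEY.encode("utf-16-le") + b"\x00\x00"
    + "identifier".encode("utf-16-le") + b"\x00\x00"
    + b"vmware\x00"
)
# Reads the same key and value but compares against a different vendor string,
# so $data is absent and the rule must not fire.
SAMPLE_BENIGN = KEY.encode("ascii") + b"\x00Identifier\x00Msft Virtual Disk\x00"


if __name__ == "__main__":
    for label, buf in (("ascii", SAMPLE_ASCII), ("wide", SAMPLE_WIDE), ("benign", SAMPLE_BENIGN)):
        print(f"{label:7s} match={rule_matches(buf)} offsets={scan(buf)}")
```

Running the script shows the ASCII and wide samples both satisfying the condition while the benign buffer, which references the key and value name without the VMware identifier, does not; this is the same behaviour a YARA engine gives the rule above.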
Scenario: VMware vSphere Client Configuration Backup
Description: A scheduled backup job using VMware vSphere Client or PowerCLI is exporting the DeviceMap configuration as part of a routine backup process.
Filter/Exclusion: Exclude files with the .vmx or .vmdk extension, or filter by file paths containing backup/ or snapshot/.

Scenario: VMware vCenter Server Maintenance Task
Description: An admin task such as reconfiguring storage or updating device mappings via vCenter Server triggers the DeviceMap file to be modified.
Filter/Exclusion: Exclude files modified by vCenter Server (e.g., files in /var/log/vmware/ or with vpxd in the process name).

Scenario: VMware ESXi Host Configuration Update
Description: A manual or automated configuration update on an ESXi host (e.g., via esxcli or vicfg command-line tools) changes the DeviceMap file.
Filter/Exclusion: Exclude files with timestamps matching known maintenance windows or filter by process names like esxcli or vicfg.

Scenario: VMware vSAN Health Check Tool
Description: A vSAN health check tool or vSAN performance diagnostics tool generates or modifies the DeviceMap file during a system scan.
Filter/Exclusion: Exclude files created by tools like vSAN Health Check or filter by file paths containing vsan/ or health/.

Scenario: VMware vSphere PowerCLI Script Execution
Description: A PowerCLI script is run to reconfigure storage or devices, which alters the DeviceMap file as part of the script's operation.