Adversaries who have obtained shell or SSH access to an ESXi host may run esxcli network subcommands to enumerate vSwitches, port groups, VMkernel interfaces, firewall rules and the network state of guest VMs, both to map the virtualized environment and to find paths for lateral movement or data exfiltration. SOC teams should hunt for this behavior: it is reconnaissance that typically precedes the later stages of hypervisor-focused intrusions, and interactive use of esxcli on a host is rare outside of change windows. Note that ESXi is not Linux even though the rule below is mapped to the linux/process_creation log source: on the host, ESXi Shell commands are recorded in /var/log/shell.log, so that log must be forwarded via syslog (or an equivalent agent) and parsed into process-creation fields before this rule can fire.
Detection Rule
title: ESXi Network Configuration Discovery Via ESXCLI
id: 33e814e0-1f00-4e43-9c34-31fb7ae2b174
status: test
description: Detects execution of the "esxcli" command with the "network" flag in order to retrieve information about the network configuration.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'network'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
Equivalent Microsoft Sentinel query over the ASIM imProcessCreate parser (KQL string operators such as endswith and contains are case-insensitive, matching Sigma's default):
imProcessCreate
| where TargetProcessName endswith "/esxcli"
    and TargetProcessCommandLine contains "network"
    and (TargetProcessCommandLine contains " get" or TargetProcessCommandLine contains " list")
Scenario: Scheduled ESXi Host Maintenance Task
Description: A scheduled task (for example a root cron entry or a maintenance script launched over SSH) runs esxcli network ... get or ... list commands as part of routine host checks, such as validating VMkernel interface, vSwitch or firewall settings before or after a change. Note that pure configuration changes (esxcli network ... set, add or remove) do not contain " get" or " list" and therefore do not match this rule; only the read-back steps of such a job do.
Filter/Exclusion: Exclude on the parent process or script path of the maintenance job together with the account that runs it and its known schedule, rather than on a task name alone. Any root cron entry on an ESXi host should itself be inventoried, since attackers also use that mechanism for persistence.
Scenario: VMware vSphere Client Configuration Changes
Description: An administrator modifies network settings through the vSphere Client or vCenter. These changes are applied through the hostd management API on the host and do not normally spawn an esxcli process, so they should not produce a matching process-creation event. Only administrators or automation that script the same change with esxcli on the host itself will appear here.
Filter/Exclusion: Do not exclude on the presence of vswitch or portgroup strings in the command line, as that also hides attacker enumeration of the same objects. If in-house tooling does invoke esxcli for configuration sync, exclude on its parent process and service account.
Scenario: Automated Network Monitoring Tool Integration
Description: A third-party monitoring tool (e.g., PRTG, Nagios, or SolarWinds) logs in over SSH and periodically runs esxcli commands such as esxcli network ip get or esxcli network nic list to gather interface statistics or configuration data.
Filter/Exclusion: Run such tools under a dedicated, least-privilege service account and exclude on that account plus the expected command set. Process-creation events carry no source IP, so if you want to filter on the monitoring system's address, correlate the event with the SSH login in the host's auth log or the vCenter session record instead of adding the IP to this rule.
Scenario: ESXi Host Profile Application
Description: An administrator applies or remediates a host profile via vCenter. Like other vCenter-driven changes, host profile remediation goes through hostd rather than a spawned esxcli process, so it is unlikely to match. The scenario becomes relevant when the profile's network settings are instead scripted with esxcli (e.g., esxcli network vswitch standard set or esxcli network vswitch standard portgroup add followed by a ... list to verify the result).
Filter/Exclusion: esxcli has no --profile or --template option, so do not build exclusions on those flags. Exclude on the change-window account and time, or on the parent process of the remediation script, and keep interactive root usage in scope.
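The following is an added example, not part of the Sigma project or the rule above, that re-implements the rule's two selections in Python and runs them over constructed process-creation events, then applies the kind of account- and parent-process-based exclusions the scenarios above recommend. The ProcessEvent fields, the service-account names and the maintenance script path are assumptions chosen for illustration; an analyst would substitute the inventory of their own environment.

```python
"""Evaluate the 'ESXi Network Configuration Discovery Via ESXCLI' logic over
sample events and apply false-positive tuning. Added example; not the rule
author's or the Sigma project's code. All event data below is constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    """Minimal process_creation record. Field names are assumptions that
    roughly follow Sigma's Image/CommandLine/User/ParentImage naming."""
    image: str
    command_line: str
    user: str = ""
    parent_image: str = ""


def sigma_match(ev: ProcessEvent) -> bool:
    """Mirror of the rule: condition is 'all of selection_*'.

    Sigma's contains/endswith modifiers are case-insensitive by default,
    so both sides are lower-cased. Note the leading space in ' get' and
    ' list': it requires a whole argument token, so e.g. 'budget' or
    'playlist' inside another argument would not satisfy selection_cli."""
    img = ev.image.lower()
    cl = ev.command_line.lower()
    selection_img = img.endswith("/esxcli") and "network" in cl
    selection_cli = (" get" in cl) or (" list" in cl)
    return selection_img and selection_cli


# Tuning for the maintenance-task and monitoring-tool scenarios. These
# values are placeholders (assumed), not real product defaults.
KNOWN_MONITORING_USERS = {"svc_prtg", "svc_nagios"}
KNOWN_MAINTENANCE_PARENTS = {"/opt/maint/host_netcheck.sh"}


def is_tuned_out(ev: ProcessEvent) -> bool:
    """Suppress only on who ran it and what launched it, never on the
    presence of vswitch/portgroup strings in the command line."""
    return (ev.user.lower() in KNOWN_MONITORING_USERS
            or ev.parent_image in KNOWN_MAINTENANCE_PARENTS)


def evaluate(events: List[ProcessEvent]) -> Tuple[List[str], List[str]]:
    """Return (alerts, suppressed) as lists of command lines."""
    alerts: List[str] = []
    suppressed: List[str] = []
    for ev in events:
        if not sigma_match(ev):
            continue
        (suppressed if is_tuned_out(ev) else alerts).append(ev.command_line)
    return alerts, suppressed


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Interactive root recon over SSH: should alert.
    ProcessEvent("/bin/esxcli", "esxcli network ip interface ipv4 get",
                 user="root", parent_image="/bin/sh"),
    ProcessEvent("/bin/esxcli", "esxcli network vm list",
                 user="root", parent_image="/bin/sh"),
    # Monitoring service account: matches the rule but is tuned out.
    ProcessEvent("/bin/esxcli", "esxcli network ip get",
                 user="svc_prtg", parent_image="/bin/sh"),
    # Maintenance script parent: matches the rule but is tuned out.
    ProcessEvent("/bin/esxcli", "esxcli network nic list",
                 user="root", parent_image="/opt/maint/host_netcheck.sh"),
    # No 'network' in the command line: selection_img fails.
    ProcessEvent("/bin/esxcli", "esxcli system version get", user="root"),
    # Configuration change, no ' get'/' list': selection_cli fails. This
    # rule does not cover firewall changes; that needs a separate rule.
    ProcessEvent("/bin/esxcli", "esxcli network firewall set --enabled false",
                 user="root"),
]

if __name__ == "__main__":
    alerts, suppressed = evaluate(SAMPLE_EVENTS)
    print("ALERT:", alerts)
    print("SUPPRESSED:", suppressed)
```

Running the block produces two alerts (the root interactive get and list commands) and two suppressed matches (the monitoring account and the maintenance script). The firewall-disable and system-version commands never match, which is a reminder that this rule only sees read-style network enumeration; changes to the host's network or firewall configuration need their own detections.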