Adversaries may run ESXCLI storage commands on an ESXi host to enumerate its storage configuration (datastores, devices, adapters), mapping where guest data lives before later stages of an intrusion. SOC teams should proactively hunt for this behavior in Azure Sentinel to catch this early reconnaissance before it leads to data exfiltration, encryption or persistence.
Detection Rule
```yaml
title: ESXi Storage Information Discovery Via ESXCLI
id: f41dada5-3f56-4232-8503-3fb7f9cf2d60
status: test
description: Detects execution of the "esxcli" command with the "storage" flag in order to retrieve information about the storage status and other related information. Seen used by malware such as DarkSide and LockBit.
references:
    - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
    - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_storage.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'storage'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
```
```kql
imProcessCreate
| where (TargetProcessName endswith "/esxcli" and TargetProcessCommandLine contains "storage") and (TargetProcessCommandLine contains " get" or TargetProcessCommandLine contains " list")
```
Scenario: System Maintenance Task
Description: An administrator runs the esxcli storage vmfs command as part of routine system maintenance or storage configuration.
Filter/Exclusion: Exclude commands executed by the root user within the esxcli storage vmfs namespace during scheduled maintenance windows.
Example Filter: user = root and esxcli_cmd = "storage vmfs" and timestamp between [maintenance_window_start] and [maintenance_window_end]
Scenario: Storage Configuration Audit
Description: A security or compliance team performs an audit of storage configurations using the esxcli storage commands.
Filter/Exclusion: Exclude commands executed by users with the vSphere Admin role and within the esxcli storage namespace during audit activities.
Example Filter: user_role = "vSphere Admin" and esxcli_cmd = "storage" and event_type = "audit"
Scenario: Scheduled Storage Backup Job
Description: A backup tool (e.g., Veeam, Commvault) executes storage-related commands via the ESXCLI to gather information for backup purposes.
Filter/Exclusion: Exclude commands executed by backup tools or service accounts during backup windows.
Example Filter: (process_name = "veeam" or process_name = "commvault") and esxcli_cmd = "storage" and timestamp between [backup_window_start] and [backup_window_end]
Scenario: Storage Performance Monitoring
Description: A monitoring tool (e.g., vRealize Operations, PRTG) runs ESXCLI commands to collect storage metrics for performance analysis.
Filter/Exclusion: Exclude commands executed by monitoring tools or service accounts during performance monitoring intervals.
Example Filter: process_name = "vrops" or process
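The rule logic and the exclusion scenarios above, as an added Python example that is not part of the original rule or page: it evaluates the Sigma selections over constructed process-creation events (ASIM imProcessCreate field names) and then applies a maintenance-window and a backup-account exclusion. The window bounds, the service account names and the event values are assumptions.

```python
from datetime import datetime, time

# Constructed sample events (not real telemetry); field names follow the ASIM
# imProcessCreate schema used by the KQL hunt query on this page.
EVENTS = [
    {"TargetProcessName": "/bin/esxcli", "ActorUsername": "root",
     "TargetProcessCommandLine": "esxcli storage filesystem list",
     "TimeGenerated": datetime(2023, 9, 4, 2, 15)},   # in window, not vmfs namespace
    {"TargetProcessName": "/bin/esxcli", "ActorUsername": "root",
     "TargetProcessCommandLine": "esxcli storage vmfs extent list",
     "TimeGenerated": datetime(2023, 9, 4, 14, 30)},  # vmfs, outside window
    {"TargetProcessName": "/bin/esxcli", "ActorUsername": "svc-veeam",
     "TargetProcessCommandLine": "esxcli storage core device list",
     "TimeGenerated": datetime(2023, 9, 4, 23, 10)},  # backup service account
    {"TargetProcessName": "/bin/esxcli", "ActorUsername": "root",
     "TargetProcessCommandLine": "esxcli network ip interface list",
     "TimeGenerated": datetime(2023, 9, 4, 14, 31)},  # not a storage query
    {"TargetProcessName": "/bin/esxcli", "ActorUsername": "root",
     "TargetProcessCommandLine": "esxcli storage vmfs extent list -l ds1",
     "TimeGenerated": datetime(2023, 9, 4, 2, 30)},   # vmfs, inside window
]

# Hypothetical tuning values for the exclusion scenarios.
MAINTENANCE_WINDOW = (time(1, 0), time(3, 0))


def matches_rule(ev):
    """Sigma logic 'all of selection_*'; Sigma string modifiers match case-insensitively."""
    image = ev["TargetProcessName"].lower()
    cmd = ev["TargetProcessCommandLine"].lower()
    selection_img = image.endswith("/esxcli") and "storage" in cmd
    selection_cli = " get" in cmd or " list" in cmd
    return selection_img and selection_cli


def is_excluded(ev):
    """Maintenance-window and backup-job exclusions from the scenarios above."""
    user = ev["ActorUsername"]
    cmd = ev["TargetProcessCommandLine"].lower()
    t = ev["TimeGenerated"].time()
    in_window = MAINTENANCE_WINDOW[0] <= t <= MAINTENANCE_WINDOW[1]
    maintenance = user == "root" and "storage vmfs" in cmd and in_window
    # Parenthesise the OR: without it, AND binds tighter and the first account
    # would be excluded regardless of which command it ran.
    backup = (user == "svc-veeam" or user == "svc-commvault") and "storage" in cmd
    return maintenance or backup


def hunt(events):
    """Command lines that match the rule and survive the exclusions."""
    return [ev["TargetProcessCommandLine"] for ev in events
            if matches_rule(ev) and not is_excluded(ev)]
```

Only the first two events are returned: the in-window run is not in the vmfs namespace and the vmfs run falls outside the window, while the service-account and in-window vmfs runs are filtered.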