Adversaries may use ESXi system information discovery via ESXCLI to gather host details and identify potential attack surfaces within the virtualization environment. SOC teams can use the Azure Sentinel query below to proactively hunt for this behavior and detect early-stage reconnaissance that could precede deeper compromise of the host.
Detection Rule
title: ESXi System Information Discovery Via ESXCLI
id: e80273e1-9faf-40bc-bd85-dbaff104c4e9
status: test
description: Detects execution of the "esxcli" command with the "system" flag in order to retrieve information about the different components of the system, such as accounts, modules, NTP, etc.
references:
  - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
  - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
  - attack.discovery
  - attack.execution
  - attack.t1033
  - attack.t1007
  - attack.t1059.012
logsource:
  category: process_creation
  product: linux
detection:
  selection_img:
    Image|endswith: '/esxcli'
    CommandLine|contains: 'system'
  selection_cli:
    CommandLine|contains:
      - ' get'
      - ' list'
  condition: all of selection_*
falsepositives:
  - Legitimate administration activities
level: medium
imProcessCreate
| where (TargetProcessName endswith "/esxcli" and TargetProcessCommandLine contains "system") and (TargetProcessCommandLine contains " get" or TargetProcessCommandLine contains " list")
Scenario: Scheduled ESXi Host Maintenance Task
Description: A legitimate scheduled task runs esxcli system information get as part of routine host health checks or inventory collection.
Filter/Exclusion: Check for command_line containing --schedule or --interval flags, or filter by user field matching the system maintenance account.
Scenario: VMware vCenter Server Health Monitoring Tool
Description: A third-party or internal monitoring tool uses esxcli to gather system information from ESXi hosts as part of a health check.
Filter/Exclusion: Filter by source_ip matching the internal monitoring server, or check for command_line containing --monitoring or --health.
Scenario: ESXi Host Configuration Backup Script
Description: A script used to back up ESXi host configurations includes esxcli system information get to capture system details for archival purposes.
Filter/Exclusion: Filter by command_line containing --backup or --archive, or check for process_name matching a known backup tool (e.g., backup_script.sh).
Scenario: ESXi Host Firmware Update Process
Description: During a firmware update, the ESXi host may execute esxcli commands to gather system information before applying the update.
Filter/Exclusion: Check for command_line containing --update or --firmware, or filter by process_name matching the firmware update tool (e.g., update_firmware.sh).
Scenario: ESXi Host Inventory Sync with vCenter
Description: The ESXi host synchronizes its inventory information with vCenter, which may involve executing esxcli system information get as part of the sync process.
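As an added example that is not part of the rule or the Sigma project, the rule's conditions implemented in Python and run over constructed process-creation events, with the maintenance-account exclusion from the first scenario applied; the account name svc_esxi_maint and the event field names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    image: str          # Sigma Image / KQL TargetProcessName
    command_line: str   # Sigma CommandLine / KQL TargetProcessCommandLine
    user: str           # only used by the tuning filter below

# Sigma's endswith/contains modifiers match case-insensitively, as do the
# KQL operators without a "_cs" suffix, so mirror that behaviour here.
def _ci_endswith(value: str, suffix: str) -> bool:
    return value.lower().endswith(suffix.lower())

def _ci_contains(value: str, needle: str) -> bool:
    return needle.lower() in value.lower()

def matches_rule(event: ProcessEvent) -> bool:
    """Condition 'all of selection_*' from the rule above."""
    selection_img = (_ci_endswith(event.image, "/esxcli")
                     and _ci_contains(event.command_line, "system"))
    # The leading space in ' get' / ' list' keeps the match on the verb token.
    selection_cli = any(_ci_contains(event.command_line, n) for n in (" get", " list"))
    return selection_img and selection_cli

# Assumed account name for the scheduled-maintenance exclusion (first scenario).
MAINTENANCE_ACCOUNTS = {"svc_esxi_maint"}

def triage(event: ProcessEvent) -> str:
    if not matches_rule(event):
        return "no_match"
    if event.user in MAINTENANCE_ACCOUNTS:
        return "excluded_maintenance_account"
    return "alert"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("/bin/esxcli", "esxcli system account list", "root"),
    ProcessEvent("/bin/esxcli", "esxcli system version get", "svc_esxi_maint"),
    ProcessEvent("/bin/esxcli", "esxcli vm process list", "root"),          # no "system"
    ProcessEvent("/bin/esxcli", "esxcli system hostname set -H host01", "root"),  # no get/list
]

def run(events=SAMPLE_EVENTS) -> list[tuple[str, str]]:
    return [(e.command_line, triage(e)) for e in events]

if __name__ == "__main__":
    for cmd, verdict in run():
        print(f"{verdict:30s} {cmd}")
```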