Adversaries may use the ESXCLI command to enumerate ESXi virtual machines, leveraging T1033 to gather system information and T1007 to execute commands with elevated privileges. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential lateral movement or reconnaissance activities in virtualized environments.
Detection Rule
title: ESXi VM List Discovery Via ESXCLI
id: 5f1573a7-363b-4114-9208-ad7a61de46eb
status: test
description: Detects execution of the "esxcli" command with the "vm" flag in order to retrieve information about the installed VMs.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'vm process'
        CommandLine|endswith: ' list'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
Azure Sentinel Query (ASIM imProcessCreate)
imProcessCreate
| where TargetProcessName endswith "/esxcli"
    and TargetProcessCommandLine contains "vm process"
    and TargetProcessCommandLine endswith " list"
False Positive Scenarios
Scenario: Scheduled VM Inventory Sync via vCenter
Description: A scheduled job in vCenter runs esxcli commands to synchronize VM inventory with a backup or management system.
Filter/Exclusion: Check for esxcli system settings get or esxcli system settings set commands, or filter by process name vmware-vpxd or vpxd.
Scenario: VMware vSphere Client Configuration Task
Description: An administrator uses the vSphere Client to configure VM settings, which may trigger esxcli commands under the hood during configuration changes.
Filter/Exclusion: Filter by user account (e.g., root or [email protected]) or check for known configuration tasks like esxcli system settings set.
Scenario: VMware Host Client VM Management
Description: An admin uses the VMware Host Client to manage VMs, which may result in esxcli command execution for tasks like power on/off or snapshot management.
Filter/Exclusion: Filter by process name vmware-hostd or check for known VM management commands like esxcli vm process list.
Scenario: VMware vSphere Update Manager (VUM) Task
Description: A VUM task runs to apply patches or updates to ESXi hosts, which may involve esxcli commands for system configuration or patching.
Filter/Exclusion: Check for esxcli software vib list or esxcli software vib install, or filter by process name vpxd or vum.
Scenario: VMware vSAN Health Check Script
Description: A script or tool running a health check for vSAN may use esxcli to gather VM and host information.
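To show how the rule's selection behaves on process-creation telemetry, and how the parent-process exclusions suggested in the scenarios above tune it, here is an added Python example; it is not part of the Sigma rule or of the original page. It assumes events carry the rule's field names Image and CommandLine plus a ParentImage field, it assumes that the vCenter and Host Client components named in the scenarios (vpxd, vmware-vpxd, vmware-hostd) appear as the parent process of esxcli when they drive it, and every event is a constructed sample. It goes slightly beyond the page by treating the string modifiers as case-insensitive, which is Sigma's default for endswith and contains.

```python
"""Evaluate the "ESXi VM List Discovery Via ESXCLI" selection over process
creation events and split the hits into alerts and suppressed events.

Added example, not the Sigma project's code. Field names Image and
CommandLine follow the rule; ParentImage and the sample events are assumed
and constructed here for illustration.
"""

# The three clauses of the rule's `selection` map. A Sigma map is an AND of
# its clauses, and its string modifiers are case-insensitive by default.
SELECTION = (
    ("Image", "endswith", "/esxcli"),
    ("CommandLine", "contains", "vm process"),
    ("CommandLine", "endswith", " list"),
)

# Management components named in the false-positive scenarios. Assumption:
# when they drive esxcli, they appear as its parent process.
TRUSTED_PARENTS = ("/vpxd", "/vmware-vpxd", "/vmware-hostd")


def modifier_match(value: str, modifier: str, pattern: str) -> bool:
    """Apply one Sigma string modifier, case-insensitively."""
    value, pattern = value.lower(), pattern.lower()
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "contains":
        return pattern in value
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event: dict) -> bool:
    """True when every clause of the selection matches the event."""
    return all(
        modifier_match(str(event.get(field, "")), modifier, pattern)
        for field, modifier, pattern in SELECTION
    )


def is_trusted_parent(event: dict) -> bool:
    """Exclusion from the scenarios: esxcli spawned by a known VMware daemon."""
    return str(event.get("ParentImage", "")).lower().endswith(TRUSTED_PARENTS)


def triage(events: list) -> tuple:
    """Return (alerts, suppressed): rule hits split by the exclusion."""
    alerts, suppressed = [], []
    for event in events:
        if not matches_selection(event):
            continue
        (suppressed if is_trusted_parent(event) else alerts).append(event)
    return alerts, suppressed


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # Interactive shell listing VMs: the behaviour the rule is after.
    {"Image": "/bin/esxcli", "CommandLine": "esxcli vm process list",
     "ParentImage": "/bin/sh", "User": "root"},
    # Same command, but launched by the host daemon (Host Client scenario).
    {"Image": "/bin/esxcli", "CommandLine": "esxcli vm process list",
     "ParentImage": "/bin/vmware-hostd", "User": "root"},
    # Upper-case variant: still matched because Sigma modifiers ignore case.
    {"Image": "/bin/ESXCLI", "CommandLine": "ESXCLI VM PROCESS LIST",
     "ParentImage": "/bin/sh", "User": "root"},
    # Other esxcli namespaces: not matched by this rule.
    {"Image": "/bin/esxcli", "CommandLine": "esxcli software vib list",
     "ParentImage": "/bin/sh", "User": "root"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system version get",
     "ParentImage": "/bin/sh", "User": "root"},
    # Unrelated binary with a similar command line: wrong Image, no match.
    {"Image": "/bin/cat", "CommandLine": "cat vm process list",
     "ParentImage": "/bin/sh", "User": "root"},
]


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for event in alerts:
        print("ALERT     ", event["ParentImage"], "->", event["CommandLine"])
    for event in suppressed:
        print("SUPPRESSED", event["ParentImage"], "->", event["CommandLine"])
```

Run stand-alone it prints two alerts (the shell-spawned listings, including the upper-case one) and one suppressed event (the listing spawned by vmware-hostd). Note that the exclusion keys on the parent, not on the user: the scenarios' suggestion to filter on root would silence the interactive case too, since esxcli on an ESXi host normally runs as root anyway.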