Adversaries may use ESXCLI commands to gather VSAN information from ESXi hosts, which can provide insights into storage configurations and potential targets. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential reconnaissance activities and early-stage compromises.
Detection Rule
title: ESXi VSAN Information Discovery Via ESXCLI
id: d54c2f06-aca9-4e2b-81c9-5317858f4b79
status: test
description: Detects execution of the "esxcli" command with the "vsan" flag in order to retrieve information about virtual storage. Seen used by malware such as DarkSide.
references:
    - https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
    - https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vsan.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.discovery
    - attack.execution
    - attack.t1033
    - attack.t1007
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection_img:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'vsan'
    selection_cli:
        CommandLine|contains:
            - ' get'
            - ' list'
    condition: all of selection_*
falsepositives:
    - Legitimate administration activities
# Note: level can be reduced to low in some envs
level: medium
imProcessCreate
| where (TargetProcessName endswith "/esxcli" and TargetProcessCommandLine contains "vsan") and (TargetProcessCommandLine contains " get" or TargetProcessCommandLine contains " list")
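The rule's matching logic can be checked against test events before it is deployed. The following is an added example, not part of the original rule or its authors' code: it re-implements the two selections in Python and sorts hits by parent process. The field names follow the Sigma process_creation taxonomy; the `ALLOWED_PARENTS` entry, its path, and all sample events are assumptions constructed for illustration.

```python
"""Added example: the Sigma rule's matching logic applied to constructed events."""

def _contains(text: str, needle: str) -> bool:
    # Sigma's |contains modifier is case-insensitive, like KQL's `contains`.
    return needle.lower() in text.lower()

def rule_matches(event: dict) -> bool:
    """condition: all of selection_*  (selection_img AND selection_cli)."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    selection_img = image.lower().endswith("/esxcli") and _contains(cmd, "vsan")
    selection_cli = any(_contains(cmd, v) for v in (" get", " list"))
    return selection_img and selection_cli

# Assumption: parent processes expected to query vSAN in this environment.
ALLOWED_PARENTS = {"/usr/lib/vmware/vpxa/bin/vpxa"}  # hypothetical allow-list entry

def triage(events):
    """Return (investigate, expected) lists of events that hit the rule."""
    investigate, expected = [], []
    for ev in events:
        if rule_matches(ev):
            known = ev.get("ParentImage") in ALLOWED_PARENTS
            (expected if known else investigate).append(ev)
    return investigate, expected

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    # vSAN query from an interactive shell: hit, needs review.
    {"Image": "/bin/esxcli", "CommandLine": "esxcli vsan network list",
     "ParentImage": "/bin/sh"},
    # Same kind of query from an allow-listed parent: hit, expected.
    {"Image": "/bin/esxcli", "CommandLine": "esxcli vsan cluster get",
     "ParentImage": "/usr/lib/vmware/vpxa/bin/vpxa"},
    # No 'vsan' in the command line: selection_img fails, no hit.
    {"Image": "/bin/esxcli", "CommandLine": "esxcli network firewall get",
     "ParentImage": "/bin/sh"},
    # False-positive source: 'vsan' is matched anywhere in the command line,
    # here inside a constructed device identifier, not the vsan namespace.
    {"Image": "/bin/esxcli", "CommandLine": "esxcli storage core device list -d naa.vsan01",
     "ParentImage": "/bin/sh"},
]

if __name__ == "__main__":
    investigate, expected = triage(SAMPLE_EVENTS)
    for ev in investigate:
        print("INVESTIGATE", ev["ParentImage"], "->", ev["CommandLine"])
    for ev in expected:
        print("EXPECTED   ", ev["ParentImage"], "->", ev["CommandLine"])
```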
Scenario: System Maintenance Task - ESXi Host Configuration Audit
Description: A system administrator runs esxcli vsan info as part of a routine host configuration audit to verify VSAN settings.
Filter/Exclusion: Check for the presence of a known maintenance task or script that includes the command in a documented maintenance procedure. Use a filter like:
event_id = "VMWARE-ESXCLI-VSAN-INFO" AND source_ip IN (known_admin_ips) AND command_line LIKE "%vsan info%"
Scenario: Scheduled Job for VSAN Health Monitoring
Description: A scheduled job configured via vCenter or a third-party monitoring tool executes esxcli vsan info periodically to check VSAN health.
Filter/Exclusion: Filter by job name or source process, such as:
event_id = "VMWARE-ESXCLI-VSAN-INFO" AND (source_process = "vpxa" OR source_process = "vsan-health-check")
Scenario: VSAN Troubleshooting by Support Engineer
Description: A VMware support engineer or enterprise support team member runs esxcli vsan info to diagnose a VSAN-related issue.
Filter/Exclusion: Include a filter for known support IP ranges or user roles, such as:
event_id = "VMWARE-ESXCLI-VSAN-INFO" AND (source_ip IN (support_ip_range) OR user_role = "VMware Support")
Scenario: Automation Script for VSAN Configuration Backup
Description: A custom automation script or tool (e.g., Ansible, Puppet) runs esxcli vsan info as part of a backup or configuration management process.
Filter/Exclusion: Check for script