Techniques
Sample rules
ESXi VM Discovery
- source: splunk
- techniques:
- T1673
Description
This detection identifies the use of ESXCLI commands to discover virtual machines on an ESXi host. While used by administrators, this activity may also indicate adversary reconnaissance aimed at identifying high value targets, mapping the virtual environment, or preparing for data theft or destructive operations.
Detection logic
`esxi_syslog` Message="*esxcli vm process*" Message="*list*"
| rex field=_raw "\]: \[(?<user>\w+)\]:(?<command>.+)"
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| stats min(_time) as firstTime max(_time) as lastTime count by dest user command
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_vm_discovery_filter`
ESXi System Information Discovery
- source: splunk
- techniques:
- T1082
Description
This detection identifies the use of ESXCLI system-level commands that retrieve configuration details. While used for legitimate administration, this behavior may also indicate adversary reconnaissance aimed at profiling the ESXi host’s capabilities, build information, or system role in preparation for further compromise.
Detection logic
`esxi_syslog` Message="*system*" AND Message="*esxcli*" AND Message IN ("*get*","*list*") AND Message="*user=*" NOT Message="*filesystem*"
| rex field=_raw "user=(?<user>\w+)\]\s+Dispatch\s+(?<command>[^\s]+)"
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| stats min(_time) as firstTime max(_time) as lastTime count by dest user command
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_system_information_discovery_filter`
ESXi VM Exported via Remote Tool
- source: splunk
- techniques:
- T1005
Description
This detection identifies the use of a remote tool to download virtual machine disk files from a datastore. The NFC protocol is used by management tools to transfer files to and from ESXi hosts, but it can also be abused by attackers or insiders to exfiltrate full virtual disk images.
Detection logic
`esxi_syslog` Message="*File download from path*" Message="*was initiated from*"
| rex field=_raw "from path '\[(?<Datastore>[^\]]+)\](?<VMPath>[^']+)'"
| rex field=_raw "initiated from '(?<InitiatorTool>[^/]+)/(?<ToolVersion>[^@]+)@(?<InitiatorIP>\d{1,3}(?:\.\d{1,3}){3})'"
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| stats min(_time) as firstTime max(_time) as lastTime count by Datastore VMPath InitiatorTool ToolVersion InitiatorIP dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_vm_exported_via_remote_tool_filter`
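The three searches above (ESXi VM Discovery, ESXi System Information Discovery and ESXi VM Exported via Remote Tool) share the same shape: a wildcard filter on Message, one or more rex stages, and a stats ... by aggregation. The Python below is an added example, not code from the page or from the Splunk Security Content project: it re-implements those three stages so the extraction patterns can be checked offline. The sample log lines and the "<timestamp>Z <hostname> <process>: <message>" layout are constructed assumptions chosen so that the page's own regular expressions match them; the `esxi_syslog` source macro and the `*_filter` suppression macros are not modelled.

```python
"""Offline re-implementation of the three ESXi detection searches (added example)."""
import re
from collections import defaultdict

# Constructed sample syslog lines (not real ESXi output). The layout
# "<timestamp>Z <hostname> <process>: <message>" is an assumption chosen so that
# the searches' rex patterns (e.g. "Z (?<dest>[\w\.]+)\s") match as written.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z esxi01.lab.local shell[2001]: [admin]:esxcli vm process list",
    "2024-05-01T10:00:05Z esxi01.lab.local shell[2001]: [admin]:esxcli vm process list",
    "2024-05-01T10:01:10Z esxi02.lab.local Hostd: [user=backup] Dispatch esxcli system version get",
    "2024-05-01T10:01:12Z esxi02.lab.local Hostd: [user=backup] Dispatch esxcli storage filesystem list",
    "2024-05-01T10:02:00Z esxi01.lab.local Hostd: File download from path "
    "'[datastore1]fin-db01/fin-db01-flat.vmdk' was initiated from "
    "'VMware vSphere Client/8.0.2@203.0.113.45'",
]

DEST_RE = re.compile(r"Z (?P<dest>[\w\.]+)\s")  # the dest rex shared by all three searches

# One entry per search: the Message wildcard terms, the rex stages, and the
# stats "by" fields. Terms are lowercased because Splunk's Message="*...*"
# matching is case-insensitive.
RULES = {
    "esxi_vm_discovery": {
        "all_of": ("esxcli vm process", "list"),
        "rex": [re.compile(r"\]: \[(?P<user>\w+)\]:(?P<command>.+)")],
        "by": ("dest", "user", "command"),
    },
    "esxi_system_information_discovery": {
        "all_of": ("system", "esxcli", "user="),
        "any_of": ("get", "list"),          # Message IN ("*get*","*list*")
        "none_of": ("filesystem",),         # NOT Message="*filesystem*"
        # [^\s]+ captures only the first token after "Dispatch", exactly as the search does.
        "rex": [re.compile(r"user=(?P<user>\w+)\]\s+Dispatch\s+(?P<command>[^\s]+)")],
        "by": ("dest", "user", "command"),
    },
    "esxi_vm_exported_via_remote_tool": {
        "all_of": ("file download from path", "was initiated from"),
        "rex": [
            re.compile(r"from path '\[(?P<Datastore>[^\]]+)\](?P<VMPath>[^']+)'"),
            re.compile(r"initiated from '(?P<InitiatorTool>[^/]+)/(?P<ToolVersion>[^@]+)"
                       r"@(?P<InitiatorIP>\d{1,3}(?:\.\d{1,3}){3})'"),
        ],
        "by": ("Datastore", "VMPath", "InitiatorTool", "ToolVersion", "InitiatorIP", "dest"),
    },
}


def passes_filter(line, rule):
    """Emulate the search's Message wildcard terms (AND / IN / NOT)."""
    msg = line.lower()
    if not all(term in msg for term in rule.get("all_of", ())):
        return False
    any_of = rule.get("any_of", ())
    if any_of and not any(term in msg for term in any_of):
        return False
    return not any(term in msg for term in rule.get("none_of", ()))


def extract_fields(line, rule):
    """Apply every rex stage; a non-matching rex simply leaves its fields absent."""
    fields = {}
    for pattern in [DEST_RE, *rule["rex"]]:
        m = pattern.search(line)
        if m:
            fields.update(m.groupdict())
    return fields


def run_rule(name, lines=SAMPLE_LOGS):
    """Return {by-field tuple: {"firstTime", "lastTime", "count"}}, like stats ... by."""
    rule = RULES[name]
    groups = defaultdict(lambda: {"firstTime": None, "lastTime": None, "count": 0})
    for line in lines:
        if not passes_filter(line, rule):
            continue
        fields = extract_fields(line, rule)
        if not all(k in fields for k in rule["by"]):
            continue  # stats drops events whose "by" fields are null
        ts = line.split(" ", 1)[0]  # ISO-8601 timestamps compare correctly as strings
        g = groups[tuple(fields[k] for k in rule["by"])]
        g["firstTime"] = ts if g["firstTime"] is None else min(g["firstTime"], ts)
        g["lastTime"] = ts if g["lastTime"] is None else max(g["lastTime"], ts)
        g["count"] += 1
    return dict(groups)


if __name__ == "__main__":
    for rule_name in RULES:
        print(rule_name)
        for key, agg in run_rule(rule_name).items():
            print("  ", key, agg)
```

Running it shows that the `filesystem` exclusion drops the storage command from the system information search, that the two identical `esxcli vm process list` events collapse into one row with count 2 and a first/last time span, and that the export search yields one row keyed by datastore, VMDK path, tool, version, source IP and host. The same harness is a convenient place to drop real syslog samples when tuning the rex patterns for a given ESXi build.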