Skip to content
Threat Feed
medium advisory

ESXi System Information Discovery via ESXCLI

Adversaries may use ESXCLI system-level commands to retrieve configuration details on VMware ESXi hosts for reconnaissance purposes, potentially leading to further compromise.

This threat brief focuses on the use of ESXCLI commands to gather system information on VMware ESXi hosts. While ESXCLI is a legitimate tool for system administration, malicious actors can leverage it to perform reconnaissance activities. This includes profiling the ESXi host's capabilities, build information, and system role. Such information gathering is often a precursor to further malicious activities, such as exploiting vulnerabilities or deploying ransomware like Black Basta. The technique is identified via analysis of VMWare ESXi Syslog events.

Attack Chain

  1. The attacker gains initial access to a system with ESXCLI execution capabilities, potentially through compromised credentials or a vulnerability.
  2. The attacker executes ESXCLI commands with "get" or "list" parameters to query system information.
  3. Specific commands like esxcli system version get or esxcli hardware memory get are used to gather details about the ESXi host.
  4. The ESXi host logs the execution of these commands in its syslog, recording the user, command, and destination.
  5. The attacker analyzes the gathered information to identify potential vulnerabilities, misconfigurations, or weaknesses in the ESXi environment.
  6. Based on the reconnaissance findings, the attacker plans subsequent actions, such as exploiting identified vulnerabilities.
  7. The attacker attempts lateral movement to other ESXi hosts or virtual machines within the environment.
  8. The final objective could involve deploying ransomware, exfiltrating sensitive data, or disrupting critical services.

Impact

Successful reconnaissance of ESXi hosts can provide attackers with critical information needed to compromise the entire virtualized environment. This can lead to data breaches, service disruptions, and significant financial losses. VMware ESXi infrastructure is present in a wide array of organizations across various sectors, making this reconnaissance technique a broad concern. The Black Basta ransomware group has been known to target ESXi environments, highlighting the real-world consequences of successful ESXi compromise.

Recommendation

  • Configure ESXi hosts to forward syslog output to a centralized logging system for analysis (VMWare ESXi Syslog).
  • Deploy the Sigma rule ESXi System Information Discovery to detect suspicious ESXCLI command execution in your SIEM.
  • Review and tune the ESXi System Information Discovery rule to minimize false positives based on legitimate administrator activity.
  • Investigate any alerts generated by the ESXi System Information Discovery rule to determine if the activity is authorized.

Detection coverage 2

ESXi System Information Discovery

medium

Detects the use of ESXCLI system-level commands to retrieve configuration details on ESXi hosts.

sigma tactics: discovery techniques: T1082 sources: syslog, vmware

ESXi ESXCLI Command Execution with Destination

info

Detects ESXCLI command execution on ESXi with destination information.

sigma tactics: discovery techniques: T1082 sources: syslog, vmware

Detection queries are available on the platform. Get full rules →