{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/vmware-esxi/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["VMware ESXi"],"_cs_severities":["medium"],"_cs_tags":["esxi","vmware","discovery"],"_cs_type":"advisory","_cs_vendors":["VMware"],"content_html":"\u003cp\u003eThe detection focuses on identifying the execution of ESXCLI commands specifically used for virtual machine discovery within a VMware ESXi environment. While legitimate administrators utilize these commands for troubleshooting and management, their presence can also signal malicious reconnaissance activities by threat actors. This reconnaissance could be aimed at identifying critical VMs, mapping the virtual infrastructure, or laying the groundwork for subsequent attacks like data exfiltration or ransomware deployment. This activity is particularly relevant to organizations heavily reliant on virtualization.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e The attacker gains initial access to the ESXi host, potentially through credential compromise, exploiting a vulnerability, or social engineering.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e The attacker authenticates to the ESXi host, possibly using stolen credentials or a compromised account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCommand Execution:\u003c/strong\u003e The attacker executes ESXCLI commands to list virtual machines. This involves commands containing \u0026quot;esxcli vm process\u0026quot; and \u0026quot;list\u0026quot;.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection:\u003c/strong\u003e The ESXi host processes the ESXCLI command, retrieving information about the virtual machines running on the host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e The attacker analyzes the output of the ESXCLI command to identify high-value targets, map the virtual environment, and plan further actions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Potential):\u003c/strong\u003e Based on the gathered information, the attacker may attempt to move laterally to other systems within the virtual environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Theft/Destructive Operations (Potential):\u003c/strong\u003e The attacker may attempt to steal sensitive data from the targeted virtual machines or perform destructive actions, such as encrypting or deleting data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful execution of ESXCLI commands for VM discovery can provide attackers with a comprehensive understanding of the virtual infrastructure. This knowledge can be leveraged to identify critical assets, facilitate lateral movement, and ultimately lead to data theft, system disruption, or ransomware deployment. Depending on the scope and sensitivity of the compromised VMs, the impact could range from business disruption to significant financial losses.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable VMWare ESXi Syslog and ingest into your SIEM to detect malicious activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;ESXi VM Discovery\u0026quot; to your SIEM and tune for your environment to detect suspicious ESXCLI command usage.\u003c/li\u003e\n\u003cli\u003eInvestigate any detected instances of ESXCLI commands being used for VM discovery, especially when originating from non-administrative accounts.\u003c/li\u003e\n\u003cli\u003eMonitor user accounts, especially those with elevated privileges, for suspicious behavior.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-02-esxi-vm-discovery/","summary":"Adversaries may use ESXCLI commands to discover virtual machines on an ESXi host, potentially indicating reconnaissance for high-value targets, environment mapping, or preparation for data theft or destructive operations.","title":"ESXi VM Discovery via ESXCLI Commands","url":"https://feed.craftedsignal.io/briefs/2024-01-02-esxi-vm-discovery/"}],"language":"en","title":"CraftedSignal Threat Feed - VMware ESXi","version":"https://jsonfeed.org/version/1.1"}