| ID | Technique | Tactic |
|---|---|---|
| T1082 | System Information Discovery | Discovery |
Detection: ESXi System Information Discovery
Description
This detection identifies the use of ESXCLI system-level commands that retrieve configuration details. While used for legitimate administration, this behavior may also indicate adversary reconnaissance aimed at profiling the ESXi host's capabilities, build information, or system role in preparation for further compromise.
Search
1`esxi_syslog` Message="*system*" AND Message="*esxcli*" AND Message IN ("*get*","*list*") AND Message="*user=*" NOT Message="*filesystem*"
2| rex field=_raw "user=(?<user>\w+)\]\s+Dispatch\s+(?<command>[^\s]+)"
3| rex field=_raw "Z (?<dest>[\w\.]+)\s"
4| stats min(_time) as firstTime max(_time) as lastTime count by dest user command
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7| `esxi_system_information_discovery_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| VMWare ESXi Syslog | N/A | 'vmw-syslog' |
'vmware:esxlog' |
Macros Used
| Name | Value |
|---|---|
| esxi_syslog | sourcetype=vmw-syslog OR sourcetype=vmware:esxlog* |
| esxi_system_information_discovery_filter | search * |
esxi_system_information_discovery_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
DE.CM
CIS 10
APT19
APT3
APT32
APT37
APT38
APT41
APT42
Aquatic Panda
BlackByte
Blue Mockingbird
CURIUM
Chimera
Confucius
Daggerfly
Darkhotel
FIN13
FIN8
Gamaredon Group
HEXANE
Higaisa
Inception
Ke3chang
Kimsuky
Lazarus Group
Magic Hound
Malteiro
Moonstone Sleet
Moses Staff
MuddyWater
Mustang Panda
Mustard Tempest
OilRig
Patchwork
Play
RedCurl
Rocke
Sandworm Team
SideCopy
Sidewinder
Sowbug
Stealth Falcon
TA2541
TeamTNT
ToddyCat
Tropic Trooper
Turla
Volt Typhoon
Windigo
Windshift
Winter Vivern
Wizard Spider
ZIRCONIUM
admin@338
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
This is based on syslog data generated by VMware ESXi hosts. To implement this search, you must configure your ESXi systems to forward syslog output to your Splunk deployment. These logs must be ingested with the appropriate Splunk Technology Add-on for VMware ESXi Logs, which provides field extractions and CIM compatibility.
Known False Positives
Administrators may use this command when troubleshooting. Tune as needed.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
System information discovery commands executed on ESXi host $dest$ by $user$.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest | system | 30 | No Threat Objects |
| user | user | 30 | No Threat Objects |
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | vmware:esxlog |
vmw-syslog |
| Integration | ✅ Passing | Dataset | vmware:esxlog |
vmw-syslog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1