| ID | Technique | Tactic |
|---|---|---|
| T1082 | System Information Discovery | Discovery |
Detection: ESXi System Information Discovery
Description
This detection identifies the use of ESXCLI system-level commands that retrieve configuration details. While used for legitimate administration, this behavior may also indicate adversary reconnaissance aimed at profiling the ESXi host's capabilities, build information, or system role in preparation for further compromise.
Search
1`esxi_syslog` Message="*system*" AND Message="*esxcli*" AND Message IN ("*get*","*list*") AND Message="*user=*" NOT Message="*filesystem*"
2| rex field=_raw "user=(?<user>\w+)\]\s+Dispatch\s+(?<command>[^\s]+)"
3| rex field=_raw "Z (?<dest>[\w\.]+)\s"
4| stats min(_time) as firstTime max(_time) as lastTime count by dest user command
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7| `esxi_system_information_discovery_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| VMWare ESXi Syslog | Other | 'vmw-syslog' |
'vmware:esxlog' |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| esxi_system_information_discovery_filter | search * |
esxi_system_information_discovery_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Exploitation
DE.CM
CIS 10
APT19
APT3
APT32
APT37
APT38
APT41
APT42
Aquatic Panda
BlackByte
Blue Mockingbird
CURIUM
Contagious Interview
Daggerfly
Darkhotel
FIN13
FIN7
FIN8
Gamaredon Group
HEXANE
Higaisa
Inception
Ke3chang
Kimsuky
Lazarus Group
Leviathan
Magic Hound
Malteiro
Medusa Group
MirrorFace
Moonstone Sleet
Moses Staff
MuddyWater
Mustang Panda
Mustard Tempest
OilRig
Patchwork
Play
RedCurl
Rocke
Sandworm Team
Scattered Spider
SideCopy
Sidewinder
Sowbug
Stealth Falcon
Storm-0501
TA2541
TeamTNT
Tropic Trooper
Turla
VOID MANTICORE
Volt Typhoon
Windigo
Windshift
Winter Vivern
Wizard Spider
ZIRCONIUM
admin@338
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Intermediate Finding (Risk Event) | Yes |
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.
Implementation
This is based on syslog data generated by VMware ESXi hosts. To implement this search, you must configure your ESXi systems to forward syslog output to your Splunk deployment. These logs must be ingested with the appropriate Splunk Technology Add-on for VMware ESXi Logs, which provides field extractions and CIM compatibility.
Known False Positives
Administrators may use this command when troubleshooting. Tune as needed.
Associated Analytic Story
Finding
| Title | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| System information discovery commands executed on ESXi host $dest$ by $user$. | user | user | 50 |
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| System information discovery commands executed on ESXi host $dest$ by $user$. | dest | system | 50 |
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | vmware:esxlog |
vmw-syslog |
| Integration | ✅ Passing | Dataset | vmware:esxlog |
vmw-syslog |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 4