Virtual Machine Discovery

An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, adversaries may enumerate a list of VMs on an ESXi hypervisor using a Hypervisor CLI such as esxcli or vim-cmd (e.g. esxcli vm process list or vim-cmd vmsvc/getallvms).[1][2] Adversaries may also directly leverage a graphical user interface, such as VMware vCenter, in order to view virtual machines on a host.

Adversaries may use the information gathered through Virtual Machine Discovery to shape follow-on behaviors. The discovered VMs may then be targeted by follow-on activities such as Service Stop or Data Encrypted for Impact.[1]

ID: T1673
Sub-techniques: No sub-techniques
Tactic: Discovery
Platforms: ESXi, Linux, Windows, macOS
Contributors: Janantha Marasinghe
Version: 1.0
Created: 27 March 2025
Last Modified: 15 April 2025

Procedure Examples

ID: S1096
Name: Cheerscrypt
Description: Cheerscrypt has leveraged esxcli vm process list in order to gather a list of running virtual machines to terminate them.[3]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID: DS0017
Data Source: Command
Data Component: Command Execution
Detects: Monitor command-line arguments that may involve listing virtual machines. On ESXi hosts, monitor for commands such as esxcli vm process list or vim-cmd vmsvc/getallvms.

Analytic 1 - Command Execution (ESXi)

index=esxi_logs sourcetype=shell_log (command="esxcli vm process list" OR command="vim-cmd vmsvc/getallvms")
| stats count by host, user, command, _time
| where user != "expected_admin_user" OR like(command, "%unexpected_path%")
| sort -_time

Analytic 1 - Command Execution (Linux/macOS)

(sourcetype=auditd OR sourcetype=sysmon) (process_name IN ("virsh", "VBoxManage", "qemu-img") AND (command="list" OR command="info"))
| stats count by host, user, command, parent_process_name, _time
| where user!="root" AND NOT match(command, "known_admin_script")
| sort -_time

Analytic 1 - Command Execution (Windows - Hyper-V or VMware Workstation)

sourcetype=WinEventLog:Sysmon EventCode=1 (Image="*\\powershell.exe" OR Image="*\\vmrun.exe" OR Image="*\\VBoxManage.exe") (CommandLine="*Get-VM*" OR CommandLine="*list vms*")
| stats count by host, user, Image, CommandLine, ParentImage, _time
| where user!="expected_admin" AND NOT match(CommandLine, "routine_script.ps1")
| sort -_time
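The three analytics above share one shape: match a VM-management tool together with its enumeration subcommand, then suppress activity from accounts expected to administer that host. The following Python is an added example, not part of the ATT&CK page, that applies this logic to a few constructed log lines covering all three platforms; the log line format, the host names and the EXPECTED_ADMINS allow-list are assumptions.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample shell/audit log lines (not from any real host): "<timestamp> <host> <user> <command line>".
SAMPLE_LOGS = [
    "2025-04-01T10:00:01Z esxi01 root esxcli vm process list",
    "2025-04-01T10:00:05Z esxi01 backupsvc vim-cmd vmsvc/getallvms",
    "2025-04-01T10:01:00Z kvm02 deploy /usr/bin/virsh list --all",
    "2025-04-01T10:01:30Z kvm02 svc-web apt info nginx",  # bare "info" from an unrelated tool
    r"2025-04-01T10:02:00Z ws03 jdoe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -Command Get-VM",
    "2025-04-01T10:02:10Z ws03 jdoe VBoxManage.exe list vms",
    "malformed line",
]
# Assumed per-host allow-list of accounts expected to enumerate VMs (the page's "expected_admin").
EXPECTED_ADMINS: Dict[str, Set[str]] = {"esxi01": {"root"}, "kvm02": {"deploy"}, "ws03": {"it-admin"}}
# (executable, subcommand regex) pairs taken from the page's three analytics. BOTH must match,
# so a bare "list" or "info" issued by some unrelated program never produces an alert.
VM_ENUM_PATTERNS = {
    "esxi": [("esxcli", r"^vm\s+process\s+list\b"), ("vim-cmd", r"^vmsvc/getallvms\b")],
    "linux": [("virsh", r"^list\b"), ("VBoxManage", r"^list\s+vms\b"), ("qemu-img", r"^info\b")],
    "windows": [("powershell.exe", r"\bGet-VM\b"), ("vmrun.exe", r"^list\b"), ("VBoxManage.exe", r"^list\s+vms\b")],
}
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")


def classify(cmdline: str) -> Optional[str]:
    """Return the platform label when cmdline is a VM-enumeration command, else None."""
    parts = cmdline.split(None, 1) or [""]
    tool = parts[0].rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # strip any directory prefix
    rest = parts[1] if len(parts) > 1 else ""
    for platform, patterns in VM_ENUM_PATTERNS.items():
        for exe, sub_re in patterns:
            if tool.lower() == exe.lower() and re.search(sub_re, rest, re.IGNORECASE):
                return platform
    return None


def find_alerts(lines: List[str], expected_admins: Dict[str, Set[str]]) -> List[dict]:
    """Flag VM-enumeration commands run by accounts not on the host's allow-list, newest first."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole batch
        platform = classify(m["cmd"])
        if platform is None or m["user"] in expected_admins.get(m["host"], set()):
            continue
        alerts.append({"time": m["ts"], "host": m["host"], "user": m["user"],
                       "platform": platform, "command": m["cmd"]})
    return sorted(alerts, key=lambda a: a["time"], reverse=True)
```

Running find_alerts(SAMPLE_LOGS, EXPECTED_ADMINS) returns three alerts (the vim-cmd call by backupsvc and the two Windows commands by jdoe), while root's esxcli call, deploy's virsh call and the unrelated "apt info" line are left alone.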

References