IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
ESXI Discovery via Find
editESXI Discovery via Find
editIdentifies instances where the find command is started on a Linux system with arguments targeting specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization software, and their presence in the find command arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files and configurations on the system.
Rule type: eql
Rule indices:
- logs-endpoint.events.*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Linux
- Use Case: Threat Detection
- Tactic: Discovery
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
editprocess where host.os.type == "linux" and event.type == "start" and process.name : "find" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Discovery
- ID: TA0007
- Reference URL: https://attack.mitre.org/tactics/TA0007/
-
Technique:
- Name: Software Discovery
- ID: T1518
- Reference URL: https://attack.mitre.org/techniques/T1518/