
Detect Virtual Machine Discovery in IBM QRadar

This detection identifies adversaries attempting to enumerate virtual machines running on hypervisors or virtualization platforms. Attackers who gain access to a hypervisor host — such as VMware ESXi, Hyper-V, or KVM — commonly enumerate all running VMs as a precursor to destructive operations like ransomware deployment or service disruption. Key indicators include execution of hypervisor CLI tools (esxcli, vim-cmd, virsh, VBoxManage), PowerShell Hyper-V cmdlets (Get-VM, Get-VMHost), and unauthorized access to vSphere or vCenter management interfaces. This technique has been observed in use by ransomware groups including Cheerscrypt, Qilin, and Play, as well as nation-state actors like UNC3886 targeting ESXi infrastructure.

MITRE ATT&CK

Tactic
Discovery
Technique
T1673 Virtual Machine Discovery
Canonical reference
https://attack.mitre.org/techniques/T1673/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS AccountName,
    "CommandLine" AS CommandLine,
    "ParentProcessName" AS ParentProcess,
    "NewProcessName" AS ProcessName,
    CASE
        WHEN "CommandLine" ILIKE '%Get-VM%' THEN 'HyperVEnumeration'
        WHEN "NewProcessName" ILIKE '%VBoxManage%' THEN 'VirtualBoxEnumeration'
        WHEN "CommandLine" ILIKE '%esxcli%' OR "CommandLine" ILIKE '%vim-cmd%' THEN 'ESXiEnumeration'
        WHEN "CommandLine" ILIKE '%virsh%' THEN 'LibvirtEnumeration'
        ELSE 'VMDiscovery'
    END AS DetectionType,
    CASE
        WHEN "CommandLine" ILIKE '%powershell%' AND "CommandLine" ILIKE '%-enc%' THEN 85
        WHEN "username" = 'SYSTEM' THEN 70
        ELSE 60
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Universal DSM')
    AND eventid IN (4688, 1)
    AND (
        "CommandLine" ILIKE '%Get-VM%'
        OR ("NewProcessName" ILIKE '%VBoxManage%' AND "CommandLine" ILIKE '%list %')
        OR "CommandLine" ILIKE '%esxcli%'
        OR "CommandLine" ILIKE '%vim-cmd%'
        OR "CommandLine" ILIKE '%virsh%'
    )
ORDER BY EventTime DESC
LAST 1 HOURS
```
Severity
high
Confidence
high

IBM QRadar AQL detection for Virtual Machine Discovery (T1673). The query searches the QRadar events table for process-creation records consistent with virtual machine discovery and tags each hit with a DetectionType label and a RiskScore so that analysts can triage the highest-risk executions first.

Data Sources

  • IBM QRadar SIEM
  • Windows Security Events
  • Endpoint Agent

Required Tables

events

False Positives & Tuning

  • VMware infrastructure administrators running routine health checks with esxcli or vim-cmd during scheduled maintenance windows
  • Backup and DR solutions (Veeam, Zerto, Commvault) enumerating VMs prior to snapshot-based backup jobs
  • Monitoring agents (vRealize Operations, Prometheus VMware exporter, Nagios XI with VMware plugins) polling VM inventory on a schedule

Testing Methodology

Validate this detection against the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: ESXi VM Enumeration via esxcli

    Expected signal: ESXi shell.log will record esxcli and vim-cmd executions with timestamp and user. If executed via SSH, sshd logs on ESXi will show the originating client IP. Network logs will show SSH connection from management workstation to ESXi management IP on port 22.

  2. Test 2: Hyper-V VM Enumeration via PowerShell

    Expected signal: Sysmon Event ID 1 (Process Create) with Image=powershell.exe and CommandLine containing Get-VM and Get-VMHost. Windows Security Event ID 4688, if process creation auditing with command-line logging is enabled. PowerShell ScriptBlock logging (Event ID 4104) will capture the full command in the Microsoft-Windows-PowerShell/Operational log.

  3. Test 3: VirtualBox VM Enumeration via VBoxManage

    Expected signal: Sysmon Event ID 1 with Image=VBoxManage.exe and CommandLine containing 'list vms', 'list runningvms', and 'list hdds'. Windows prefetch file C:\Windows\Prefetch\VBOXMANAGE.EXE-*.pf will be created or updated.

  4. Test 4: KVM/libvirt VM Enumeration via virsh

    Expected signal: Linux auditd syscall logs will record execve events for virsh with all arguments if audit rules target /usr/bin/virsh. Syslog will contain process execution records. On endpoints with MDE Linux agent, DeviceProcessEvents will capture virsh execution with CommandLine.
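The script below is an added example, not code from the original page or from IBM QRadar. It applies the same indicator set the AQL query keys on (Get-VM/Get-VMHost, VBoxManage list, esxcli/vim-cmd, virsh) to constructed sample records in the three shapes the tests above describe: a key=value rendering of a Sysmon Event 1 / Security 4688 record, an auditd EXECVE record, and an ESXi shell.log line. It goes beyond the query in one respect: a PowerShell -EncodedCommand payload is base64/UTF-16LE-decoded before matching, so a Get-VM hidden behind -enc still classifies instead of being missed. The record layouts, field names, the classification labels and the privileged-account set (SYSTEM as in the query, plus root for the Linux and ESXi sources) are assumptions of this example.

```python
"""Added example (not from the page or IBM QRadar): VM-discovery indicator
matching over constructed process-creation telemetry from several sources."""
import base64
import re
from dataclasses import dataclass

# Detection types mirror the CASE branches of the AQL query. Each regex is applied
# to "<image> <command line>" after any PowerShell -EncodedCommand is decoded.
INDICATORS = [
    ("HyperVEnumeration", re.compile(r"\bGet-VM(Host)?\b", re.I)),
    ("VirtualBoxEnumeration",
     re.compile(r"VBoxManage(\.exe)?\s+list\s+(vms|runningvms|hdds)\b", re.I)),
    ("ESXiEnumeration", re.compile(r"\b(esxcli|vim-cmd)\b", re.I)),
    ("LibvirtEnumeration", re.compile(r"\bvirsh\b", re.I)),
]
# powershell -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
# Assumed privileged principals: SYSTEM (as in the AQL) plus root for Linux/ESXi sources.
PRIVILEGED = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "ROOT"}

@dataclass
class ProcessEvent:
    source: str        # which telemetry produced the record
    user: str
    image: str
    command_line: str

WIN_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_windows(line):
    """Constructed key=value rendering of a Sysmon Event 1 / Security 4688 record."""
    fields = {k: v.strip('"') for k, v in WIN_KV.findall(line)}
    if "Image" not in fields:
        return None
    return ProcessEvent("windows", fields.get("User", ""), fields["Image"],
                        fields.get("CommandLine", ""))

AUDIT_ARG = re.compile(r'\ba\d+="([^"]*)"')

def parse_auditd(line):
    """auditd EXECVE record: argv is carried as a0="..", a1="..", ... (no user field)."""
    if "type=EXECVE" not in line:
        return None
    argv = AUDIT_ARG.findall(line)
    return ProcessEvent("auditd", "", argv[0], " ".join(argv)) if argv else None

ESXI_SHELL = re.compile(r"shell\[\d+\]: \[(\w+)\]: (.+)$")

def parse_esxi_shell(line):
    """ESXi shell.log line; the exact layout is an assumption of this example."""
    m = ESXI_SHELL.search(line)
    if not m:
        return None
    cmd = m.group(2).strip()
    return ProcessEvent("esxi-shell", m.group(1), cmd.split()[0], cmd)

def parse_event(line):
    for parser in (parse_windows, parse_auditd, parse_esxi_shell):
        ev = parser(line)
        if ev:
            return ev
    return None

def decode_encoded_command(command_line):
    """Replace a -EncodedCommand payload with its decoded UTF-16LE text; leave the
    line untouched if the payload is not valid base64/UTF-16LE."""
    m = ENC_RE.search(command_line)
    if not m:
        return command_line
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return command_line
    return command_line[:m.start()] + "<decoded> " + decoded

def risk_score(ev):
    """Same tiers as the AQL query: encoded PowerShell 85, privileged account 70, else 60."""
    if "powershell" in (ev.image + " " + ev.command_line).lower() and ENC_RE.search(ev.command_line):
        return 85
    if ev.user.upper() in PRIVILEGED:
        return 70
    return 60

def detect(lines):
    """Return one finding per input line that matches a VM-discovery indicator."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        cmd = decode_encoded_command(ev.command_line)
        haystack = f"{ev.image} {cmd}"
        for dtype, rx in INDICATORS:
            if rx.search(haystack):
                findings.append({"source": ev.source, "user": ev.user, "type": dtype,
                                 "score": risk_score(ev), "command": cmd})
                break
    return findings

# Constructed sample telemetry, one record per line (not real captures).
ENCODED_GET_VM = base64.b64encode("Get-VM | Select Name".encode("utf-16le")).decode()
SAMPLE_LOGS = [
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" User="CORP\\jdoe" '
    'CommandLine="powershell.exe -NoProfile Get-VMHost"',
    'Image="C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe" User="NT AUTHORITY\\SYSTEM" '
    'CommandLine="VBoxManage.exe list runningvms"',
    'Image="C:\\Windows\\System32\\notepad.exe" User="CORP\\jdoe" CommandLine="notepad.exe report.txt"',
    'Image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" User="CORP\\svc-backup" '
    f'CommandLine="powershell.exe -EncodedCommand {ENCODED_GET_VM}"',
    'type=EXECVE msg=audit(1700000000.123:456): argc=3 a0="virsh" a1="list" a2="--all"',
    "2024-03-01T09:15:02Z shell[2099751]: [root]: esxcli vm process list",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"{f['score']:>3} {f['type']:<22} {f['source']:<10} {f['user']:<20} {f['command']}")
```

Running the script yields five findings out of six records: the notepad line is dropped, the encoded PowerShell line classifies as HyperVEnumeration at score 85 because the decoded text contains Get-VM, and the VBoxManage and esxcli lines score 70 because they ran as SYSTEM and root. For the auditd case in Test 4, "audit rules target /usr/bin/virsh" means a watch rule of the form `-w /usr/bin/virsh -p x -k vm_discovery` in the auditd rule set; without it, execve of virsh produces no EXECVE record for this parser to consume.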
