Detect Virtual Machine Discovery in Microsoft Sentinel
This detection identifies attempts to enumerate the virtual machines running on a hypervisor or virtualization platform. Attackers who gain access to a hypervisor host or its management plane, such as VMware ESXi, Hyper-V, or KVM, commonly list all running VMs as a precursor to destructive actions such as ransomware deployment or service disruption, since the VM inventory tells them which guests to stop and which disks to encrypt. Key indicators are execution of hypervisor CLI tools (esxcli, vim-cmd, virsh, VBoxManage), PowerShell Hyper-V cmdlets (Get-VM, Get-VMHost), and unauthorized access to vSphere or vCenter management interfaces. The technique has been used by operators of ESXi-targeting ransomware including Cheerscrypt, Qilin, and Play, and by the state-sponsored actor UNC3886 against ESXi infrastructure.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1673 Virtual Machine Discovery
- Canonical reference
- https://attack.mitre.org/techniques/T1673/
KQL Detection Query
let VMDiscoveryPatterns = dynamic(["vm process list", "vmsvc/getallvms", "vmsvc/power.getstate", "esxcli vm", "esxcli storage", "esxcli network vm"]);
let HyperVCmdlets = dynamic(["Get-VM", "Get-VHD", "Get-VMHost", "Get-VMSwitch", "Get-VMNetworkAdapter", "Get-VMSnapshot", "Get-VMReplication"]);
let VBoxCommands = dynamic(["list vms", "list runningvms", "list hdds"]);
DeviceProcessEvents
| where Timestamp > ago(1d)
| where (
// VMware ESXi enumeration via esxcli or vim-cmd. Only visible here when run from a managed host
// (esxcli.exe from the vSphere CLI, or vim-cmd passed on an ssh command line); native ESXi shell activity is not in this table
(ProcessCommandLine has_any ("esxcli", "vim-cmd") and ProcessCommandLine has_any (VMDiscoveryPatterns))
// Hyper-V enumeration via PowerShell
or (FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (HyperVCmdlets))
// VirtualBox management enumeration (VBoxManage.exe on Windows, VBoxManage on Linux/macOS)
or (FileName in~ ("VBoxManage.exe", "VBoxManage") and ProcessCommandLine has_any (VBoxCommands))
// VMware Workstation/Fusion vmrun list
or (FileName in~ ("vmrun.exe", "vmrun") and ProcessCommandLine has "list")
// virsh (KVM/libvirt) enumeration, mainly from Linux endpoints running the Defender for Endpoint agent
or (FileName in~ ("virsh", "virsh.exe") and ProcessCommandLine has_any ("list", "dominfo", "nodeinfo"))
// prlctl (Parallels) enumeration
or (FileName =~ "prlctl" and ProcessCommandLine has "list")
)
| extend CommandType = case(
ProcessCommandLine has_any ("esxcli", "vim-cmd"), "ESXi-CLI",
FileName in~ ("powershell.exe", "pwsh.exe") and ProcessCommandLine has_any (HyperVCmdlets), "HyperV-PowerShell",
FileName in~ ("VBoxManage.exe", "VBoxManage"), "VirtualBox-CLI",
FileName in~ ("vmrun.exe", "vmrun"), "VMware-Workstation",
FileName in~ ("virsh", "virsh.exe"), "KVM-virsh",
FileName =~ "prlctl", "Parallels-prlctl",
"Other"
)
| project
Timestamp,
DeviceName,
AccountName,
AccountDomain,
FileName,
ProcessCommandLine,
InitiatingProcessFileName,
InitiatingProcessCommandLine,
InitiatingProcessAccountName,
CommandType,
FolderPath,
ProcessId
| order by Timestamp desc
Detects execution of hypervisor management CLI tools and PowerShell cmdlets used to enumerate virtual machines across VMware ESXi (esxcli, vim-cmd), Microsoft Hyper-V (Get-VM and related cmdlets), VirtualBox (VBoxManage list), VMware Workstation/Fusion (vmrun list), KVM/libvirt (virsh list), and Parallels (prlctl list). It flags commands that specifically enumerate running VMs, VM configurations, or VM host resources, which are common precursors to ransomware targeting of virtualized environments. Because the query reads Microsoft Defender for Endpoint process telemetry, it covers management workstations, Hyper-V hosts, and Linux/macOS endpoints with the agent installed; commands typed in the ESXi shell itself are recorded only in ESXi's own logs (shell.log) and must be forwarded to Sentinel over syslog and hunted in the Syslog table separately.
Data Sources
Required Tables
- DeviceProcessEvents (Microsoft Defender for Endpoint process creation telemetry, ingested through the Defender XDR connector)
False Positives & Tuning
- VMware infrastructure administrators running routine health checks with esxcli or vim-cmd during scheduled maintenance windows
- Backup and DR solutions (Veeam, Zerto, Commvault) enumerating VMs prior to snapshot-based backup jobs
- Monitoring agents (vRealize Operations, Prometheus VMware exporter, Nagios XI with VMware plugins) polling VM inventory on a schedule
- Ansible, Terraform, or PowerCLI automation scripts performing VM lifecycle management or infrastructure-as-code operations
- IT asset discovery tools (ServiceNow Discovery, Qualys, Rapid7) enumerating virtualized infrastructure during scheduled scans
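The following is an added example, not part of this page's detection package: an offline Python simulation of the KQL logic in the query above, run over constructed DeviceProcessEvents rows, with the tuning from the false-positive list applied as an allow list. It also shows why the Linux case matters (the file name is virsh, not virsh.exe). The account names (svc_veeam, svc_vrops) and parent images in the allow lists are hypothetical placeholders; the has_any helper approximates KQL's whole-term matching rather than reproducing it exactly.

```python
# Added example (not the page's own code): simulate the detection and its tuning
# over constructed process events. Names in the allow lists are hypothetical.
import re
from dataclasses import dataclass

VM_DISCOVERY_PATTERNS = ["vm process list", "vmsvc/getallvms", "vmsvc/power.getstate",
                         "esxcli vm", "esxcli storage", "esxcli network vm"]
HYPERV_CMDLETS = ["Get-VM", "Get-VHD", "Get-VMHost", "Get-VMSwitch",
                  "Get-VMNetworkAdapter", "Get-VMSnapshot", "Get-VMReplication"]
VBOX_COMMANDS = ["list vms", "list runningvms", "list hdds"]

# Tuning allow lists (hypothetical names): accounts and parent images that
# legitimately enumerate VMs on a schedule (backup, monitoring, automation).
ALLOWED_ACCOUNTS = {"svc_veeam", "svc_vrops"}
ALLOWED_PARENTS = {"veeam.backup.service.exe", "ansible-playbook"}


@dataclass
class ProcessEvent:
    """The DeviceProcessEvents columns the detection reads."""
    device_name: str
    account_name: str
    file_name: str
    command_line: str
    parent_file_name: str


def has_any(text: str, terms) -> bool:
    """Approximation of KQL has_any: case-insensitive whole-term match, so
    'Get-VM' does not match inside 'Get-VMHost' (that cmdlet is listed separately)."""
    for term in terms:
        pattern = r"(?<![A-Za-z0-9])" + re.escape(term) + r"(?![A-Za-z0-9])"
        if re.search(pattern, text, re.IGNORECASE):
            return True
    return False


def classify(ev: ProcessEvent):
    """Return the CommandType the query assigns, or None when no branch matches."""
    fn, cl = ev.file_name.lower(), ev.command_line
    if has_any(cl, ["esxcli", "vim-cmd"]) and has_any(cl, VM_DISCOVERY_PATTERNS):
        return "ESXi-CLI"
    if fn in {"powershell.exe", "pwsh.exe"} and has_any(cl, HYPERV_CMDLETS):
        return "HyperV-PowerShell"
    if fn in {"vboxmanage.exe", "vboxmanage"} and has_any(cl, VBOX_COMMANDS):
        return "VirtualBox-CLI"
    if fn in {"vmrun.exe", "vmrun"} and has_any(cl, ["list"]):
        return "VMware-Workstation"
    if fn in {"virsh.exe", "virsh"} and has_any(cl, ["list", "dominfo", "nodeinfo"]):
        return "KVM-virsh"
    if fn == "prlctl" and has_any(cl, ["list"]):
        return "Parallels-prlctl"
    return None


def is_allow_listed(ev: ProcessEvent) -> bool:
    """Suppress scheduled automation only when BOTH the account and the parent
    image are known, so a stolen service account used from cmd.exe still alerts."""
    return (ev.account_name.lower() in ALLOWED_ACCOUNTS
            and ev.parent_file_name.lower() in ALLOWED_PARENTS)


def run_detection(events):
    """Apply the detection and the tuning; return one alert dict per matching event."""
    alerts = []
    for ev in events:
        ctype = classify(ev)
        if ctype is None or is_allow_listed(ev):
            continue
        alerts.append({"DeviceName": ev.device_name, "AccountName": ev.account_name,
                       "FileName": ev.file_name, "CommandType": ctype,
                       "ProcessCommandLine": ev.command_line})
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    ProcessEvent("hv01", "jdoe", "powershell.exe",
                 "powershell.exe -NoProfile -Command Get-VM | Select-Object Name,State", "cmd.exe"),
    ProcessEvent("hv01", "svc_veeam", "powershell.exe",
                 "powershell.exe -Command Get-VM -ComputerName hv01", "Veeam.Backup.Service.exe"),
    ProcessEvent("kvm01", "root", "virsh", "virsh list --all", "bash"),
    ProcessEvent("jump01", "jdoe", "esxcli.exe",
                 "esxcli.exe --server esx01 vm process list", "cmd.exe"),
    ProcessEvent("ws07", "asmith", "powershell.exe",
                 "powershell.exe -Command Get-Process", "explorer.exe"),
    ProcessEvent("ws07", "asmith", "VBoxManage.exe", "VBoxManage.exe list vms", "cmd.exe"),
]

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert)
```

Running the script yields four alerts (the interactive Get-VM, the Linux virsh listing, the esxcli run from the jump host, and the VBoxManage listing); the Veeam-parented Get-VM is suppressed and the Get-Process call never matches. Requiring both a known account and a known parent image for suppression is the safer tuning choice: it removes scheduled backup noise without creating a blanket exemption that an attacker could inherit by compromising the service account.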
Testing Methodology
Validate this detection with the four Atomic Red Team style tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: ESXi VM Enumeration via esxcli and vim-cmd
Expected signal: ESXi shell.log records esxcli and vim-cmd executions with timestamp and user. If executed over SSH, the ESXi sshd log shows the originating client IP, and network logs show an SSH connection from the management workstation to the ESXi management IP on port 22. Note that the ESXi host itself does not run the Defender for Endpoint agent, so this test does not appear in DeviceProcessEvents; to see it in Sentinel, forward ESXi syslog (including shell.log) and query the Syslog table, or look for the ssh client process and its command line on the management workstation.
- Test 2: Hyper-V VM Enumeration via PowerShell
Expected signal: Sysmon Event ID 1 (Process Create) with Image=powershell.exe and CommandLine containing Get-VM and Get-VMHost. Windows Security Event 4688 if process creation auditing with command line is enabled. PowerShell script block logging (Event ID 4104) captures the full command in the Microsoft-Windows-PowerShell/Operational log. In Sentinel the detection fires from DeviceProcessEvents on the Hyper-V host.
- Test 3: VirtualBox VM Enumeration via VBoxManage
Expected signal: Sysmon Event ID 1 with Image=VBoxManage.exe and CommandLine containing 'list vms', 'list runningvms', and 'list hdds'. The Windows prefetch file C:\Windows\Prefetch\VBOXMANAGE.EXE-*.pf is created or updated where prefetch is enabled.
- Test 4: KVM/libvirt VM Enumeration via virsh
Expected signal: Linux auditd records execve events for virsh with all arguments in /var/log/audit/audit.log if an audit rule targets /usr/bin/virsh; these reach the Sentinel Syslog table only if audit output is forwarded via syslog. On endpoints with the Defender for Endpoint Linux agent, DeviceProcessEvents records FileName virsh (no .exe suffix) with the full ProcessCommandLine.
References
- https://attack.mitre.org/techniques/T1673/
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices.html
- https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass
- https://cloud.google.com/blog/topics/threat-intelligence/esxi-vibs-malware
- https://www.halcyon.ai/blog/qilin-ransomware-targets-esxi-hypervisors