Detect Virtual Machine Discovery in Splunk
This detection identifies adversaries attempting to enumerate virtual machines running on hypervisors or virtualization platforms. Attackers who gain access to a hypervisor host (such as VMware ESXi, Hyper-V, or KVM) commonly enumerate all running VMs as a precursor to destructive operations like ransomware deployment or service disruption. Key indicators include execution of hypervisor CLI tools (esxcli, vim-cmd, virsh, VBoxManage), PowerShell Hyper-V cmdlets (Get-VM, Get-VMHost), and unauthorized access to vSphere or vCenter management interfaces. This technique has been observed in use by ransomware groups including Cheerscrypt, Qilin, and Play, as well as nation-state actors like UNC3886 targeting ESXi infrastructure.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1673 Virtual Machine Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1673/
SPL Detection Query
index=* ((sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)
OR (sourcetype="WinEventLog:Security" EventCode=4688))
| eval CommandLine=coalesce(CommandLine, Process_Command_Line)
| eval Image=coalesce(Image, New_Process_Name)
| eval User=coalesce(User, Subject_Account_Name, Account_Name)
| where (
(match(CommandLine, "(?i)(esxcli|vim-cmd)") AND match(CommandLine, "(?i)(vm\s+process\s+list|vmsvc/getallvms|vmsvc/power\.getstate|vmsvc/get)"))
OR (match(Image, "(?i)(powershell\.exe|pwsh\.exe)") AND match(CommandLine, "(?i)(Get-VM\b|Get-VMHost\b|Get-VHD\b|Get-VMSwitch\b|Get-VMNetworkAdapter\b|Get-VMSnapshot\b)"))
OR (match(Image, "(?i)VBoxManage\.exe") AND match(CommandLine, "(?i)(list\s+(vms|runningvms|hdds|snapshots))"))
OR (match(Image, "(?i)vmrun\.exe") AND match(CommandLine, "(?i)\blist\b"))
OR (match(Image, "(?i)virsh") AND match(CommandLine, "(?i)(\blist\b|dominfo|nodeinfo|domstate)"))
)
| eval CommandType=case(
match(CommandLine, "(?i)(esxcli|vim-cmd)"), "ESXi-CLI",
match(Image, "(?i)(powershell|pwsh)") AND match(CommandLine, "(?i)Get-V(M|HD)"), "HyperV-PowerShell",
match(Image, "(?i)VBoxManage"), "VirtualBox-CLI",
match(Image, "(?i)vmrun"), "VMware-Workstation",
match(Image, "(?i)virsh"), "KVM-virsh",
true(), "Other"
)
| eval RiskScore=case(
CommandType="ESXi-CLI", 90,
CommandType="HyperV-PowerShell", 70,
CommandType="VirtualBox-CLI", 60,
CommandType="KVM-virsh", 65,
true(), 50
)
| stats min(_time) as FirstSeen, max(_time) as LastSeen, count as ExecutionCount, values(CommandLine) as CommandLines, values(CommandType) as CommandTypes, max(RiskScore) as MaxRiskScore by host, User, Image
| where ExecutionCount >= 1
| sort - MaxRiskScore
| table FirstSeen, LastSeen, host, User, Image, CommandLines, CommandTypes, MaxRiskScore, ExecutionCount

Detects process creation events (Sysmon EventCode 1 or Security EventCode 4688) where the command line matches patterns associated with hypervisor VM enumeration across VMware ESXi, Hyper-V, VirtualBox, VMware Workstation, and KVM/libvirt. The initial search groups both sourcetypes under one index filter, and the User field is coalesced across the Sysmon and Security event schemas so that the aggregation keys line up. Assigns a risk score by command type and aggregates execution counts, first-seen and last-seen times per host, user and image to surface bulk enumeration behavior; the ExecutionCount threshold is the knob to raise when single-command executions are too noisy in a given environment.
Data Sources
Required Sourcetypes
False Positives & Tuning
- VMware vSphere administrators executing esxcli or vim-cmd commands during scheduled maintenance or incident response
- Backup orchestration software (Veeam Backup & Replication, Commvault) enumerating VM inventory for backup job scheduling
- Infrastructure monitoring tools (SolarWinds, PRTG, vRealize) polling Hyper-V or ESXi for VM health metrics on a scheduled basis
- Ansible playbooks or PowerCLI scripts executed by automation service accounts for VM provisioning or configuration management
- Security vulnerability scanners performing hypervisor asset discovery during authorized scanning windows
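The following is an added example and not part of the original detection package: a small Python re-implementation of the SPL query above (the same image and command-line patterns, the CommandType classification, the risk scores and the per host/user/image aggregation), extended with the allowlist-style suppression that the false-positive list calls for. It lets the matching logic be exercised offline against constructed process-creation events before the SPL is deployed. The event dictionaries, the field names (modelled on Sysmon EventCode 1 and Security EventCode 4688 as extracted by the Splunk Windows add-ons), the service account and the backup-agent path are all assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Rules mirror the SPL where clause and are ordered like its case() so the first
# matching rule decides the CommandType. Each rule: (regex on the process image
# or None for no image constraint, regexes that must ALL match the command line, label).
RULES = [
    (None, [r"(?i)(esxcli|vim-cmd)",
            r"(?i)(vm\s+process\s+list|vmsvc/getallvms|vmsvc/power\.getstate|vmsvc/get)"], "ESXi-CLI"),
    (r"(?i)(powershell\.exe|pwsh\.exe)",
     [r"(?i)(Get-VM\b|Get-VMHost\b|Get-VHD\b|Get-VMSwitch\b|Get-VMNetworkAdapter\b|Get-VMSnapshot\b)"],
     "HyperV-PowerShell"),
    (r"(?i)VBoxManage\.exe", [r"(?i)list\s+(vms|runningvms|hdds|snapshots)"], "VirtualBox-CLI"),
    (r"(?i)vmrun\.exe", [r"(?i)\blist\b"], "VMware-Workstation"),
    (r"(?i)virsh", [r"(?i)(\blist\b|dominfo|nodeinfo|domstate)"], "KVM-virsh"),
]
RISK_SCORE = {"ESXi-CLI": 90, "HyperV-PowerShell": 70, "VirtualBox-CLI": 60, "KVM-virsh": 65}
DEFAULT_RISK = 50  # everything else, including VMware-Workstation, as in the SPL


def normalize(event):
    """Map Sysmon (EventCode 1) and Security (EventCode 4688) field names onto one
    shape, like the coalesce() calls in the SPL. Field names are assumptions."""
    return {
        "host": event.get("host", ""),
        "user": event.get("User") or event.get("Subject_Account_Name") or event.get("Account_Name") or "",
        "image": event.get("Image") or event.get("New_Process_Name") or "",
        "cmdline": event.get("CommandLine") or event.get("Process_Command_Line") or "",
        "parent": event.get("ParentImage") or event.get("Creator_Process_Name") or "",
    }


def classify(image, cmdline):
    """Return the CommandType label for one process, or None if it is not VM discovery."""
    for image_re, cmd_res, label in RULES:
        if image_re and not re.search(image_re, image):
            continue
        if all(re.search(r, cmdline) for r in cmd_res):
            return label
    return None


def detect(events, allowed_users=(), allowed_parents=()):
    """Run the detection over raw events and aggregate per (host, user, image), sorted by
    max risk. Events from allowlisted automation accounts or parent processes (backup
    jobs, monitoring agents) are dropped: this is the tuning step for the false positives."""
    allowed_users = {u.lower() for u in allowed_users}
    allowed_parents = {p.lower() for p in allowed_parents}
    groups = defaultdict(lambda: {"count": 0, "cmdlines": [], "types": set(), "max_risk": 0})
    for raw in events:
        ev = normalize(raw)
        ctype = classify(ev["image"], ev["cmdline"])
        if ctype is None:
            continue
        if ev["user"].lower() in allowed_users or ev["parent"].lower() in allowed_parents:
            continue  # expected automation, suppressed rather than alerted
        g = groups[(ev["host"], ev["user"], ev["image"])]
        g["count"] += 1
        g["cmdlines"].append(ev["cmdline"])
        g["types"].add(ctype)
        g["max_risk"] = max(g["max_risk"], RISK_SCORE.get(ctype, DEFAULT_RISK))
    rows = [{"host": h, "user": u, "image": i, **g} for (h, u, i), g in groups.items()]
    return sorted(rows, key=lambda r: r["max_risk"], reverse=True)


# Constructed sample events (not real telemetry). Hosts, users and paths are made up.
PS_IMAGE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS = [
    {"sourcetype": SYSMON, "EventCode": 1, "host": "HV01", "User": "CORP\\jdoe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -Command \"Get-VM | Select-Object Name, State; Get-VMHost\""},
    {"sourcetype": SYSMON, "EventCode": 1, "host": "HV01", "User": "CORP\\jdoe",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -Command \"Get-VMSnapshot -VMName *\""},
    {"sourcetype": "WinEventLog:Security", "EventCode": 4688, "host": "WKS07",
     "Subject_Account_Name": "admin2", "Creator_Process_Name": "C:\\Windows\\System32\\cmd.exe",
     "New_Process_Name": "C:\\Program Files\\PuTTY\\plink.exe",
     "Process_Command_Line": "plink.exe -ssh admin@esxi-host \"vim-cmd vmsvc/getallvms\""},
    {"sourcetype": SYSMON, "EventCode": 1, "host": "HV01", "User": "CORP\\svc_backup",
     "ParentImage": "C:\\Program Files\\BackupVendor\\backup-agent.exe", "Image": PS_IMAGE,
     "CommandLine": "powershell.exe -NoProfile -Command Get-VM"},
    {"sourcetype": SYSMON, "EventCode": 1, "host": "DEV03", "User": "CORP\\alice",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe",
     "CommandLine": "VBoxManage.exe list runningvms"},
    {"sourcetype": SYSMON, "EventCode": 1, "host": "WKS07", "User": "CORP\\bob",
     "ParentImage": "C:\\Windows\\explorer.exe", "Image": PS_IMAGE,
     "CommandLine": "powershell.exe Get-Process"},  # benign, must not match
]
ALLOWED_USERS = {"CORP\\svc_backup"}  # constructed backup service account
ALLOWED_PARENTS = {"C:\\Program Files\\BackupVendor\\backup-agent.exe"}  # placeholder backup agent path

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, ALLOWED_USERS, ALLOWED_PARENTS):
        print(row["max_risk"], row["host"], row["user"], sorted(row["types"]), row["count"])
```

Running it yields three rows ordered ESXi-CLI (90), HyperV-PowerShell (70) and VirtualBox-CLI (60); the backup service account's Get-VM execution is suppressed by both the user and the parent-process allowlist, while the same event without the allowlists would produce a fourth row. In Splunk the equivalent tuning is a lookup-driven `where NOT [...]` or `search NOT` clause on User and ParentImage placed before the stats; suppressing on parent process rather than on user alone keeps a compromised service account from silently exempting every command it runs.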
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: ESXi VM Enumeration via esxcli
Expected signal: ESXi shell.log will record esxcli and vim-cmd executions with timestamp and user. If executed via SSH, sshd logs on ESXi will show the originating client IP. Network logs will show SSH connection from management workstation to ESXi management IP on port 22.
- Test 2: Hyper-V VM Enumeration via PowerShell
Expected signal: Sysmon Event ID 1 (Process Create) with Image=powershell.exe and CommandLine containing Get-VM and Get-VMHost. Windows Security Event 4688 if process creation auditing with command line is enabled. PowerShell ScriptBlock logging (Event ID 4104) will capture the full command in the Microsoft-Windows-PowerShell/Operational log.
- Test 3: VirtualBox VM Enumeration via VBoxManage
Expected signal: Sysmon Event ID 1 with Image=VBoxManage.exe and CommandLine containing 'list vms', 'list runningvms', and 'list hdds'. Windows prefetch file C:\Windows\Prefetch\VBOXMANAGE.EXE-*.pf will be created or updated.
- Test 4: KVM/libvirt VM Enumeration via virsh
Expected signal: Linux auditd syscall logs will record execve events for virsh with all arguments if audit rules target /usr/bin/virsh. Syslog will contain process execution records. On endpoints with MDE Linux agent, DeviceProcessEvents will capture virsh execution with CommandLine.
References
- https://attack.mitre.org/techniques/T1673/
- https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
- https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-esxi-devices.html
- https://cloud.google.com/blog/topics/threat-intelligence/vmware-esxi-zero-day-bypass
- https://cloud.google.com/blog/topics/threat-intelligence/esxi-vibs-malware
- https://www.halcyon.ai/blog/qilin-ransomware-targets-esxi-hypervisors