title: Virtual Machine Discovery (T1673)
id: df00tech-t1673
status: experimental
description: "This detection identifies adversaries enumerating the virtual machines that run on a hypervisor or virtualization platform. An attacker who gains access to a hypervisor host (VMware ESXi, Hyper-V, or KVM) typically lists every running VM before destructive actions such as ransomware deployment or service disruption, so the enumeration itself is an early warning. Key indicators are execution of hypervisor CLI tools (esxcli, vim-cmd, virsh, VBoxManage), PowerShell Hyper-V cmdlets (Get-VM, Get-VMHost), and unauthorized access to vSphere or vCenter management interfaces. The technique has been used by ransomware operations including Cheerscrypt, Qilin, and Play, and by state-sponsored actors such as UNC3886, against ESXi infrastructure."
references:
  - https://attack.mitre.org/techniques/T1673/
  - https://df00tech.com/detections/T1673
author: df00tech
date: 2026/03/20
tags:
  - attack.t1673
# NOTE: logsource is auto-derived. Windows process_creation covers the Hyper-V
# cmdlets and VBoxManage on Windows hosts. esxcli and vim-cmd run on the ESXi host
# itself (interactive shell commands are recorded in /var/log/shell.log) and virsh
# runs on Linux KVM hosts, so those indicators need a companion rule with the
# matching logsource for your environment.
logsource:
  category: process_creation
  product: windows
detection:
  # Selection reconstructed from the indicators named in the description; the
  # full KQL/SPL query is on df00tech. Substring matches are deliberately broad
  # (e.g. 'Get-VM' also matches Get-VMSwitch) and should be tuned.
  selection_cli:
    CommandLine|contains:
      - 'esxcli'
      - 'vim-cmd'
      - 'virsh'
      - 'VBoxManage'
  selection_hyperv:
    CommandLine|contains:
      - 'Get-VM'
      - 'Get-VMHost'
  condition: 1 of selection_*
falsepositives:
  - "VMware infrastructure administrators running routine health checks with esxcli or vim-cmd during scheduled maintenance windows"
  - "Backup and DR solutions (Veeam, Zerto, Commvault) enumerating VMs prior to snapshot-based backup jobs"
  - "Monitoring agents (vRealize Operations, Prometheus VMware exporter, Nagios XI with VMware plugins) polling VM inventory on a schedule"
  - "Ansible, Terraform, or PowerCLI automation scripts performing VM lifecycle management or infrastructure-as-code operations"
  - "IT asset discovery tools (ServiceNow Discovery, Qualys, Rapid7) enumerating virtualized infrastructure during scheduled scans"
level: high
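The following is an added example, not part of the df00tech rule or its KQL/SPL query: a small Python detector that applies the indicators named in the description to constructed sample events from the three places they show up (an ESXi /var/log/shell.log excerpt, Windows process-creation events with Sysmon-style User and CommandLine fields, and a Linux KVM host), and suppresses the backup service account called out under falsepositives. The shell.log line format, the field names, the enumeration patterns, and the allowlisted account `CORP\svc_veeam` are assumptions for illustration; tune them to your environment.

```python
"""Added example for the T1673 rule (not df00tech's code): match VM-enumeration
commands across ESXi, Windows and Linux events and suppress known automation."""
import json
import re
from dataclasses import dataclass

# Enumeration sub-commands for the tools named in the rule description.
# Assumption: a starting set of patterns, not an exhaustive list.
VM_ENUM_RE = re.compile(
    r"\besxcli\s+vm\s+process\s+list\b"
    r"|\bvim-cmd\s+vmsvc/getallvms\b"
    r"|\bvirsh\s+list\b"
    r"|\bvboxmanage\b\S*\s+list\s+(?:runningvms|vms)\b"
    r"|\bget-vm(?:host)?\b",
    re.IGNORECASE,
)

# Assumed service account for the backup automation listed under falsepositives.
ALLOWED_ACCOUNTS = {"corp\\svc_veeam"}

@dataclass(frozen=True)
class Event:
    source: str        # "esxi" | "windows" | "linux"
    user: str
    command_line: str

# ESXi records interactive shell commands in /var/log/shell.log; the line shape
# below is approximated from that log (constructed sample, not a captured one):
#   2026-03-20T10:14:02Z shell[2098556]: [root]: esxcli vm process list
ESXI_SHELL_RE = re.compile(r"^(\S+) shell\[\d+\]: \[([^\]]+)\]: (.*)$")

def parse_esxi_shell_line(line):
    """Turn one shell.log line into an Event, or None if it does not parse."""
    m = ESXI_SHELL_RE.match(line.strip())
    return Event("esxi", m.group(2), m.group(3)) if m else None

def parse_windows_event(raw_json):
    """Process-creation event with Sysmon-style User/CommandLine fields as JSON."""
    d = json.loads(raw_json)
    return Event("windows", d["User"], d["CommandLine"])

def match_indicator(ev):
    """Return the matched enumeration command (lower-cased) or None."""
    m = VM_ENUM_RE.search(ev.command_line)
    return m.group(0).lower() if m else None

def detect(events):
    """Yield (source, user, indicator) for every hit not covered by the allowlist."""
    alerts = []
    for ev in events:
        ind = match_indicator(ev)
        if ind is None or ev.user.lower() in ALLOWED_ACCOUNTS:
            continue
        alerts.append((ev.source, ev.user, ind))
    return alerts

# Constructed sample input.
SAMPLE_ESXI = [
    "2026-03-20T10:14:02Z shell[2098556]: [root]: esxcli vm process list",
    "2026-03-20T10:15:11Z shell[2098556]: [root]: vim-cmd vmsvc/getallvms",
    "2026-03-20T10:16:00Z shell[2098556]: [root]: esxcli system version get",
]
SAMPLE_WINDOWS = [
    r'{"User": "CORP\\jdoe", "CommandLine": "powershell.exe -c Get-VM | Stop-VM -Force"}',
    r'{"User": "CORP\\svc_veeam", "CommandLine": "powershell.exe -c Get-VM"}',
    r'{"User": "CORP\\admin", "CommandLine": "\"C:\\Program Files\\Oracle\\VirtualBox\\VBoxManage.exe\" list runningvms"}',
]
SAMPLE_LINUX = [Event("linux", "ops", "virsh list --all")]

def run_sample():
    events = [e for e in map(parse_esxi_shell_line, SAMPLE_ESXI) if e]
    events += [parse_windows_event(j) for j in SAMPLE_WINDOWS]
    events += SAMPLE_LINUX
    return detect(events)

if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The matched sub-command is kept in the alert so the analyst sees which enumeration ran, and `esxcli system version get` is deliberately not matched: the rule description ties the technique to listing VMs, so the detector keys on the enumeration verbs rather than on the presence of `esxcli` alone, which keeps routine health checks out of the alert stream.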
