esxcli

esxcli is a command-line interface (CLI) tool, implemented as a Python script, used to manage VMware ESXi hosts. Using esxcli, administrators can perform various tasks related to ESXi host management, including network configuration, storage management, and VM operations.


Paths:

Resources:
Acknowledgements:

Detection:

Atomic Tests:

Lists VMs

  1. Provides a CSV output of running Virtual Machines with their corresponding WorldID and DisplayName.

    esxcli --formatter=csv --format-param=fields="WorldID,DisplayName" vm process list
    Use case
    Provides a list of running Virtual Machines with their WorldID and DisplayName in CSV format
    Privileges required
    Administrator
    Operating systems
    ESXi
    Additional Procedural Examples
    • esxcli --formatter=csv vm process list
    • /bin/sh -c esxcli vm process list > list
    ATT&CK® technique
    T1082

Terminate Running VM

  1. Terminates a Virtual Machine using its World ID.

    esxcli vm process kill --type=force --world-id=796791
    Use case
    Force terminates a VM using the WorldID when the soft or hard terminate options fail. Soft termination allows the guest OS to shut down gracefully; this is similar to kill -SIGTERM. Hard mode immediately terminates a Virtual Machine using its World ID: it kills the VMX process and is similar to a kill -9 command.
    Privileges required
    Administrator
    Operating systems
    ESXi
    Additional Procedural Examples
    • esxcli vm process kill --type=hard --world-id=<ID>
    • esxcli vm process kill -w <WID> -t soft
    • esxcli --formatter=csv --format-param=fields="WorldID,DisplayName" vm process list | awk -F "\"*,\"*" '{system("esxcli vm process kill --type=force --world-id=" $1)}'
    ATT&CK® technique
    T1489

System Information

  1. Display the product name, version and build information.

    esxcli system version get
    Use case
    An adversary may use this to obtain the exact build version information of the ESXi host to facilitate subsequent actions.
    Privileges required
    Administrator
    Operating systems
    ESXi
    ATT&CK® technique
    T1082

  2. Shows FQDN of the ESXi host.

    esxcli system hostname get
    Use case
    FQDN of the host can be used as part of infrastructure information gathering operations.
    Privileges required
    Administrator
    Operating systems
    ESXi
    ATT&CK® technique
    T1082

Account Enumeration

  1. Displays a list of local accounts in the ESXi host.

    esxcli system account list
    Use case
    An adversary may use the list of local accounts for subsequent operations. The CSV output option was selected in certain operations.
    Privileges required
    Administrator
    Operating systems
    ESXi
    Additional Procedural Examples
    • esxcli --formatter=csv system account list
    ATT&CK® technique
    T1087.001

Discover storage

  1. Shows all the volumes available on the ESXi host.

    esxcli storage filesystem list
    Use case
    An adversary may use this command to gain visibility of the different volumes attached to the ESXi host under the /vmfs/volumes folder. This location usually holds data related to VMs.
    Privileges required
    Administrator
    Operating systems
    ESXi
    Additional Procedural Examples
    • esxcli storage filesystem list | grep "/vmfs/volumes/" | awk -F'  ' '{print $2}'
    ATT&CK® technique
    T1082

  2. List the status of VMDKs in vSAN.

    esxcli vsan debug vmdk list
    Use case
    An adversary carries out enumeration of storage.
    Privileges required
    Administrator
    Operating systems
    ESXi
  3. List the UUID of the vSAN objects.

    esxcli --format-param=fields="Type,ObjectUUID,Configuration" vsan debug object list
    Use case
    An adversary carries out enumeration of storage objects.
    Privileges required
    Administrator
    Operating systems
    ESXi
  4. List the Devfs Path of the devices currently registered with the storage.

    esxcli --formatter=csv --format-param=fields="Device,DevfsPath" storage core device list
    Use case
    An adversary carries out enumeration of devices connected to storage.
    Privileges required
    Administrator
    Operating systems
    ESXi

Change Display Information

  1. Changes the ESXi Welcome Message on the Direct Console User Interface (DCUI).

    /bin/sh -c "esxcli system welcomemsg set -m=\"\""
    Use case
    An adversary changes the welcome message on the DCUI with ransomware notification.
    Privileges required
    Administrator
    Operating systems
    ESXi
    ATT&CK® technique
    T1491.001

Disable Service

  1. Disables the ESXi firewall.

    esxcli network firewall set --enabled false
    Use case
    An adversary disables the ESXi host-based firewall so that it causes minimum interference with their operations.
    Privileges required
    Administrator
    Operating systems
    ESXi
    ATT&CK® technique
    T1562.004

Discover Network Info

  1. Displays network interface details.

    esxcli --formatter=csv network ip interface ipv4 get
    Use case
    An adversary may obtain information regarding network interfaces available in the ESXi host.
    Privileges required
    Administrator
    Operating systems
    ESXi
    Additional Procedural Examples
    • esxcli --formatter=csv network ip interface ipv4 get

Software Operation

  1. Install a VIB without checking the signature.

    esxcli software vib install -f --no-sig-check -v <vib-path>
    Use case
    To bypass additional validation when installing malicious VIBs, an adversary uses the force and no-signature-check switches. Malicious VIBs are used to maintain persistence and command execution capability on an ESXi host and its guest VMs.
    Privileges required
    Administrator
    Operating systems
    ESXi
  2. Changes the VIB acceptance level to CommunitySupported.

    esxcli software acceptance set --level CommunitySupported
    Use case
    ESXi by default requires VIBs to be signed and sets the acceptance level to PartnerSupported. An adversary may change the VIB acceptance level to CommunitySupported prior to running the VIB installation.
    Privileges required
    Administrator
    Operating systems
    ESXi
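The Detection field above is empty. As an added example (not part of this page or of the LOLESXi project), the following Python script runs a set of pattern rules, derived from the commands listed on this page, over constructed ESXi shell-history lines. It assumes the line layout ESXi writes to /var/log/shell.log (timestamp, `shell[pid]:`, the user in brackets, then the typed command); the sample lines, rule labels and the `impact_after_discovery` heuristic are this example's own constructions. Commands for which the page gives no ATT&CK id are mapped to `None` rather than a guessed id.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample lines in the shape of /var/log/shell.log entries (assumed format).
SAMPLE_SHELL_LOG = """\
2024-05-01T10:00:01Z shell[2101]: [root]: esxcli system version get
2024-05-01T10:00:09Z shell[2101]: [root]: esxcli system account list
2024-05-01T10:00:20Z shell[2101]: [root]: esxcli network firewall set --enabled false
2024-05-01T10:00:31Z shell[2101]: [root]: esxcli software acceptance set --level CommunitySupported
2024-05-01T10:00:40Z shell[2101]: [root]: esxcli software vib install -f --no-sig-check -v /tmp/x.vib
2024-05-01T10:01:02Z shell[2101]: [root]: esxcli --formatter=csv --format-param=fields="WorldID,DisplayName" vm process list
2024-05-01T10:01:15Z shell[2101]: [root]: esxcli vm process kill --type=force --world-id=796791
2024-05-01T10:01:20Z shell[2101]: [root]: esxcli system welcomemsg set -m="Your files are encrypted"
2024-05-01T10:02:00Z shell[2101]: [root]: ls /vmfs/volumes
"""


class Finding(NamedTuple):
    timestamp: str
    user: str
    technique: Optional[str]  # ATT&CK id as given on the page, None where the page has none
    label: str
    command: str


LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# Rules in priority order: the first matching rule wins, so impact and
# defence-evasion commands are classified before the broad discovery rule.
RULES = [
    ("T1489", "VM termination", re.compile(r"\bvm process kill\b")),
    ("T1562.004", "Firewall disabled", re.compile(r"\bnetwork firewall set\b.*--enabled\s+false")),
    ("T1491.001", "DCUI welcome message changed", re.compile(r"\bsystem welcomemsg set\b")),
    (None, "Unsigned VIB install", re.compile(r"\bsoftware vib install\b.*--no-sig-check")),
    (None, "Acceptance level lowered", re.compile(r"\bsoftware acceptance set\b.*CommunitySupported")),
    ("T1087.001", "Local account enumeration", re.compile(r"\bsystem account list\b")),
    ("T1082", "Host/VM/storage discovery", re.compile(
        r"\b(vm process list|system version get|system hostname get|storage filesystem list"
        r"|storage core device list|vsan debug (vmdk|object) list)\b")),
    (None, "Network interface discovery", re.compile(r"\bnetwork ip interface ipv4 get\b")),
]

IMPACT_LABELS = {"VM termination", "Firewall disabled", "DCUI welcome message changed",
                 "Unsigned VIB install", "Acceptance level lowered"}
DISCOVERY_LABELS = {"Local account enumeration", "Host/VM/storage discovery",
                    "Network interface discovery"}


def parse_shell_log(text: str) -> List[Finding]:
    """Return one Finding per esxcli invocation that matches a rule, in log order."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or "esxcli" not in m.group("cmd"):
            continue  # non-esxcli commands are ignored by these rules
        cmd = m.group("cmd")
        for technique, label, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(m.group("ts"), m.group("user"), technique, label, cmd))
                break
    return findings


def impact_after_discovery(findings: List[Finding]) -> List[Finding]:
    """Impact findings by a user who already ran a discovery command earlier in the log.

    This is a constructed heuristic for the enumerate-then-act sequence the page describes.
    """
    seen_discovery = set()
    flagged = []
    for f in findings:
        if f.label in DISCOVERY_LABELS:
            seen_discovery.add(f.user)
        elif f.label in IMPACT_LABELS and f.user in seen_discovery:
            flagged.append(f)
    return flagged


if __name__ == "__main__":
    for f in parse_shell_log(SAMPLE_SHELL_LOG):
        print(f"{f.timestamp} {f.user:<6} {f.technique or '-':<10} {f.label}: {f.command}")
    print("impact after discovery:", len(impact_after_discovery(parse_shell_log(SAMPLE_SHELL_LOG))))
```

In production the same rules are usually applied by the SIEM to forwarded syslog from the host rather than by a script on the host itself, since shell.log can be edited by the same administrator account that ran the commands.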
    Tags
    E-Crime: PINCHY SPIDER
    Operates REvix ransomware
    E-Crime: REvix
    ELF ransomware binary targeting ESXi
    E-Crime: Rhysida
    Ransomware operator that has similarities to Vice Society
    E-Crime: VIKING SPIDER
    Developers of Ragnar Locker ransomware
    E-Crime: Ragnar Locker
    Engages in multi-extortion and is developed by Viking Spider
    E-Crime: RansomHouse
    A RaaS group that uses the MrAgent tool to target VMware ESXi hosts
    E-Crime: Darkside
    A RaaS group that uses double extortion of its victims. Its most notable incident was the Colonial Pipeline Company ransomware incident
    E-Crime: Qilin
    Aka Agenda; written in Golang. Uses the double extortion technique and targets large enterprises and high-value targets
    E-Crime: Blacksuit
    Aka Royal; targets mostly health, education and critical infrastructure
    E-Crime: ESXiArgs
    ESXiArgs was involved with mass exploitation of CVE-2021-21974 vulnerability in the past
    E-Crime: Nevada
    Nevada Ransomware operates via an affiliate program and has been reported to have carried out a campaign targeting any ESXi machine that is exposed to the internet
    E-Crime: Blackcat
    BlackCat (aka ALPHV, Noberus) ransomware is written in Rust. Reported to have been created by a group of Russian-speaking cybercriminals
    E-Crime: Royal Ransomware
    This function was tagged with "E-Crime: Royal Ransomware".
    E-Crime: Lockbit
    A RaaS that utilises initial access brokers to gain access to victims. Reported to target critical infrastructure sectors, financial services, transportation, food and agriculture, education, energy, government and emergency services
    E-Crime: Revil
    Aka Sodinokibi; a Russia-based cybercriminal group that operates a RaaS model
    APT: UNC3886
    A suspected Chinese threat actor who has used sophisticated and novel techniques during ESXi intrusions