find

Find Files
Remove Evidence
Find and Replace

A command-line utility that locates files and directories by criteria such as name, type, size and modification time. On ESXi it is the BusyBox find applet, reached as /bin/find.


Paths:
  /bin/find

Resources:
Acknowledgements:

Detection:

Atomic Tests:

Find Files

  1. Locates files with extensions commonly associated with virtual machines, such as .vmdk and .vmx, under /vmfs/volumes (the datastore mount point). This may be performed programmatically, and additional switches can be used to exclude specific folders from the search.

    find /vmfs/volumes/ -type f -name "*.vmdk"
    Use case
    Locate virtual machine disks in preparation for encryption operations or for exfiltration.
    Privileges required
    Administrator
    Operating systems
    ESXi
    Additional Procedural Examples
    • find "/vmfs/volumes/$volume/" -type f -name "*.vmdk" -o -name "*.vmx" -o -name "*.vmxf" -o -name "*.vmsd" -o -name "*.vmsn" -o -name "*.vswp" -o -name "*.vmss" -o -name "*.nvram" -o -name "*.vmem"
    • find /vmfs/volumes/ -type f -not \( -path /sys -prune \) -not \( -path /proc -prune \) -not \( -path /run -prune \) -not \( -path /var/log -prune \) -name "*.vmdk*" -o -name "*.ovf*" -o -name "*.ova*" -o -name "*.vmem*" -o -name "*.vswp*" -o -name "*.vmsd*" -o -name "*.vmsn*" -o -name "*.vib*" -o -name "*.vbk*" -o -name "*.vbm*"
    Note: in both examples the -name tests are chained with -o without \( \) grouping. Because find's implied -a binds tighter than -o, -type f (and, in the second example, the -path exclusions) apply only to the first -name test; every later pattern matches regardless of file type or location. The second example also reaches beyond VM files: .vib is a vSphere Installation Bundle, and .vbk/.vbm are Veeam backup files.
    ATT&CK® technique
    T1083
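The precedence problem in the ungrouped -o chains above is easy to miss when reading the command, so here is an added example (not part of the original page or of any sample's code) that reproduces it on a constructed directory tree standing in for /vmfs/volumes. It runs the chain as observed next to the grouped form and counts what each returns; the fixture contents and the three-pattern subset are assumptions chosen to keep the output short.

```shell
#!/bin/sh
# Added example, not from the original page: shows the operator-precedence
# trap in the ungrouped "-name a -o -name b" chains, on a constructed tree
# instead of a real /vmfs/volumes.

# Build a stand-in datastore (constructed sample data) and print its path.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/ds1/vm1" "$root/ds1/old.vmx"   # a DIRECTORY named like a .vmx
  : > "$root/ds1/vm1/vm1.vmdk"
  : > "$root/ds1/vm1/vm1.vmx"
  : > "$root/ds1/vm1/vm1.nvram"
  : > "$root/ds1/notes.txt"
  printf '%s' "$root"
}

# As seen in the wild: -type f binds only to the first -name, so the
# directory old.vmx is matched as well.
find_ungrouped() {
  find "$1" -type f -name "*.vmdk" -o -name "*.vmx" -o -name "*.nvram" | sort
}

# Grouped with \( \): -type f now applies to every pattern.
find_grouped() {
  find "$1" -type f \( -name "*.vmdk" -o -name "*.vmx" -o -name "*.nvram" \) | sort
}

count_ungrouped() { find_ungrouped "$1" | wc -l | tr -d ' '; }
count_grouped()   { find_grouped "$1"   | wc -l | tr -d ' '; }

main() {
  fx=$(make_fixture)
  echo "ungrouped ($(count_ungrouped "$fx") hits):"; find_ungrouped "$fx"
  echo "grouped   ($(count_grouped "$fx") hits):";   find_grouped "$fx"
  rm -rf "$fx"
}
main
```

The ungrouped form returns four paths (including the old.vmx directory), the grouped form three. The same grouping fix applies to the -not \( -path ... -prune \) exclusions in the second procedural example, which otherwise only constrain the first -name test.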

Remove Evidence

  1. Find and delete every file whose name ends in .log.

    /bin/find / -name *.log -exec /bin/rm -rf {} \;
    Use case
    An adversary deletes every file with the .log extension to clear evidence of their activity on the host.
    Note: *.log is unquoted, so if the working directory contains any .log files the shell expands the glob before find runs, and find then either errors out or matches only the single expanded name. The command as observed relies on being run from a directory without such files.
    Privileges required
    User
    Operating systems
    ESXi
    ATT&CK® technique
    T1070.004

Find and Replace

  1. Find and replace the ESXi web console (Host Client) homepage.

    find /usr/lib/vmware -type f -name index.html
    Use case
    An adversary locates the ESXi web console's index.html and replaces it with a custom page, typically carrying the ransomware note so that anyone opening the host's web UI sees it.
    Privileges required
    User
    Operating systems
    ESXi
    Additional Procedural Examples
    • find /usr/lib/vmware -type f -name index.html
      mv "$path_to_ui/index.html" "$path_to_ui/index1.html"
      cp "$CLEAN_DIR/index.html" "$path_to_ui/index.html"
      ($path_to_ui is the directory returned by the find above; $CLEAN_DIR holds the attacker's replacement page. The original page is renamed rather than deleted, so index1.html remains on disk as an artifact.)

    ATT&CK® technique
    T1491.001
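The Detection field above is empty, so as an added example (not from the original page and not a vendor rule) here is a small triage filter for the three find(1) patterns documented on this page, run over constructed log lines. It assumes the line format of ESXi's /var/log/shell.log ("<timestamp> shell[<pid>]: [root]: <command>"), which is an approximation; the sample lines, the label names and the exact match patterns are all assumptions to adapt to the real format and environment.

```shell
#!/bin/sh
# Added example, not from the original page: flags the three find(1)
# patterns above in constructed shell-history lines.
# ASSUMPTION: line format imitates ESXi /var/log/shell.log; verify against
# a real host before relying on the patterns.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-03-01T08:00:01Z shell[2001]: [root]: esxcli system version get
2024-03-01T08:01:14Z shell[2001]: [root]: find /vmfs/volumes/ -type f -name "*.vmdk" -o -name "*.vmx"
2024-03-01T08:02:30Z shell[2001]: [root]: find /usr/lib/vmware -type f -name index.html
2024-03-01T08:03:02Z shell[2001]: [root]: /bin/find / -name *.log -exec /bin/rm -rf {} \;
2024-03-01T08:04:10Z shell[2001]: [root]: find /scratch/log -name "*.log" -mtime +30
EOF

# Print "<technique> <label>: <line>" for each line matching one pattern.
# case/esac globs are used instead of regex so the logic is identical on
# BusyBox and GNU userland.
scan_shell_log() {
  while IFS= read -r line; do
    case "$line" in
      *find*/vmfs/volumes*-name*.vm*|*find*/vmfs/volumes*-name*.nvram*)
        printf 'T1083 vm-file-discovery: %s\n' "$line" ;;
      *find*-exec*rm*)
        printf 'T1070.004 log-deletion: %s\n' "$line" ;;
      *find*/usr/lib/vmware*index.html*)
        printf 'T1491.001 ui-defacement: %s\n' "$line" ;;
    esac
  done < "$1"
}

# Number of hits carrying one technique ID (T1083, T1070.004, T1491.001).
count_hits() {
  scan_shell_log "$1" | grep -c "^$2 " || true
}

scan_shell_log "$SAMPLE_LOG"
```

Three of the five constructed lines are flagged, one per technique; the final line, a log-rotation-style find that only lists old .log files without -exec rm, is deliberately left unflagged so the filter does not fire on routine housekeeping.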

    Tags
    E-Crime: RansomHouse
    A RaaS group that uses the MrAgent tool to target VMware ESXi hosts
    E-Crime: Nevada
    Nevada Ransomware operates via an affiliate program and has been reported to have carried out a campaign targeting any ESXi machine exposed to the internet