ESXi Storage Information Discovery Via ESXCLI (f41dada5-3f56-4232-8503-3fb7f9cf2d60)

Detects execution of the "esxcli" command with the "storage" flag to retrieve the storage status and other related information. This behaviour has been seen in malware such as DarkSide and LockBit.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | ESXi Storage Information Discovery Via ESXCLI (f41dada5-3f56-4232-8503-3fb7f9cf2d60) | Sigma-Rules | 1 |
| System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) | Attack Pattern | ESXi Storage Information Discovery Via ESXCLI (f41dada5-3f56-4232-8503-3fb7f9cf2d60) | Sigma-Rules | 1 |