
ESXi Storage Information Discovery Via ESXCLI (f41dada5-3f56-4232-8503-3fb7f9cf2d60)

Detects execution of the "esxcli" command with the "storage" flag to retrieve storage status and related information. This behaviour has been seen in malware such as DarkSide and LockBit.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| ESXi Storage Information Discovery Via ESXCLI (f41dada5-3f56-4232-8503-3fb7f9cf2d60) | Sigma-Rules | System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) | Attack Pattern | 1 |
| ESXi Storage Information Discovery Via ESXCLI (f41dada5-3f56-4232-8503-3fb7f9cf2d60) | Sigma-Rules | System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) | Attack Pattern | 1 |