Devcon Execution Disabling VMware VMCI Device

title: Devcon Execution Disabling VMware VMCI Device
id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de
status: experimental
description: |
    Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device.
    This can be legitimate during VMware Tools troubleshooting or driver conflicts, but may also indicate malware attempting to hijack communication with the hardware via the VMCI device.
    This has been used to facilitate VMware ESXi vulnerability exploits to escape VMs and execute code on the ESXi host.
references:
    - https://learn.microsoft.com/en-us/windows-hardware/drivers/devtest/devcon
    - https://communities.vmware.com/t5/VMware-Workstation-Pro/VMCI-driver-issues/td-p/2866060
    - https://github.com/search?q=devcon+disable+VMWVMCIHOSTDEV
    - https://huntress.com/blog/esxi-vm-escape-exploit
author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
date: 2026-01-02
tags:
    - attack.defense-evasion
    - attack.persistence
    - attack.privilege-escalation
    - attack.t1543.003
    - attack.t1562.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith: '\devcon.exe'
        - OriginalFileName: 'DevCon.exe'
    selection_action:
        CommandLine|contains: ' disable '
    selection_vmci_pci:
        CommandLine|contains:
            - '15AD&DEV_0740' # VMware VMCI PCI device (Vendor 0x15AD = VMware, Device 0x0740 = VMCI)
            - 'VMWVMCIHOSTDEV' # VMware VMCI root host device driver name
    condition: all of selection_*
falsepositives:
    - Legitimate VMware administration, Tools installation/uninstallation, or troubleshooting driver conflicts.
    - Automated scripts in virtualized environments for device cleanup.
level: high
regression_tests_path: regression_data/rules/windows/process_creation/proc_creation_win_devcon_disable_vmci_driver/info.yml