T1673

Virtual Machine Discovery

An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, adversaries may enumerate a list of VMs on an ESXi hypervisor using a [Hypervisor CLI](https://attack.mitre.org/techniques/T1059/012) such as `esxcli` or `vim-cmd` (e.g. `esxcli vm process list` or `vim-cmd vmsvc/getallvms`). (Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021) (Citation: TrendMicro Play) Adversaries may also directly leverage a graphical user interface...

ESXi, Linux, macOS, Windows

4 Detections, 2 Sources, 1 Threat Actor

BY SOURCE

2 elastic, 2 splunk_escu

PROCEDURES (4)

Service: 1 detection

Auto-extracted: 1 detection for service

General Monitoring: 1 detection

Auto-extracted: 1 detection for general monitoring

Service: 1 detection

Auto-extracted: 1 detection for service

Azure: 1 detection

Auto-extracted: 1 detection for azure

THREAT ACTORS (1)

DETECTIONS (4)