Skip to content

Latest commit

 

History

History
21 lines (19 loc) · 15.1 KB

ds_vmware_vmware_esxi.md

File metadata and controls

21 lines (19 loc) · 15.1 KB
Raw

Vendor: VMware

Product: VMware ESXi

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
146 62 25 6 6
Use-Case Activity Types/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access account-password-change
vmware-esxi-str-endpoint-activity-success-vmwipmi
vmware-esxi-str-endpoint-activity-success-localcli
vmware-esxi-str-endpoint-activity-success-crxcli
vmware-esxi-str-endpoint-activity-success-configstore
vmware-esxi-str-endpoint-activity-success-providermanager
vmware-esxi-str-endpoint-activity-success-userworldcorrelator
vmware-esxi-str-endpoint-activity-vmkernel
vmware-esxi-str-http-close-6876
vmware-esxi-str-network-session-fail-iofiltervpd
vmware-esxi-str-app-login-fail-invalidcredentials
vmware-esxi-str-app-notification-lookingfordc
vmware-esxi-str-app-notification-success-vmfscorrupted
vmware-esxi-str-app-notification-success-storagermfailreplaceslot
vmware-esxi-str-app-notification-success-root
vmware-esxi-str-app-notification-success-storagermreplace
vmware-esxi-kv-app-notification-success-esxupdate
vmware-esxi-str-app-notification-failed
vmware-esxi-str-app-notification-vmkwarning
vmware-esxi-str-app-notification-vsantraceurgent
vmware-esxi-str-app-notification-success-fil3invalid
vmware-esxi-str-app-logout-hostd
vmware-esxi-kv-app-logout-success-loggedout
vmware-esxi-str-app-logout-loggedout

app-login
vmware-esxi-str-app-login-loggedin
vmware-esxi-str-app-login-success-vmauthd
vmware-esxi-str-endpoint-delete-removedvm

remote-logon
vmware-esxi-str-endpoint-login-success-accepted
 T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
  • 32 Rules
  • 14 Models
Account Manipulation account-password-change
vmware-esxi-str-endpoint-activity-success-vmwipmi
vmware-esxi-str-endpoint-activity-success-localcli
vmware-esxi-str-endpoint-activity-success-crxcli
vmware-esxi-str-endpoint-activity-success-configstore
vmware-esxi-str-endpoint-activity-success-providermanager
vmware-esxi-str-endpoint-activity-success-userworldcorrelator
vmware-esxi-str-endpoint-activity-vmkernel
vmware-esxi-str-http-close-6876
vmware-esxi-str-network-session-fail-iofiltervpd
vmware-esxi-str-app-login-fail-invalidcredentials
vmware-esxi-str-app-notification-lookingfordc
vmware-esxi-str-app-notification-success-vmfscorrupted
vmware-esxi-str-app-notification-success-storagermfailreplaceslot
vmware-esxi-str-app-notification-success-root
vmware-esxi-str-app-notification-success-storagermreplace
vmware-esxi-kv-app-notification-success-esxupdate
vmware-esxi-str-app-notification-failed
vmware-esxi-str-app-notification-vmkwarning
vmware-esxi-str-app-notification-vsantraceurgent
vmware-esxi-str-app-notification-success-fil3invalid
vmware-esxi-str-app-logout-hostd
vmware-esxi-kv-app-logout-success-loggedout
vmware-esxi-str-app-logout-loggedout
 T1098 - Account Manipulation
  • 1 Rules
Privilege Escalation remote-logon
vmware-esxi-str-endpoint-login-success-accepted
 T1078 - Valid Accounts
T1555.005 - T1555.005
  • 2 Rules
  • 1 Models
Ransomware app-login
vmware-esxi-str-app-login-loggedin
vmware-esxi-str-app-login-success-vmauthd
vmware-esxi-str-endpoint-delete-removedvm

remote-logon
vmware-esxi-str-endpoint-login-success-accepted
 T1078 - Valid Accounts
  • 1 Rules
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
External Remote Services

Valid Accounts

Exploit Public Fasing Application

 External Remote Services

Valid Accounts

Hijack Execution Flow

Account Manipulation

Boot or Logon Autostart Execution

 Valid Accounts

Exploitation for Privilege Escalation

Hijack Execution Flow

Boot or Logon Autostart Execution

 Hide Artifacts

Obfuscated Files or Information: Indicator Removal from Tools

Valid Accounts

Modify Registry

Use Alternate Authentication Material

Use Alternate Authentication Material: Pass the Hash

Use Alternate Authentication Material: Pass the Ticket

Obfuscated Files or Information

Hijack Execution Flow

Valid Accounts: Local Accounts

 Steal or Forge Kerberos Tickets

Credentials from Password Stores

Steal or Forge Kerberos Tickets: Kerberoasting

 Remote System Discovery

 Remote Services

Use Alternate Authentication Material

 Data from Information Repositories

 Proxy: Multi-hop Proxy

Proxy