Vendor: VMware

Product: VMware ESXi

| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|:-----:|:------:|:------------------:|:--------------:|:-------:|
| 146 | 62 | 25 | 6 | 6 |

| Use-Case | Activity Types/Parsers | MITRE ATT&CK® TTP | Content |
|----------|------------------------|-------------------|---------|
| Abnormal Authentication & Access | account-password-change<br> ↳vmware-esxi-str-endpoint-activity-success-vmwipmi<br> ↳vmware-esxi-str-endpoint-activity-success-localcli<br> ↳vmware-esxi-str-endpoint-activity-success-crxcli<br> ↳vmware-esxi-str-endpoint-activity-success-configstore<br> ↳vmware-esxi-str-endpoint-activity-success-providermanager<br> ↳vmware-esxi-str-endpoint-activity-success-userworldcorrelator<br> ↳vmware-esxi-str-endpoint-activity-vmkernel<br> ↳vmware-esxi-str-http-close-6876<br> ↳vmware-esxi-str-network-session-fail-iofiltervpd<br> ↳vmware-esxi-str-app-login-fail-invalidcredentials<br> ↳vmware-esxi-str-app-notification-lookingfordc<br> ↳vmware-esxi-str-app-notification-success-vmfscorrupted<br> ↳vmware-esxi-str-app-notification-success-storagermfailreplaceslot<br> ↳vmware-esxi-str-app-notification-success-root<br> ↳vmware-esxi-str-app-notification-success-storagermreplace<br> ↳vmware-esxi-kv-app-notification-success-esxupdate<br> ↳vmware-esxi-str-app-notification-failed<br> ↳vmware-esxi-str-app-notification-vmkwarning<br> ↳vmware-esxi-str-app-notification-vsantraceurgent<br> ↳vmware-esxi-str-app-notification-success-fil3invalid<br> ↳vmware-esxi-str-app-logout-hostd<br> ↳vmware-esxi-kv-app-logout-success-loggedout<br> ↳vmware-esxi-str-app-logout-loggedout<br><br>app-login<br> ↳vmware-esxi-str-app-login-loggedin<br> ↳vmware-esxi-str-app-login-success-vmauthd<br> ↳vmware-esxi-str-endpoint-delete-removedvm<br><br>remote-logon<br> ↳vmware-esxi-str-endpoint-login-success-accepted | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1133 - External Remote Services | 32 Rules<br>14 Models |
| Account Manipulation | account-password-change<br> ↳vmware-esxi-str-endpoint-activity-success-vmwipmi<br> ↳vmware-esxi-str-endpoint-activity-success-localcli<br> ↳vmware-esxi-str-endpoint-activity-success-crxcli<br> ↳vmware-esxi-str-endpoint-activity-success-configstore<br> ↳vmware-esxi-str-endpoint-activity-success-providermanager<br> ↳vmware-esxi-str-endpoint-activity-success-userworldcorrelator<br> ↳vmware-esxi-str-endpoint-activity-vmkernel<br> ↳vmware-esxi-str-http-close-6876<br> ↳vmware-esxi-str-network-session-fail-iofiltervpd<br> ↳vmware-esxi-str-app-login-fail-invalidcredentials<br> ↳vmware-esxi-str-app-notification-lookingfordc<br> ↳vmware-esxi-str-app-notification-success-vmfscorrupted<br> ↳vmware-esxi-str-app-notification-success-storagermfailreplaceslot<br> ↳vmware-esxi-str-app-notification-success-root<br> ↳vmware-esxi-str-app-notification-success-storagermreplace<br> ↳vmware-esxi-kv-app-notification-success-esxupdate<br> ↳vmware-esxi-str-app-notification-failed<br> ↳vmware-esxi-str-app-notification-vmkwarning<br> ↳vmware-esxi-str-app-notification-vsantraceurgent<br> ↳vmware-esxi-str-app-notification-success-fil3invalid<br> ↳vmware-esxi-str-app-logout-hostd<br> ↳vmware-esxi-kv-app-logout-success-loggedout<br> ↳vmware-esxi-str-app-logout-loggedout | T1098 - Account Manipulation | 1 Rules |
| Privilege Escalation | remote-logon<br> ↳vmware-esxi-str-endpoint-login-success-accepted | T1078 - Valid Accounts<br>T1555.005 - T1555.005 | 2 Rules<br>1 Models |
| Ransomware | app-login<br> ↳vmware-esxi-str-app-login-loggedin<br> ↳vmware-esxi-str-app-login-success-vmauthd<br> ↳vmware-esxi-str-endpoint-delete-removedvm<br><br>remote-logon<br> ↳vmware-esxi-str-endpoint-login-success-accepted | T1078 - Valid Accounts | 1 Rules |

MITRE ATT&CK® Framework for Enterprise

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|----------------|-----------|-------------|----------------------|-----------------|-------------------|-----------|------------------|------------|---------------------|--------------|--------|
| External Remote Services<br>Valid Accounts<br>Exploit Public Facing Application | | External Remote Services<br>Valid Accounts<br>Hijack Execution Flow<br>Account Manipulation<br>Boot or Logon Autostart Execution | Valid Accounts<br>Exploitation for Privilege Escalation<br>Hijack Execution Flow<br>Boot or Logon Autostart Execution | Hide Artifacts<br>Obfuscated Files or Information: Indicator Removal from Tools<br>Valid Accounts<br>Modify Registry<br>Use Alternate Authentication Material<br>Use Alternate Authentication Material: Pass the Hash<br>Use Alternate Authentication Material: Pass the Ticket<br>Obfuscated Files or Information<br>Hijack Execution Flow<br>Valid Accounts: Local Accounts | Steal or Forge Kerberos Tickets<br>Credentials from Password Stores<br>Steal or Forge Kerberos Tickets: Kerberoasting | Remote System Discovery | Remote Services<br>Use Alternate Authentication Material | Data from Information Repositories | Proxy: Multi-hop Proxy<br>Proxy | | |