Virtual Machine Discovery (T1673)
Tactic: Discovery · Platforms: ESXi, Linux, macOS, Windows
The interactive view maps 1 detection strategy, 1 threat group, 4 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.
Overview
An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, adversaries may enumerate a list of VMs on an ESXi hypervisor using a Hypervisor CLI such as `esxcli` or `vim-cmd` (e.g. `esxcli vm process list or vim-cmd vmsvc/getallvms`). Adversaries may also directly leverage a graphical user interface, such as VMware vCenter, in order to view virtual machines on a host.
Adversaries may use the information from Virtual Machine Discovery during discovery to shape follow-on behaviors. Subsequently discovered VMs may be leveraged for follow-on activities such as Service Stop or Data Encrypted for Impact.