T1673 Virtual Machine Discovery
An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, adversaries may enumerate a list of VMs on an ESXi hypervisor using a Hypervisor CLI such as esxcli or vim-cmd (e.g. esxcli vm process list or vim-cmd vmsvc/getallvms).[2][1] Adversaries may also directly leverage a graphical user interface, such as VMware vCenter, to view the virtual machines on a host.
Adversaries may use the information gathered through Virtual Machine Discovery to shape follow-on behaviors. Discovered VMs may then be leveraged for follow-on activities such as Service Stop or Data Encrypted for Impact.[2]
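As an added example (not part of the ATT&CK entry and not tooling from any of the cited reports), the following Python detection logic parses constructed ESXi shell.log lines, flags the two enumeration commands the description names, and escalates when a guest-termination command follows an enumeration within the same shell session, which is the list-then-terminate sequence the Procedure Examples attribute to Cheerscrypt. The log layout, PIDs, timestamps and world ID are constructed assumptions; the shell.log file and the esxcli vm process kill command are real ESXi artifacts that this page does not itself quote.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of ESXi shell.log lines. The layout mirrors what the ESXi
# shell logger writes (timestamp, "shell[pid]", the logged-in user, the command),
# but every timestamp, PID and world ID here is invented for this example.
SAMPLE_SHELL_LOG = """\
2025-03-27T09:58:12Z shell[2099456]: [root]: esxcli storage filesystem list
2025-03-27T10:00:03Z shell[2099456]: [root]: esxcli vm process list
2025-03-27T10:00:41Z shell[2099456]: [root]: vim-cmd vmsvc/getallvms
2025-03-27T10:02:15Z shell[2099456]: [root]: esxcli vm process kill --type=force --world-id=2101234
2025-03-27T11:30:00Z shell[2103001]: [root]: esxcli network ip interface list
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# The two enumeration commands named in the technique description.
DISCOVERY_PATTERNS = (
    ("esxcli vm process list", re.compile(r"\besxcli\s+vm\s+process\s+list\b")),
    ("vim-cmd vmsvc/getallvms", re.compile(r"\bvim-cmd\s+vmsvc/getallvms\b")),
)

# Destructive follow-on (Service Stop against a guest) that the page notes can
# come right after enumeration, e.g. Cheerscrypt's list-then-terminate.
FOLLOW_ON_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b")

# How soon after an enumeration a kill in the same shell session is correlated.
FOLLOW_ON_WINDOW = timedelta(minutes=10)


def parse_shell_log(text):
    """Parse shell.log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "pid": int(m.group("pid")),
            "user": m.group("user"),
            "cmd": m.group("cmd").strip(),
        })
    return events


def detect_vm_discovery(text, window=FOLLOW_ON_WINDOW):
    """Return alerts for T1673 enumeration and for a kill that follows it closely.

    Correlation is keyed on the shell PID, i.e. the same interactive session,
    so a routine kill hours later from another session is not escalated.
    """
    alerts = []
    last_discovery = {}  # shell pid -> timestamp of its most recent enumeration
    for ev in parse_shell_log(text):
        matched = [name for name, pat in DISCOVERY_PATTERNS if pat.search(ev["cmd"])]
        if matched:
            last_discovery[ev["pid"]] = ev["ts"]
            alerts.append({
                "ts": ev["ts"].isoformat(),
                "pid": ev["pid"],
                "user": ev["user"],
                "severity": "medium",
                "reason": "T1673 VM enumeration via " + matched[0],
            })
        elif FOLLOW_ON_RE.search(ev["cmd"]):
            prior = last_discovery.get(ev["pid"])
            if prior is not None and ev["ts"] - prior <= window:
                alerts.append({
                    "ts": ev["ts"].isoformat(),
                    "pid": ev["pid"],
                    "user": ev["user"],
                    "severity": "high",
                    "reason": "VM kill %ds after enumeration in same session"
                              % int((ev["ts"] - prior).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_vm_discovery(SAMPLE_SHELL_LOG):
        print(a["severity"].upper(), a["ts"], "pid", a["pid"], a["user"], "-", a["reason"])
```

On the sample input this yields two medium alerts for the enumeration commands and one high alert for the kill issued 94 seconds later from the same shell session; enumeration alone is noisy on a host administrators use interactively, so the session-scoped escalation is the signal worth paging on.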
| Item | Value |
|---|---|
| ID | T1673 |
| Sub-techniques | |
| Tactics | TA0007 |
| Platforms | ESXi, Linux, Windows, macOS |
| Version | 1.0 |
| Created | 27 March 2025 |
| Last Modified | 15 April 2025 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1096 | Cheerscrypt | Cheerscrypt has leveraged esxcli vm process list in order to gather a list of running virtual machines to terminate them.[5] |
| S1242 | Qilin | Qilin can detect virtual machine environments.[3] |
| G1048 | UNC3886 | UNC3886 has used scripts to enumerate ESXi hypervisors and their guest VMs.[6] |
| S1217 | VIRTUALPITA | VIRTUALPITA can target specific guest virtual machines for script execution.[4] |
References
1. Cj Arsley Mateo, Darrel Tristan Virtusio, Sarah Pearl Camiling, Andrei Alimboyao, Nathaniel Morales, Jacob Santos, Earl John Bareng. (2024, July 19). Play Ransomware Group's New Linux Variant Targets ESXi, Shows Ties With Prolific Puma. Retrieved March 26, 2025.
2. Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.
3. Halcyon RISE Team. (2024, October 24). New Qilin.B Ransomware Variant Boasts Enhanced Encryption and Defense Evasion. Retrieved September 26, 2025.
4. Alexander Marvi, Jeremy Koppen, Tufail Ahmed, and Jonathan Lepore. (2022, September 29). Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors. Retrieved March 26, 2025.
5. Dela Cruz, A. et al. (2022, May 25). New Linux-Based Ransomware Cheerscrypt Targeting ESXi Devices Linked to Leaked Babuk Source Code. Retrieved December 19, 2023.
6. Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.