[metadata]
creation_date = "2023/04/11"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.5.0"
updated_date = "2023/04/11"

[rule]
author = ["Elastic"]
description = """
Identifies instances where the 'find' command is started on a Linux system with arguments targeting
specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*".
These paths are associated with VMware virtualization software, and their presence in the find command arguments
may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files
and configurations on the system.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "ESXI Discovery via Find"
references = [
    "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
]
risk_score = 47
rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.type == "start" and process.name : "find" and
process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1518"
name = "Software Discovery"
reference = "https://attack.mitre.org/techniques/T1518/"


[rule.threat.tactic]
id = "TA0007"
name = "Discovery"
reference = "https://attack.mitre.org/tactics/TA0007/"