| Compromised Credentials | app-login ↳vmware-esxi-str-app-login-loggedin ↳vmware-esxi-str-app-login-success-vmauthd ↳vmware-esxi-str-endpoint-delete-removedvm
database-login ↳vmware-esxi-str-file-read-fail-storagermopenslotfile ↳vmware-esxi-str-file-read-fail-storagermfail ↳vmware-esxi-str-file-read-fail-storagermopenread ↳vmware-esxi-str-file-read-fail-storagermerroropenfile ↳vmware-esxi-str-file-read-success-storagermopen ↳vmware-esxi-str-app-notification-success-sfcbd ↳vmware-esxi-str-app-notification-success-nicmgmtd ↳vmware-esxi-str-http-session-fail-iofiltervpd
remote-logon ↳vmware-esxi-str-endpoint-login-success-accepted
security-alert ↳vmware-esxi-str-app-authentication-success-pushingto
| T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1190 - Exploit Public-Facing Application T1213 - Data from Information Repositories T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets
| |
| Data Access | app-login ↳vmware-esxi-str-app-login-loggedin ↳vmware-esxi-str-app-login-success-vmauthd ↳vmware-esxi-str-endpoint-delete-removedvm
database-login ↳vmware-esxi-str-file-read-fail-storagermopenslotfile ↳vmware-esxi-str-file-read-fail-storagermfail ↳vmware-esxi-str-file-read-fail-storagermopenread ↳vmware-esxi-str-file-read-fail-storagermerroropenfile ↳vmware-esxi-str-file-read-success-storagermopen ↳vmware-esxi-str-app-notification-success-sfcbd ↳vmware-esxi-str-app-notification-success-nicmgmtd ↳vmware-esxi-str-http-session-fail-iofiltervpd
| T1078 - Valid Accounts T1213 - Data from Information Repositories
| |
| Evasion | registry-write ↳vmware-esxi-str-app-activity-hostd-1 ↳vmware-esxi-str-app-activity-info ↳vmware-esxi-str-app-activity-vpxa ↳vmware-esxi-str-app-activity-vpxd ↳vmware-esxi-mix-app-activity-sub ↳vmware-esxi-str-app-activity-vsand ↳vmware-esxi-str-app-activity-vsansystem ↳vmware-esxi-str-app-activity-hostd ↳vmware-esxi-str-app-activity-success-storagermstatfile
| T1564.001 - T1564.001 T1564.002 - T1564.002
| |
| Lateral Movement | app-login ↳vmware-esxi-str-app-login-loggedin ↳vmware-esxi-str-app-login-success-vmauthd ↳vmware-esxi-str-endpoint-delete-removedvm
remote-logon ↳vmware-esxi-str-endpoint-login-success-accepted
security-alert ↳vmware-esxi-str-app-authentication-success-pushingto
| T1018 - Remote System Discovery T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1090.003 - Proxy: Multi-hop Proxy T1550 - Use Alternate Authentication Material T1550.002 - Use Alternate Authentication Material: Pass the Hash T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
| |
| Malware | app-login ↳vmware-esxi-str-app-login-loggedin ↳vmware-esxi-str-app-login-success-vmauthd ↳vmware-esxi-str-endpoint-delete-removedvm
registry-write ↳vmware-esxi-str-app-activity-hostd-1 ↳vmware-esxi-str-app-activity-info ↳vmware-esxi-str-app-activity-vpxa ↳vmware-esxi-str-app-activity-vpxd ↳vmware-esxi-mix-app-activity-sub ↳vmware-esxi-str-app-activity-vsand ↳vmware-esxi-str-app-activity-vsansystem ↳vmware-esxi-str-app-activity-hostd ↳vmware-esxi-str-app-activity-success-storagermstatfile
remote-logon ↳vmware-esxi-str-endpoint-login-success-accepted
security-alert ↳vmware-esxi-str-app-authentication-success-pushingto
| T1078 - Valid Accounts T1112 - Modify Registry T1547.001 - T1547.001 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002
| |
| Privilege Abuse | account-password-change ↳vmware-esxi-str-endpoint-activity-success-vmwipmi ↳vmware-esxi-str-endpoint-activity-success-localcli ↳vmware-esxi-str-endpoint-activity-success-crxcli ↳vmware-esxi-str-endpoint-activity-success-configstore ↳vmware-esxi-str-endpoint-activity-success-providermanager ↳vmware-esxi-str-endpoint-activity-success-userworldcorrelator ↳vmware-esxi-str-endpoint-activity-vmkernel ↳vmware-esxi-str-http-close-6876 ↳vmware-esxi-str-network-session-fail-iofiltervpd ↳vmware-esxi-str-app-login-fail-invalidcredentials ↳vmware-esxi-str-app-notification-lookingfordc ↳vmware-esxi-str-app-notification-success-vmfscorrupted ↳vmware-esxi-str-app-notification-success-storagermfailreplaceslot ↳vmware-esxi-str-app-notification-success-root ↳vmware-esxi-str-app-notification-success-storagermreplace ↳vmware-esxi-kv-app-notification-success-esxupdate ↳vmware-esxi-str-app-notification-failed ↳vmware-esxi-str-app-notification-vmkwarning ↳vmware-esxi-str-app-notification-vsantraceurgent ↳vmware-esxi-str-app-notification-success-fil3invalid ↳vmware-esxi-str-app-logout-hostd ↳vmware-esxi-kv-app-logout-success-loggedout ↳vmware-esxi-str-app-logout-loggedout
app-login ↳vmware-esxi-str-app-login-loggedin ↳vmware-esxi-str-app-login-success-vmauthd ↳vmware-esxi-str-endpoint-delete-removedvm
remote-logon ↳vmware-esxi-str-endpoint-login-success-accepted
| T1078 - Valid Accounts T1078.002 - T1078.002 T1098 - Account Manipulation
| |
| Privileged Activity | app-login ↳vmware-esxi-str-app-login-loggedin ↳vmware-esxi-str-app-login-success-vmauthd ↳vmware-esxi-str-endpoint-delete-removedvm
remote-logon ↳vmware-esxi-str-endpoint-login-success-accepted
security-alert ↳vmware-esxi-str-app-authentication-success-pushingto
| T1021 - Remote Services T1068 - Exploitation for Privilege Escalation T1078 - Valid Accounts T1078.002 - T1078.002
| |