Vendor: VMware
November 29, 2023

Product: VMware ESXi

Rules, Models, MITRE ATT&CK® TTPs, Activity Types, Parsers: 146622566

| Use-Case | Activity Types/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Abnormal Authentication & Access | account-password-change<br> ↳vmware-esxi-str-endpoint-activity-success-vmwipmi<br> ↳vmware-esxi-str-endpoint-activity-success-localcli<br> ↳vmware-esxi-str-endpoint-activity-success-crxcli<br> ↳vmware-esxi-str-endpoint-activity-success-configstore<br> ↳vmware-esxi-str-endpoint-activity-success-providermanager<br> ↳vmware-esxi-str-endpoint-activity-success-userworldcorrelator<br> ↳vmware-esxi-str-endpoint-activity-vmkernel<br> ↳vmware-esxi-str-http-close-6876<br> ↳vmware-esxi-str-network-session-fail-iofiltervpd<br> ↳vmware-esxi-str-app-login-fail-invalidcredentials<br> ↳vmware-esxi-str-app-notification-lookingfordc<br> ↳vmware-esxi-str-app-notification-success-vmfscorrupted<br> ↳vmware-esxi-str-app-notification-success-storagermfailreplaceslot<br> ↳vmware-esxi-str-app-notification-success-root<br> ↳vmware-esxi-str-app-notification-success-storagermreplace<br> ↳vmware-esxi-kv-app-notification-success-esxupdate<br> ↳vmware-esxi-str-app-notification-failed<br> ↳vmware-esxi-str-app-notification-vmkwarning<br> ↳vmware-esxi-str-app-notification-vsantraceurgent<br> ↳vmware-esxi-str-app-notification-success-fil3invalid<br> ↳vmware-esxi-str-app-logout-hostd<br> ↳vmware-esxi-kv-app-logout-success-loggedout<br> ↳vmware-esxi-str-app-logout-loggedout<br><br>app-login<br> ↳vmware-esxi-str-app-login-loggedin<br> ↳vmware-esxi-str-app-login-success-vmauthd<br> ↳vmware-esxi-str-endpoint-delete-removedvm<br><br>remote-logon<br> ↳vmware-esxi-str-endpoint-login-success-accepted | T1021 - Remote Services<br>T1078 - Valid Accounts<br>T1078.002 - T1078.002<br>T1078.003 - Valid Accounts: Local Accounts<br>T1133 - External Remote Services | 32 Rules<br>14 Models |
| Account Manipulation | account-password-change<br> ↳vmware-esxi-str-endpoint-activity-success-vmwipmi<br> ↳vmware-esxi-str-endpoint-activity-success-localcli<br> ↳vmware-esxi-str-endpoint-activity-success-crxcli<br> ↳vmware-esxi-str-endpoint-activity-success-configstore<br> ↳vmware-esxi-str-endpoint-activity-success-providermanager<br> ↳vmware-esxi-str-endpoint-activity-success-userworldcorrelator<br> ↳vmware-esxi-str-endpoint-activity-vmkernel<br> ↳vmware-esxi-str-http-close-6876<br> ↳vmware-esxi-str-network-session-fail-iofiltervpd<br> ↳vmware-esxi-str-app-login-fail-invalidcredentials<br> ↳vmware-esxi-str-app-notification-lookingfordc<br> ↳vmware-esxi-str-app-notification-success-vmfscorrupted<br> ↳vmware-esxi-str-app-notification-success-storagermfailreplaceslot<br> ↳vmware-esxi-str-app-notification-success-root<br> ↳vmware-esxi-str-app-notification-success-storagermreplace<br> ↳vmware-esxi-kv-app-notification-success-esxupdate<br> ↳vmware-esxi-str-app-notification-failed<br> ↳vmware-esxi-str-app-notification-vmkwarning<br> ↳vmware-esxi-str-app-notification-vsantraceurgent<br> ↳vmware-esxi-str-app-notification-success-fil3invalid<br> ↳vmware-esxi-str-app-logout-hostd<br> ↳vmware-esxi-kv-app-logout-success-loggedout<br> ↳vmware-esxi-str-app-logout-loggedout | T1098 - Account Manipulation | 1 Rules |
| Privilege Escalation | remote-logon<br> ↳vmware-esxi-str-endpoint-login-success-accepted | T1078 - Valid Accounts<br>T1555.005 - T1555.005 | 2 Rules<br>1 Models |
| Ransomware | app-login<br> ↳vmware-esxi-str-app-login-loggedin<br> ↳vmware-esxi-str-app-login-success-vmauthd<br> ↳vmware-esxi-str-endpoint-delete-removedvm<br><br>remote-logon<br> ↳vmware-esxi-str-endpoint-login-success-accepted | T1078 - Valid Accounts | 1 Rules |

MITRE ATT&CK® Framework for Enterprise

Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

Techniques, in the order they appear in the matrix:

- External Remote Services
- Valid Accounts
- Exploit Public-Facing Application
- External Remote Services
- Valid Accounts
- Hijack Execution Flow
- Account Manipulation
- Boot or Logon Autostart Execution
- Valid Accounts
- Exploitation for Privilege Escalation
- Hijack Execution Flow
- Boot or Logon Autostart Execution
- Hide Artifacts
- Obfuscated Files or Information: Indicator Removal from Tools
- Valid Accounts
- Modify Registry
- Use Alternate Authentication Material
- Use Alternate Authentication Material: Pass the Hash
- Use Alternate Authentication Material: Pass the Ticket
- Obfuscated Files or Information
- Hijack Execution Flow
- Valid Accounts: Local Accounts
- Steal or Forge Kerberos Tickets
- Credentials from Password Stores
- Steal or Forge Kerberos Tickets: Kerberoasting
- Remote System Discovery
- Remote Services
- Use Alternate Authentication Material
- Data from Information Repositories
- Proxy: Multi-hop Proxy
- Proxy