Description
An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, adversaries may enumerate a list of VMs on an ESXi hypervisor using a Hypervisor CLI such as esxcli or vim-cmd (e.g. `esxcli vm process list` or `vim-cmd vmsvc/getallvms`).(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)(Citation: TrendMicro Play) Adversaries may also directly leverage a graphical user interface, such as VMware vCenter, in order to view virtual machines on a host.
Adversaries may use the information gathered through Virtual Machine Discovery to shape follow-on behaviors. VMs discovered this way may then be targeted for follow-on activities such as Service Stop or Data Encrypted for Impact.(Citation: Crowdstrike Hypervisor Jackpotting Pt 2 2021)
Platforms
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1048 | UNC3886 | [UNC3886](https://attack.mitre.org/groups/G1048) has used scripts to enumerate ESXi hypervisors and their guest VMs.(Citation: Google Cloud Threat Int... |
Associated Software (4)
| ID | Name | Type | Context |
|---|---|---|---|
| S9019 | PureCrypter | Malware | [PureCrypter](https://attack.mitre.org/software/S9019) can identify virtual machines by querying the WMI object Win32_ComputerSystem for manufacturer ... |
| S1242 | Qilin | Malware | [Qilin](https://attack.mitre.org/software/S1242) can detect virtual machine environments including ESXi hosts, datacenters, and clusters within vCente... |
| S1217 | VIRTUALPITA | Malware | [VIRTUALPITA](https://attack.mitre.org/software/S1217) can target specific guest virtual machines for script execution.(Citation: Google Cloud Threat ... |
| S1096 | Cheerscrypt | Malware | Cheerscrypt has leveraged `esxcli vm process list` in order to gather a list of running virtual machines to terminate them.(Citation: Trend Micro Chee... |
References
- Cj Arsley Mateo, Darrel Tristan Virtusio, Sarah Pearl Camiling, Andrei Alimboyao, Nathaniel Morales, Jacob Santos, Earl John Bareng. (2024, July 19). Play Ransomware Group’s New Linux Variant Targets ESXi, Shows Ties With Prolific Puma. Retrieved March 26, 2025.
- Michael Dawson. (2021, August 30). Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware. Retrieved March 26, 2025.
Frequently Asked Questions
What is T1673 (Virtual Machine Discovery)?
T1673 is a MITRE ATT&CK technique named 'Virtual Machine Discovery'. It belongs to the Discovery tactic(s). An adversary may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, adversaries may enumerate a list of VMs on an ESXi hypervisor using a [H...
How can T1673 be detected?
Detection of T1673 (Virtual Machine Discovery) typically involves monitoring system logs, network traffic, and endpoint telemetry. On ESXi hosts this means watching command execution for the enumeration commands named in the description (`esxcli vm process list`, `vim-cmd vmsvc/getallvms`) and reviewing vCenter access for unexpected users viewing the VM inventory. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
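The description names the two ESXi commands used to list VMs, and the answer above says detection relies on log monitoring. The following is an added example, not code from the page, from MITRE, or from any vendor tooling, of detection logic in Python run over constructed log lines written in the style of ESXi's /var/log/shell.log (`timestamp shell[pid]: [user]: command`). The exact log layout, the grouping of commands into sessions by shell pid, the 10-minute correlation window, and the follow-on commands `vim-cmd vmsvc/power.off` and `esxcli vm process kill` (which the page does not name; it only says discovered VMs may be targeted for Service Stop or Data Encrypted for Impact) are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample lines approximating the ESXi /var/log/shell.log layout.
# One session (pid 2099788) enumerates VMs and then acts on them; a second
# session (pid 2101500) only enumerates. The layout itself is an assumption.
SAMPLE_SHELL_LOG = """\
2025-03-26T09:14:02Z shell[2099788]: [root]: esxcli system version get
2025-03-26T09:14:40Z shell[2099788]: [root]: esxcli vm process list
2025-03-26T09:15:03Z shell[2099788]: [root]: vim-cmd  vmsvc/getallvms
2025-03-26T09:15:30Z shell[2099788]: [root]: esxcli storage filesystem list
2025-03-26T09:16:11Z shell[2099788]: [root]: vim-cmd vmsvc/power.off 12
2025-03-26T09:16:12Z shell[2099788]: [root]: esxcli vm process kill --type=force --world-id=2100011
2025-03-26T10:02:17Z shell[2101500]: [root]: esxcli vm process list
this line does not match the expected layout and is skipped
"""

# Assumed shell.log layout: "<iso-timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

# VM enumeration commands named on the page for T1673.
VM_DISCOVERY_PATTERNS = (
    re.compile(r"\besxcli\s+vm\s+process\s+list\b"),
    re.compile(r"\bvim-cmd\s+vmsvc/getallvms\b"),
)

# Assumed follow-on commands that stop or kill a VM (not named on the page).
VM_IMPACT_PATTERNS = (
    re.compile(r"\besxcli\s+vm\s+process\s+kill\b"),
    re.compile(r"\bvim-cmd\s+vmsvc/power\.off\b"),
)


@dataclass
class ShellEvent:
    ts: str
    pid: int
    user: str
    cmd: str


def _parse_ts(ts):
    # fromisoformat on older Pythons does not accept a trailing "Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_shell_log(text):
    """Parse shell.log-style text into ShellEvents; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # collapse repeated whitespace so "vim-cmd  vmsvc/getallvms" still matches
        cmd = " ".join(m["cmd"].split())
        events.append(ShellEvent(m["ts"], int(m["pid"]), m["user"], cmd))
    return events


def is_vm_discovery(cmd):
    return any(p.search(cmd) for p in VM_DISCOVERY_PATTERNS)


def is_vm_impact(cmd):
    return any(p.search(cmd) for p in VM_IMPACT_PATTERNS)


def find_vm_discovery(events):
    """Every event that matches a T1673 enumeration command (low-fidelity, high-recall)."""
    return [e for e in events if is_vm_discovery(e.cmd)]


def correlate_sessions(events, window_s=600):
    """Higher-fidelity alert: a shell session (grouped by pid) that enumerates VMs
    and, within window_s seconds of the first enumeration, stops or kills a VM.
    Returns {pid: {"user", "discovery": [cmds], "impact": [cmds]}}."""
    sessions = {}
    for e in events:
        sessions.setdefault(e.pid, []).append(e)
    alerts = {}
    for pid, sess in sessions.items():
        discoveries = [e for e in sess if is_vm_discovery(e.cmd)]
        if not discoveries:
            continue
        first = min(discoveries, key=lambda e: _parse_ts(e.ts))
        impacts = [
            e for e in sess
            if is_vm_impact(e.cmd)
            and 0 <= (_parse_ts(e.ts) - _parse_ts(first.ts)).total_seconds() <= window_s
        ]
        if impacts:
            alerts[pid] = {
                "user": first.user,
                "discovery": [e.cmd for e in discoveries],
                "impact": [e.cmd for e in impacts],
            }
    return alerts


if __name__ == "__main__":
    evs = parse_shell_log(SAMPLE_SHELL_LOG)
    for e in find_vm_discovery(evs):
        print(f"T1673 candidate: {e.ts} pid={e.pid} user={e.user} cmd={e.cmd!r}")
    for pid, a in correlate_sessions(evs).items():
        print(f"ALERT pid={pid} user={a['user']} discovery={a['discovery']} impact={a['impact']}")
```

The two tiers are deliberate: the bare enumeration match will fire on routine administration (session 2101500 above), so it is better treated as a hunting query or a low-severity signal, while the discovery-then-impact correlation within one session is what merits an alert. Tune `window_s` to how quickly operators on your hosts normally move from listing VMs to power operations.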
What mitigations exist for T1673?
Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.
Which threat groups use T1673?
Known threat groups using T1673 include: UNC3886.