Threat actors may attempt to enumerate running virtual machines (VMs) after gaining access to a host or hypervisor. For example, threat actors may enumerate a list of VMs on an ESXi hypervisor using a Hypervisor CLI such as esxcli or vim-cmd (e.g., esxcli vm process list or vim-cmd vmsvc/getallvms). Threat actors may also directly leverage a graphical user interface, such as VMware vCenter, to view virtual machines on a host.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
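Since preventive controls are limited, monitoring for the two CLI commands named above is the practical control. The following is an added detection example, not part of the original page; the log line layout (modelled on an ESXi shell command log), the sample lines and all function names are constructed assumptions.

```python
import re
import shlex

# The two enumeration commands named on the page, as token sequences.
VM_ENUM_COMMANDS = (
    ("esxcli", "vm", "process", "list"),
    ("vim-cmd", "vmsvc/getallvms"),
)

# Assumed layout: <timestamp> shell[<pid>]: [<user>]: <command>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

def is_vm_enumeration(command):
    """True if any segment of a shell command line is a VM listing command."""
    # Split pipelines and chained commands so each program is checked alone.
    for segment in re.split(r"[;&|]+", command):
        try:
            tokens = shlex.split(segment)
        except ValueError:          # unbalanced quotes: fall back to whitespace
            tokens = segment.split()
        if not tokens:
            continue
        tokens[0] = tokens[0].rsplit("/", 1)[-1]   # /bin/esxcli -> esxcli
        # Ignore option tokens such as --formatter=csv placed before the namespace.
        words = tuple(t for t in tokens if not t.startswith("-"))
        if any(words[:len(sig)] == sig for sig in VM_ENUM_COMMANDS):
            return True
    return False

def detect(lines):
    """Return timestamp, user and command for each matching log line."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and is_vm_enumeration(m.group("cmd")):
            hits.append(m.groupdict())
    return hits

# Constructed sample log lines (not taken from a real host).
SAMPLE_LOG = """\
2024-01-10T02:11:05Z shell[2101234]: [root]: esxcli vm process list
2024-01-10T02:11:09Z shell[2101234]: [root]: /bin/vim-cmd vmsvc/getallvms | wc -l
2024-01-10T02:12:30Z shell[2101234]: [root]: esxcli --formatter=csv vm process list
2024-01-10T02:13:00Z shell[2101234]: [root]: esxcli network ip interface list
2024-01-10T02:14:41Z shell[2101300]: [svc-backup]: vim-cmd vmsvc/power.getstate 12
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG.splitlines()):
        print(hit["ts"], hit["user"], hit["cmd"])
```

These commands are also run by administrators and backup tooling, so alerts are most useful when correlated with the account, the source of the session and the time of day.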