Devcon Execution Disabling VMware VMCI Device

Rule Info

Name: Devcon Execution Disabling VMware VMCI Device
Author: Matt Anderson, Dray Agha, Anna Pham (Huntress)
Description: Detects execution of devcon.exe with commands that disable the VMware Virtual Machine Communication Interface (VMCI) device. This can be legitimate during VMware Tools troubleshooting or driver-conflict resolution, but it may also indicate malware attempting to hijack communication with the hardware via the VMCI device. Disabling the VMCI device has been used to facilitate exploitation of VMware ESXi vulnerabilities, escaping the guest VM and executing code on the ESXi host.
Date: 2026-01-02 00:00:00
Modified: None
Id: 85f520e7-6f5e-43ca-874c-222e5bf9c0de
Tags: attack.defense-evasion attack.persistence attack.privilege-escalation attack.t1543.003 attack.t1562.001
Type: Community Rule

Rule History

Author        | Title                                                                      | Date       | Commit
Matt Anderson | Merge PR #5834 from @MATTANDERS0N - Add Devcon and KDU Execution Rules     | 2026-01-24 |