.. /pvecm

Star

pvecm (Proxmox VE Cluster Manager) manages Proxmox VE cluster operations including node membership, quorum, and corosync configuration. Adversaries can use pvecm to enumerate cluster topology, identify all nodes for lateral movement, and understand the cluster authentication infrastructure.

Paths

• /usr/bin/pvecm

Resources

• https://pve.proxmox.com/pve-docs/pvecm.1.html
• https://pve.proxmox.com/wiki/Cluster_Manager

Acknowledgements

• ZephrFish

Discovery

1. Display cluster status including quorum, node membership, and ring status.

   pvecm status

   Use Case Enumerate cluster topology to identify all nodes and their status for lateral movement planning.

   Privileges Required Administrator

   Operating System Proxmox VE

   Procedural Examples

   • pvecm status

   • pvecm status 2>/dev/null || echo "Standalone node"

   ATT&CK Technique T1082

2. List all nodes in the cluster with their node ID, name, and status.

   pvecm nodes

   Use Case Identify all cluster members for comprehensive infrastructure enumeration.

   Privileges Required Administrator

   Operating System Proxmox VE
   ATT&CK Technique T1082

3. Read the corosync configuration file containing cluster node IPs and authentication settings.

   cat /etc/pve/corosync.conf

   Use Case Extract cluster node IP addresses and network configuration for lateral movement.

   Privileges Required Administrator

   Operating System Proxmox VE

   Procedural Examples

   • cat /etc/pve/corosync.conf

   • grep -E "ring0_addr|name" /etc/pve/corosync.conf

   ATT&CK Technique T1082

Impact

1. Set expected votes for quorum calculation.

   pvecm expected {votes}

   Use Case Manipulation of cluster quorum to enable operations without full consensus (potentially disruptive).

   Privileges Required Administrator

   Operating System Proxmox VE
   ATT&CK Technique T1489