pveum

pveum (Proxmox VE User Manager) manages users, groups, roles, and permissions in Proxmox VE. Adversaries can use pveum to enumerate accounts, create backdoor users, escalate privileges, and manipulate access controls for persistence.

Account Enumeration

  1. List all users configured in Proxmox VE.

    pveum user list
    Use Case: Enumerate all user accounts to identify targets for credential attacks.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1087.001

Permission Enumeration

  1. List all access control list entries showing permissions.

    pveum acl list
    Use Case: Map permission structure to identify privilege escalation paths.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1069.001

Persistence

  1. Create a new user account.

    pveum user add {userid}@{realm} --password {password}
    Use Case: Create backdoor accounts for persistent access.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1136.001
  2. Create an API token for a user.

    pveum user token add {userid}@{realm} {tokenid}
    Use Case: Create API tokens for persistent API access without passwords.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1098.001

Privilege Escalation

  1. Grant administrative privileges to a user.

    pveum acl modify / --roles Administrator --users {user}@{realm}
    Use Case: Escalate privileges for a controlled account to full administrator.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1098
  2. Create a custom role with specific privileges.

    pveum role add {rolename} --privs {privileges}
    Use Case: Create custom roles with specific privileges for stealthy access.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1098

Discovery

  1. List all groups configured in Proxmox VE.

    pveum group list
    Use Case: Enumerate groups to understand organizational structure and target high-privilege groups.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1069.001

Credential Access

  1. Read the user configuration file directly.

    cat /etc/pve/user.cfg
    Use Case: Extract user configuration including group memberships and role assignments.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1552.001
  2. Read API token configuration file.

    cat /etc/pve/priv/token.cfg
    Use Case: Extract API tokens for unauthorized access.
    Privileges Required: Administrator
    Operating System: Proxmox VE
    ATT&CK Technique: T1552.001
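
A detection sketch for the commands catalogued above, added here as an example and not part of the original page or of Proxmox tooling: it classifies command lines (for instance from shell history or process-execution audit logs) by pveum subcommand or by direct reads of the two configuration files, tags each hit with the ATT&CK technique this page lists, and marks the root-path Administrator grant as high risk. The function names, rule table and sample lines are constructed for illustration.

```python
import shlex

# pveum subcommand words -> (category, ATT&CK technique), both as listed on this page
PVEUM_RULES = {
    ("user", "list"): ("Account Enumeration", "T1087.001"),
    ("acl", "list"): ("Permission Enumeration", "T1069.001"),
    ("group", "list"): ("Discovery", "T1069.001"),
    ("user", "add"): ("Persistence", "T1136.001"),
    ("user", "token", "add"): ("Persistence", "T1098.001"),
    ("acl", "modify"): ("Privilege Escalation", "T1098"),
    ("role", "add"): ("Privilege Escalation", "T1098"),
}
CONFIG_FILES = {"/etc/pve/user.cfg", "/etc/pve/priv/token.cfg"}

def classify(cmdline):
    """Return (category, technique, high_risk) for one command line, else None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:                      # unbalanced quotes in a logged line
        argv = cmdline.split()
    prog = argv[0].rsplit("/", 1)[-1] if argv else ""   # strip any directory prefix
    if prog != "pveum":
        # Any other program given one of the two files as an argument is a direct read.
        hit = CONFIG_FILES.intersection(argv[1:])
        return ("Credential Access", "T1552.001", True) if hit else None
    for n in (3, 2):                        # try the longest subcommand first
        key = tuple(argv[1:1 + n])
        if key in PVEUM_RULES:
            category, technique = PVEUM_RULES[key]
            # High risk: the Administrator role granted at the root path "/".
            opts = [a.lstrip("-") for a in argv[4:]]
            roles = opts[opts.index("roles") + 1] if "roles" in opts[:-1] else ""
            high = (key == ("acl", "modify") and argv[3:4] == ["/"]
                    and "Administrator" in roles.split(","))
            return (category, technique, high)
    return None

# Constructed sample lines (user names, token id and VM id are made up).
SAMPLE = [
    "pveum user list",
    "pveum user token add svc@pve backup",
    "pveum acl modify / --roles Administrator --users svc@pve",
    "pveum acl modify /vms/100 --roles PVEVMUser --users bob@pve",
    "cat /etc/pve/priv/token.cfg",
    "qm list",
]

def scan(lines):
    return [(line, hit) for line in lines if (hit := classify(line))]
```

The rules recognise only the command spellings shown on this page, so other option forms such as `--roles=Administrator` need their own handling. Command-line matching is best paired with periodic review of the accounts, tokens and ACL entries that actually exist.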