ESXi Storage Information Discovery Via ESXCLI

Sigma Rules

Summary
This detection rule identifies execution of the 'esxcli' command with the 'storage' namespace on ESXi infrastructure, which reveals details about the storage state of the ESXi host and its virtual machines. The rule is significant because known ransomware families such as DarkSide and LockBit have been reported to run this command to gather information that supports a targeted attack. It relies on process creation logs in a Linux environment and triggers on command line patterns specific to the execution of 'esxcli'. The detection can serve as an early warning for administrators, allowing them to investigate and respond to potential security incidents involving unauthorized information retrieval.
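As an added illustration of the matching logic the summary describes (this is not the rule's own Sigma YAML, and the field names and events are constructed), the following Python matcher runs two variants of the check over sample process-creation events: a broad one that approximates a Sigma `Image|endswith` plus `CommandLine|contains 'storage'` selection, and a stricter one that only fires when `storage` is the top-level esxcli namespace, skipping global options such as `--formatter` so they cannot hide it.

```python
"""Added example: matcher for 'esxcli storage' discovery in process-creation
events, written from the rule summary. Not the Sigma rule's own YAML; field
names follow Sigma's process_creation convention and all events are constructed."""
import os
import shlex

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/bin/esxcli", "CommandLine": "esxcli storage filesystem list", "User": "root"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli vm process list", "User": "root"},
    {"Image": "/bin/sh", "CommandLine": "sh -c 'cat /etc/storage.conf'", "User": "root"},
    {"Image": "/sbin/esxcli", "CommandLine": "esxcli --formatter=csv storage core device list", "User": "backup"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli vsan storage list", "User": "root"},
]


def _argv(command_line):
    """Tokenise a captured command line; fall back to whitespace split on bad quoting."""
    try:
        return shlex.split(command_line)
    except ValueError:
        return command_line.split()


def esxcli_namespace(event):
    """Return the first esxcli namespace token (e.g. 'storage'), or None when the
    event is not an esxcli execution. Leading global options (tokens starting
    with '-') are skipped so they do not mask the namespace."""
    if os.path.basename(event.get("Image", "")) != "esxcli":
        return None
    for tok in _argv(event.get("CommandLine", ""))[1:]:
        if not tok.startswith("-"):
            return tok
    return None


def matches_sigma_style(event):
    """Broad check: image basename is esxcli and 'storage' appears anywhere in the line."""
    return (os.path.basename(event.get("Image", "")) == "esxcli"
            and "storage" in event.get("CommandLine", ""))


def matches_strict(event):
    """Narrow check: 'storage' must be the top-level esxcli namespace."""
    return esxcli_namespace(event) == "storage"


def scan(events, strict=False):
    """Return the events that trigger the chosen variant of the detection."""
    check = matches_strict if strict else matches_sigma_style
    return [e for e in events if check(e)]


if __name__ == "__main__":
    for label, strict in (("broad", False), ("strict", True)):
        print(label)
        for hit in scan(SAMPLE_EVENTS, strict=strict):
            print("  ", hit["User"], "->", hit["CommandLine"])
```

On the sample set the broad variant also fires on `esxcli vsan storage list`, which the strict variant ignores because its namespace is `vsan`; whichever variant is deployed, hits should be triaged against the executing user and change windows, since storage administrators run these commands legitimately.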
Categories
  • Infrastructure
  • Linux
  • Cloud
Data Sources
  • Process
Created: 2023-09-04