
Summary
This detection rule identifies the use of remote tools to download virtual machine disk files from a VMware ESXi datastore, activity that may indicate an exfiltration attempt by a malicious actor. The rule relies on the fact that the NFC protocol used in ESXi management can be abused for unauthorized data transfers. Detection works by monitoring specific syslog entries that record file downloads initiated against an ESXi host. By extracting the relevant fields from these logs, such as the datastore name, the virtual machine path, the tool that initiated the transfer, the tool's version, and the initiator's IP address, the rule gives a complete picture of the events leading up to a VM export. This information is then aggregated to show the frequency and timeline of such activity, helping security teams spot unauthorized access patterns and respond promptly to potential threats.
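As an added example (not the rule's own search logic), the following Python parses constructed ESXi syslog lines of the kind the rule keys on, keeps only NFC downloads of VMDK files, and aggregates the extracted fields per initiator IP. The message layout, field names, tool names and sample values are assumptions for illustration, not VMware's documented hostd format.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed sample syslog lines (the message layout is an assumption, not
# VMware's documented hostd format); fields mirror those the rule extracts.
SAMPLE_LOGS = [
    "2025-05-15T10:01:02Z esxi01 Hostd: [Nfc] NfcFileDownload: "
    "path=/vmfs/volumes/datastore1/web01/web01-flat.vmdk client=ovftool/4.6.0 from=203.0.113.25",
    "2025-05-15T10:01:09Z esxi01 Hostd: [Nfc] NfcFileDownload: "
    "path=/vmfs/volumes/datastore1/web01/web01.vmx client=ovftool/4.6.0 from=203.0.113.25",
    "2025-05-15T10:03:44Z esxi01 Hostd: [Nfc] NfcFileDownload: "
    "path=/vmfs/volumes/datastore2/db01/db01-flat.vmdk client=govc/0.37.0 from=203.0.113.25",
    "2025-05-15T11:20:00Z esxi01 Hostd: [Nfc] NfcFileUpload: "
    "path=/vmfs/volumes/datastore1/iso/tools.iso client=ovftool/4.6.0 from=198.51.100.7",
    "2025-05-15T11:22:13Z esxi01 Hostd: [Nfc] NfcFileDownload: "
    "path=/vmfs/volumes/datastore1/app02/app02.vmdk client=vsphere-client/8.0 from=198.51.100.7",
]

# Datastore name is the first path component under /vmfs/volumes/; the tool and
# its version are split on the '/' in the assumed client= field.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) Hostd: \[Nfc\] NfcFileDownload: "
    r"path=/vmfs/volumes/(?P<datastore>[^/]+)/(?P<vm_path>\S+) "
    r"client=(?P<tool>[^/ ]+)/(?P<version>\S+) from=(?P<src_ip>\S+)$"
)

def parse_download(line: str) -> Optional[dict]:
    """Return extracted fields for an NFC download of a VM disk file, else None.
    Uploads and non-VMDK files are dropped because the rule keys on disk exports."""
    m = LINE_RE.match(line)
    if not m or not m.group("vm_path").lower().endswith(".vmdk"):
        return None
    return m.groupdict()

def aggregate(lines) -> dict:
    """Group matching events per initiator IP: count, first/last seen, tools, VM paths."""
    stats = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                 "tools": set(), "vm_paths": set()})
    for line in lines:
        ev = parse_download(line)
        if ev is None:
            continue
        s = stats[ev["src_ip"]]
        s["count"] += 1
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
        s["tools"].add(f'{ev["tool"]}/{ev["version"]}')
        s["vm_paths"].add(f'{ev["datastore"]}/{ev["vm_path"]}')
    return dict(stats)
```

A single source pulling disks from several datastores with more than one tool in a short window, as 203.0.113.25 does in the sample, is the pattern the aggregation is meant to surface.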
Categories
- Infrastructure
- Cloud
- Application
Data Sources
- Volume
- File
- Application Log
ATT&CK Techniques
- T1005
Created: 2025-05-15