ESXi VM Kill Via ESXCLI
Detects execution of the "esxcli" command with the "vm process" namespace and the "kill" sub-command, used to kill/shut down a specific VM.
Sigma rule
title: ESXi VM Kill Via ESXCLI
id: 2992ac4d-31e9-4325-99f2-b18a73221bb2
status: test
description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.execution
    - attack.impact
    - attack.t1059.012
    - attack.t1529
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains|all:
            - 'vm process'
            - 'kill'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
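The following is an added example, not code from the Sigma project: it applies this rule's selection block (Image|endswith, CommandLine|contains|all, both case-insensitive as in Sigma's defaults) to a handful of constructed Linux process_creation events, so you can see which command lines fire and which benign esxcli invocations do not. Hostnames, binary paths and world-ids in the sample events are made up.

```python
# Added example (not part of the Sigma project's code): evaluates the rule's
# "selection" against constructed process_creation events, mirroring Sigma's
# default case-insensitive matching for endswith and contains|all.
from typing import Iterable, List, Tuple

RULE_ID = "2992ac4d-31e9-4325-99f2-b18a73221bb2"  # id from the rule above


def matches(event: dict) -> bool:
    """Return True when the event satisfies the rule's 'selection' block."""
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    # Image|endswith: '/esxcli'
    if not image.endswith("/esxcli"):
        return False
    # CommandLine|contains|all: ['vm process', 'kill']
    return all(needle in cmdline for needle in ("vm process", "kill"))


def alerts(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (hostname, commandline) pairs for every event that fires the rule."""
    return [(e.get("Hostname", "?"), e.get("CommandLine", ""))
            for e in events if matches(e)]


# Constructed sample events (hostnames, paths and world-ids are invented).
SAMPLE_EVENTS = [
    {"Hostname": "esx-01", "Image": "/bin/esxcli",
     "CommandLine": "esxcli vm process list"},                       # benign inventory
    {"Hostname": "esx-01", "Image": "/bin/esxcli",
     "CommandLine": "esxcli vm process kill --type=force --world-id=1234567"},  # fires
    {"Hostname": "esx-02", "Image": "/usr/bin/killall",
     "CommandLine": "killall vmx"},                                  # wrong Image, no match
    {"Hostname": "esx-02", "Image": "/bin/ESXCLI",
     "CommandLine": "ESXCLI VM PROCESS KILL --type=soft --world-id=2222"},  # case differs, fires
    {"Hostname": "esx-03", "Image": "/bin/esxcli",
     "CommandLine": "esxcli system version get"},                    # benign
]

if __name__ == "__main__":
    for host, cmd in alerts(SAMPLE_EVENTS):
        print(f"[{RULE_ID}] {host}: {cmd}")
```

Both hits here would also be raised by a legitimate administrator forcibly stopping a hung VM, which is the false-positive case the rule lists; correlate with the invoking user and change records before escalating.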
Related rules
- Silence.EDA Detection
- ESXi Account Creation Via ESXCLI
- ESXi Admin Permission Assigned To Account Via ESXCLI
- ESXi Network Configuration Discovery Via ESXCLI
- ESXi Storage Information Discovery Via ESXCLI