ESXi VM Kill Via ESXCLI

calendar Sep 6, 2023 · attack.execution  ·
Share on: linkedin copy

Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.

Sigma rule (View on GitHub)

 1title: ESXi VM Kill Via ESXCLI
 2id: 2992ac4d-31e9-4325-99f2-b18a73221bb2
 3status: experimental
 4description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
 5references:
 6    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
 7    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html
 8    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
 9    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
10author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
11date: 2023/09/04
12tags:
13    - attack.execution
14logsource:
15    category: process_creation
16    product: linux
17detection:
18    selection:
19        Image|endswith: '/esxcli'
20        CommandLine|contains|all:
21            - 'vm process'
22            - 'kill'
23    condition: selection
24falsepositives:
25    - Legitimate administration activities
26level: medium

References

Related rules

to-top