ESXi VM Kill Via ESXCLI

calendar May 21, 2025 · attack.execution attack.impact attack.t1059.012 attack.t1529  ·
Share on: linkedin copy

Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.

Sigma rule (View on GitHub)

 1title: ESXi VM Kill Via ESXCLI
 2id: 2992ac4d-31e9-4325-99f2-b18a73221bb2
 3status: test
 4description: Detects execution of the "esxcli" command with the "vm" and "kill" flag in order to kill/shutdown a specific VM.
 5references:
 6    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
 7    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
 8    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
 9    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
10author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
11date: 2023-09-04
12tags:
13    - attack.execution
14    - attack.impact
15    - attack.t1059.012
16    - attack.t1529
17logsource:
18    category: process_creation
19    product: linux
20detection:
21    selection:
22        Image|endswith: '/esxcli'
23        CommandLine|contains|all:
24            - 'vm process'
25            - 'kill'
26    condition: selection
27falsepositives:
28    - Legitimate administration activities
29level: medium

References

Related rules

to-top