Rule Info
Name
Virtual Machine Suspended Via VMdumper
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of "VMdumper" with the "suspend_v" flag, which allows a user to suspend a running virtual machine on ESXi servers.
The LockBit ransomware was seen using this technique before encrypting the VMs.
Date
2024-08-14 00:00:00
Modified
None
Id
09234c6b-4b49-4564-886a-2704f5a0b48e
Tags
attack.execution
Type
Nextron Sigma feed only (private)