Delete Virtual Machine Snapshot Via Vim-Cmd

Rule Info

Name
Delete Virtual Machine Snapshot Via Vim-Cmd
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of "vim-cmd" with the "vmsvc/snapshot.removeall" sub-command, which removes all snapshots of a specific virtual machine on an ESXi host. This command has been seen used by ransomware operators to remove all snapshots of a VM before initiating the encryption process.
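To illustrate the detection logic the description outlines, here is an added example (not the private Sigma rule and not Nextron's code) that scans constructed ESXi shell-log lines for "vim-cmd" invocations of "vmsvc/snapshot.removeall"; the log format and VM ids are assumptions.

```python
import re

# Constructed sample ESXi shell.log lines (not real telemetry). Only the
# snapshot.removeall invocations (lines 2 and 4) should be flagged; the
# getallvms and snapshot.get lines are benign administrative activity.
SAMPLE_SHELL_LOG = """\
2024-08-14T10:15:22Z shell[2061]: [root]: vim-cmd vmsvc/getallvms
2024-08-14T10:15:31Z shell[2061]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2024-08-14T10:15:40Z shell[2061]: [root]: vim-cmd vmsvc/snapshot.get 12
2024-08-14T10:16:02Z shell[2061]: [root]: /bin/vim-cmd vmsvc/snapshot.removeall 7
"""

# Hypothetical pattern modelled on the rule description: a vim-cmd
# invocation (bare or with a leading path) followed by the
# vmsvc/snapshot.removeall sub-command and, optionally, a numeric VM id.
SNAPSHOT_REMOVEALL = re.compile(
    r"(?:^|[\s/])vim-cmd\s+vmsvc/snapshot\.removeall(?:\s+(?P<vmid>\d+))?",
    re.IGNORECASE,
)


def find_snapshot_removals(log_text: str) -> list[dict]:
    """Return one finding per log line that runs vmsvc/snapshot.removeall."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = SNAPSHOT_REMOVEALL.search(line)
        if match is None:
            continue
        findings.append({
            "line": lineno,
            "vmid": match.group("vmid"),  # None if no VM id is on the line
            "raw": line.strip(),
        })
    return findings


if __name__ == "__main__":
    for f in find_snapshot_removals(SAMPLE_SHELL_LOG):
        print(f"line {f['line']}: snapshot.removeall on VM {f['vmid']}: {f['raw']}")
```

A burst of such findings across several VM ids in a short window, especially from an interactive shell session, is the pattern worth escalating.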
Date
2024-08-14 00:00:00
Modified
None
Id
2660d321-5144-435b-be3a-13240369fab2
Tags
attack.execution
Type
Nextron Sigma feed only (private)

Rule History