ESXi Auto-Start Feature Disabled Via Vim-Cmd

Rule Info

Name
ESXi Auto-Start Feature Disabled Via Vim-Cmd
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of "vim-cmd" with the "hostsvc/autostartmanager/enable_autostart" flag, in order to disable the auto-start feature. If disabled, when the host reboots (e.g., after maintenance, power outage, or crash), the virtual machines will not automatically start.
Reference
https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
Date
2024-08-14 00:00:00
Modified
None
Id
40369a59-36c6-424e-914f-e41d462e9a9a
Tags
attack.execution
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022