ESXi Power Off VM via Vim-Cmd

Rule Info

Name: ESXi Power Off VM via Vim-Cmd
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects attempts to power off virtual machines using vim-cmd, which is commonly observed during ransomware attacks. This command can be used to shut down or power off virtual machines on ESXi hosts. Adversaries may use this technique to disrupt operations, cause data loss, or prepare the environment for further exploitation.
Date: 2025-05-22 00:00:00
Modified: None
Id: 456b5c1d-15d0-4411-9455-6e5c9f0dba6d
Tags: attack.execution attack.t1675 attack.impact attack.t1529
Type: Nextron Sigma feed only (private)

Rule History