ESXi Vim-Cmd Remove Snapshots

Rule Info

Name: ESXi Vim-Cmd Remove Snapshots
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Description: Detects the use of vim-cmd to remove VM snapshots on ESXi hosts. Threat actors often remove VM snapshots before ransomware deployment to prevent recovery from recent backups, ensure maximum damage by eliminating restoration points, and make recovery more time-consuming and costly for victims. This activity is frequently automated as part of ransomware deployment chains.
Date: 2025-05-22 00:00:00
Modified: None
Id: 5733c5d9-d54f-4bd2-a32c-9b7e4b6f3214
Tags: attack.execution attack.t1675 attack.impact attack.t1485
Type: Nextron Sigma feed only (private)
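The rule itself is private, so as an illustration of the behaviour it describes, here is an added example (not the Nextron rule and not its logic) that scans ESXi shell-history lines for vim-cmd snapshot removal. It assumes the `<timestamp> shell[<pid>]: [<user>]: <command>` layout of ESXi's /var/log/shell.log; the sample lines, VM ids and snapshot ids are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the layout of ESXi /var/log/shell.log
# ("<timestamp> shell[<pid>]: [<user>]: <command>"); all values are made up.
SAMPLE_SHELL_LOG = """\
2025-05-22T10:01:12Z shell[2051]: [root]: vim-cmd vmsvc/getallvms
2025-05-22T10:01:20Z shell[2051]: [root]: vim-cmd vmsvc/snapshot.get 12
2025-05-22T10:01:33Z shell[2051]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2025-05-22T10:01:40Z shell[2051]: [root]: /bin/vim-cmd vmsvc/snapshot.remove 14 3
2025-05-22T10:02:01Z shell[2051]: [root]: vim-cmd vmsvc/snapshot.create 12 pre-patch
2025-05-22T10:02:09Z shell[2051]: [root]: esxcli vm process list
"""

# Splits one shell.log line into timestamp, pid, user and the typed command.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[(?P<pid>\d+)\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)
# Matches per-snapshot removal (snapshot.remove <vmid> <snapId>) and bulk
# removal (snapshot.removeall <vmid>), with or without a path prefix on vim-cmd.
REMOVE_RE = re.compile(
    r"(?:^|[\s/])vim-cmd\s+vmsvc/snapshot\.(?P<op>remove(?:all)?)\b\s*(?P<vmid>\d+)?"
)


@dataclass(frozen=True)
class SnapshotRemoval:
    ts: str
    user: str
    op: str            # "remove" or "removeall"
    vmid: Optional[str]
    cmd: str           # full command line, kept for triage


def find_snapshot_removals(log_text: str) -> List[SnapshotRemoval]:
    """Return one finding per shell.log line that invokes vim-cmd snapshot removal."""
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # unrelated or malformed line
        r = REMOVE_RE.search(m["cmd"])
        if r:
            hits.append(SnapshotRemoval(m["ts"], m["user"], r["op"], r["vmid"], m["cmd"]))
    return hits


if __name__ == "__main__":
    for h in find_snapshot_removals(SAMPLE_SHELL_LOG):
        print(f"{h.ts} user={h.user} op={h.op} vmid={h.vmid}: {h.cmd}")
```

Several removals from one shell session within a short window, as in the sample, is the pattern worth alerting on first; a single `snapshot.remove` during a change window is routine administration.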

Rule History