New Screenshot Saved Via VMdumper

Rule Info

Name
New Screenshot Saved Via VMdumper
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of "VMdumper" with the "screenshot" flag, which allows a user to take a screenshot of a running virtual machine on ESXi servers.
Reference
https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html
Date
2024-08-14 00:00:00
Modified
None
Id
59495904-b26c-4eea-b5fa-603f1ebc9df5
Tags
attack.execution
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022