Rule Info
Name
Enumerate All Virtual Machines Via Vim-Cmd
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of "vim-cmd" with the "vmsvc/getallvms" argument, which enumerates all virtual machines registered on an ESXi host. Ransomware operators have been observed using this command to collect the IDs of all VMs and then initiate their shutdown.
Reference
Date
2024-08-14 00:00:00
Modified
None
Id
89ea07fb-32e0-4c32-862f-fe9a881186c4
Tags
attack.execution
Type
Nextron Sigma feed only (private)