Virtual Machine Power Off Via Vim-Cmd

Rule Info

Name
Virtual Machine Power Off Via Vim-Cmd
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of "vim-cmd" with the "vmsvc/power.off" argument, which powers off a virtual machine running on an ESXi host. This command has been seen used by ransomware operators to power off VMs before initiating the encryption process.
Date
2024-08-14 00:00:00
Modified
None
Id
e9777d96-9b2f-4e59-8099-63479c00d260
Tags
attack.execution
Type
Nextron Sigma feed only (private)
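
The description above states the detection logic only in words; the rule itself lives in Nextron's private feed and is not reproduced on this page. The following Python is an added, stand-alone re-implementation of that stated logic written for this page, not the Sigma rule's own code. It matches ESXi shell-history lines whose command invokes vim-cmd with vmsvc/power.off, and additionally groups matches into bursts, because a single power-off is routine administration while several in quick succession is the pattern that precedes ransomware encryption. The log line shape, the regexes, the burst threshold and every sample line are constructed assumptions that approximate ESXi's /var/log/shell.log; they are not taken from the rule.

```python
"""Added illustration of the "Virtual Machine Power Off Via Vim-Cmd" logic.

Not the Nextron Sigma rule (that rule is private); this reimplements only what
the rule description states. Log format, field names and samples are assumed.
"""
import re
from datetime import datetime, timedelta

# Assumed ESXi shell.log line shape (constructed approximation):
#   2024-08-14T10:15:32Z shell[2099745]: [root]: vim-cmd vmsvc/power.off 5
SHELL_LOG_RE = re.compile(
    r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# Sigma-style "contains" matching rather than exact argv matching, so that a
# one-line shell loop wrapping vim-cmd is still caught (see SAMPLE_LOG below).
# vim-cmd must stand as a word: at line start or after whitespace, a path
# separator, or a shell operator; the power.off sub-command must be the exact
# token, so vmsvc/power.getstate or vmsvc/power.on do not match.
VIM_CMD_RE = re.compile(r"(?:^|[\s/;&|`(])vim-cmd(?=\s|$)")
POWER_OFF_RE = re.compile(r"(?<![\w./])vmsvc/power\.off(?![\w.])")


def parse_shell_log_line(line):
    """Return {'ts', 'user', 'cmd'} for a shell.log line, or None if unparseable."""
    m = SHELL_LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "user": m.group("user"), "cmd": m.group("cmd")}


def is_vim_cmd_power_off(cmd):
    """The detection the description states: vim-cmd invoked with vmsvc/power.off."""
    return bool(VIM_CMD_RE.search(cmd) and POWER_OFF_RE.search(cmd))


def find_power_off_events(lines):
    """Run the matcher over raw log lines and return the parsed hits."""
    events = []
    for line in lines:
        rec = parse_shell_log_line(line)
        if rec and is_vim_cmd_power_off(rec["cmd"]):
            events.append(rec)
    return events


def power_off_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Group hits into bursts of at least `threshold` events within `window`.

    Each burst is a maximal run of time-sorted events whose timestamps all fall
    within `window` of the burst's first event. Threshold and window are
    assumed tuning values, not part of the rule described on this page.
    """
    events = sorted(events, key=lambda e: e["ts"])
    bursts, i = [], 0
    while i < len(events):
        j = i
        while j + 1 < len(events) and events[j + 1]["ts"] - events[i]["ts"] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append(events[i:j + 1])
            i = j + 1
        else:
            i += 1
    return bursts


# Constructed sample log: an enumeration, three single power-offs (one via a
# full path), a benign state query, and a loop that powers off every VM.
SAMPLE_LOG = """\
2024-08-14T10:15:01Z shell[2099745]: [root]: vim-cmd vmsvc/getallvms
2024-08-14T10:15:32Z shell[2099745]: [root]: vim-cmd vmsvc/power.off 5
2024-08-14T10:15:35Z shell[2099745]: [root]: vim-cmd vmsvc/power.off 7
2024-08-14T10:15:39Z shell[2099745]: [root]: /bin/vim-cmd vmsvc/power.off 9
2024-08-14T10:15:44Z shell[2099745]: [root]: vim-cmd vmsvc/power.getstate 9
2024-08-14T10:16:02Z shell[2099745]: [root]: esxcli vm process list
2024-08-14T10:17:10Z shell[2099745]: [root]: for i in $(vim-cmd vmsvc/getallvms | awk 'NR>1{print $1}'); do vim-cmd vmsvc/power.off $i; done
""".splitlines()


if __name__ == "__main__":
    hits = find_power_off_events(SAMPLE_LOG)
    for h in hits:
        print(h["ts"].isoformat(), h["user"], h["cmd"])
    for burst in power_off_bursts(hits):
        print(f"burst of {len(burst)} power-offs starting {burst[0]['ts'].isoformat()}")
```

Two caveats worth keeping in mind when tuning this. The loop on the last sample line powers off every VM on the host yet produces a single shell.log entry, so a per-event threshold undercounts it; the per-invocation match is what the described rule gives you, and any burst logic on top must treat one matching line as potentially many VMs. And an exact-argv matcher that required `vim-cmd` as the first token would miss that same loop, which is why the matcher above uses contains-style semantics on the whole command line.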

Rule History