ESXi Bulk VM Termination

Splunk Security Content

Summary
The 'ESXi Bulk VM Termination' detection rule is designed to identify potential malicious activity on VMware ESXi hosts by monitoring syslog data for instances where all virtual machines on a host are terminated abruptly. The rule uses a combination of regular expressions to extract relevant fields from the log entries, such as the user initiating the command and the specific ESXi commands executed. By searching for commands that indicate forced termination of VM processes (like 'pkill -9 vmx-*' and related esxcli commands), the rule aims to capture activities indicative of a denial-of-service attack, ransomware staging, or other harmful behaviors that could disrupt essential workloads. The implementation requires proper configuration of syslog forwarding from the ESXi host to Splunk, complemented by the installation of the VMware ESXi Logs Technology Add-on for field extraction and compatibility with the Common Information Model (CIM).
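The extraction-and-match logic the summary describes, as an added Python illustration rather than the rule's own SPL: it parses constructed ESXi shell.log-style lines for user and command, then flags the forced-termination commands. The "[user]:" line layout and the esxcli kill form are assumptions, not taken from the page.

```python
import re
from typing import Optional

# Constructed sample lines in the style of ESXi shell.log forwarded via syslog (not real logs).
SAMPLE_LOGS = [
    "2025-05-12T10:01:12Z shell[2100126]: [root]: esxcli vm process list",
    "2025-05-12T10:01:30Z shell[2100126]: [root]: pkill -9 vmx-*",
    "2025-05-12T10:02:05Z shell[2100140]: [admin]: esxcli vm process kill --type=force --world-id=2100201",
    "2025-05-12T10:03:00Z shell[2100150]: [root]: esxcli system version get",
]

# Pulls timestamp, invoking user and command text out of one line; the "[user]:" layout is assumed.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+?)\s*$"
)

# Forced-termination indicators: the pkill form is the one named in the rule summary,
# the esxcli form is an assumed example of a "related esxcli command".
KILL_PATTERNS = {
    "pkill_vmx": re.compile(r"\bpkill\s+-9\s+vmx"),
    "esxcli_kill": re.compile(r"\besxcli\s+vm\s+process\s+kill\b"),
}

def parse_line(line: str) -> Optional[dict]:
    """Return {ts, user, cmd} for a shell.log command line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def match_kill(cmd: str) -> Optional[str]:
    """Return the name of the first termination pattern the command matches, else None."""
    for name, pat in KILL_PATTERNS.items():
        if pat.search(cmd):
            return name
    return None

def detect(lines) -> list:
    """Return one hit (ts, user, cmd, pattern) per line carrying a VM termination command."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # not a shell.log command line; skip it
        name = match_kill(entry["cmd"])
        if name:
            hits.append({**entry, "pattern": name})
    return hits
```

Listing commands such as `esxcli vm process list` is deliberately not flagged; only the kill forms produce a hit, which keeps the user field available as the triage pivot.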
Categories
  • Infrastructure
Data Sources
  • Volume
ATT&CK Techniques
  • T1673
  • T1529
  • T1499
Created: 2025-05-12