
ESXi VM Kill Via ESXCLI

Sigma Rules

Summary
This detection rule identifies the execution of the `esxcli` command with the `vm` and `kill` flags, which can be indicative of an unauthorized attempt to shut down or terminate a virtual machine (VM) on an ESXi server. The `esxcli` command-line interface is commonly used for managing ESXi hosts and their respective VMs, and the `kill` flag specifically aims to halt a running VM process. While legitimate administrators may use this command for maintenance or troubleshooting purposes, its usage in a suspicious context can signal a potential threat or attack against the virtualization infrastructure. Therefore, monitoring for this behavior is critical in environments utilizing ESXi servers, particularly to mitigate risks associated with emerging threats targeting hypervisors and VM environments.
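As an added illustration (not the rule's own source, which this page does not reproduce), the following Python applies the same matching logic to a few constructed process-creation events. The `esxcli vm process kill` form with its `--type` and `--world-id` options is the documented command syntax; the event record layout is an assumption.

```python
import shlex
from pathlib import PurePosixPath

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": 1, "user": "root", "cmdline": "/bin/esxcli vm process list"},
    {"id": 2, "user": "root", "cmdline": "esxcli vm process kill --type=force --world-id=12345"},
    {"id": 3, "user": "root", "cmdline": "/bin/esxcli --formatter=csv vm process kill --type=soft --world-id=67890"},
    {"id": 4, "user": "admin", "cmdline": "grep 'esxcli vm process kill' /var/log/shell.log"},
    {"id": 5, "user": "root", "cmdline": "esxcli system settings advanced list"},
]


def is_esxcli_vm_kill(cmdline: str) -> bool:
    """True when the command line runs esxcli in the `vm` namespace with a `kill` subcommand.

    Options (tokens starting with '-') between the positional words are ignored so that
    global flags such as --formatter do not break the match. argv[0] must be esxcli itself,
    so the string merely appearing inside another program's arguments (event 4) does not match.
    """
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return False  # unbalanced quotes: not parseable as a shell command line
    if not argv or PurePosixPath(argv[0]).name != "esxcli":
        return False
    positional = [tok for tok in argv[1:] if not tok.startswith("-")]
    # Expected shape: esxcli vm process kill [options]
    return len(positional) >= 2 and positional[0] == "vm" and "kill" in positional[1:]


def scan_events(events):
    """Return the ids of the events that match the rule, in input order."""
    return [ev["id"] for ev in events if is_esxcli_vm_kill(ev["cmdline"])]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        flag = "ALERT" if is_esxcli_vm_kill(ev["cmdline"]) else "ok   "
        print(f"{flag} {ev['id']} {ev['user']}: {ev['cmdline']}")
```

Matches still need the context the summary mentions (who ran it, when, and from which session) before they are treated as hostile rather than routine maintenance.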
Categories
  • Infrastructure
  • Cloud
  • Linux
Data Sources
  • Process
Created: 2023-09-04