Adversaries may use ESXCLI (T1059.012, Hypervisor CLI) to terminate running ESXi virtual machines (T1529, System Shutdown/Reboot). ESXi-targeting ransomware families such as those covered in the references below kill VMs before encrypting the datastore, because a running VM holds locks on its .vmdk and .vmx files; attackers also kill VMs simply to disrupt operations or to cover their tracks. SOC teams should hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) to catch hands-on-keyboard activity on a hypervisor before the encryption stage.
Detection Rule
title: ESXi VM Kill Via ESXCLI
id: 2992ac4d-31e9-4325-99f2-b18a73221bb2
status: test
description: Detects execution of the "esxcli" command with the "vm process kill" subcommand in order to kill/shut down a specific VM (identified by its world ID).
references:
    - https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_vm.html
    - https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/
    - https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html
author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.execution
    - attack.impact
    - attack.t1059.012
    - attack.t1529
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains|all:
            - 'vm process'
            - 'kill'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
Microsoft Sentinel (ASIM imProcessCreate) translation of the rule:
imProcessCreate
| where TargetProcessName endswith "/esxcli"
| where TargetProcessCommandLine contains "vm process" and TargetProcessCommandLine contains "kill"
Note that ESXi does not natively emit process-creation telemetry the way a Linux host with auditd or Sysmon does. To feed this query you need either an EDR sensor that supports ESXi, or the command lines recorded in /var/log/shell.log (forwarded via syslog) mapped into the ASIM process event schema; the file-based hunt on shell.log is the practical fallback on most ESXi estates.
Scenario: Scheduled VM Shutdown via ESXCLI
Description: A maintenance script run during a scheduled window attempts a graceful guest shutdown first and, for guests that do not respond in time, falls back to esxcli vm process kill --type=soft --world-id=<id>. Note that esxcli system shutdown acts on the ESXi host, not on a VM, and does not match this rule at all, since its command line contains neither "vm process" nor "kill"; only an esxcli vm process kill invocation fires it.
Filter/Exclusion: Correlate the event timestamp with the approved maintenance window and, where the command was launched from a script, with a known script path in the parent process (or in the surrounding shell.log entries). Do not exclude on the word "shutdown" in the command line.
Scenario: VM Guest Shutdown via ESXCLI by Admin
Description: A system administrator runs esxcli vm process kill --type=soft --world-id=<id> (escalating to --type=hard or --type=force) to terminate a VM whose guest no longer responds to a normal shutdown.
Filter/Exclusion: Filtering on the user account alone is weak on ESXi, because nearly all interactive work, legitimate or malicious, runs as root. Instead, check the world ID or VM name against an open change or incident ticket, confirm the origin of the SSH or DCUI session that issued the command, and treat --type=force against several VMs in quick succession as suspicious regardless of the account used.
Scenario: ESXi Host Maintenance via CLI
Description: An admin runs esxcli system shutdown poweroff or esxcli system shutdown reboot to power off or reboot an ESXi host during routine maintenance. This command line contains neither "vm process" nor "kill", so it does not match the rule and is not a false-positive source for this detection; it is listed here to avoid confusion with the VM-level kill. If a host shutdown is preceded by individual esxcli vm process kill commands, those kills are what to review.
Filter/Exclusion: Filter by host name or IP address, and check for associated maintenance tickets or logs.
Scenario: Automated VM Health Check Job
Description: A scheduled job (e.g., vmHealthCheck.sh) uses esxcli to kill VM processes that are deemed unresponsive or unhealthy.
Filter/Exclusion: Filter by job name or script path, and check for presence of a known health check tool or script.
Scenario: VM Migration or vMotion Task
Description: vMotion and Storage vMotion are orchestrated by vCenter and the host agents (vpxa/hostd); the source VM's vmx process ends as part of the migration, but no esxcli process is spawned, so a migration by itself does not produce a match for this rule.
Filter/Exclusion: Do not add a migration-based exclusion. An esxcli vm process kill that coincides with a vMotion task is still a manual or scripted action and should be checked against the VM name and task ID in the vCenter task and event logs.
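The following is an added example, not part of the Sigma rule or of the original page. It implements the rule's selection (Image ends with /esxcli and the command line contains both "vm process" and "kill"), runs it over constructed events that cover the scenarios above (an interactive forced kill, enumeration only, a host shutdown, a vim-cmd guest shutdown, and a kill issued by an allowlisted health-check script), applies the parent-script tuning filter from the health-check scenario, and maps an ESXi shell.log line onto the same fields for estates that lack process-creation telemetry. The script path, world IDs, binary locations and the shell.log line format are assumptions.

```python
"""Added example, not part of the Sigma rule or the original page: the rule's
selection logic run over constructed events, a tuning filter for the
"known health-check script" scenario, and a parser for ESXi shell.log lines.
All paths, world IDs and the log line format below are assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical allowlist: parent scripts known to run
# 'esxcli vm process kill' as part of sanctioned automation.
KNOWN_AUTOMATION_PARENTS = {"/vmfs/volumes/datastore1/scripts/vmHealthCheck.sh"}

# Assumed shape of an ESXi /var/log/shell.log entry:
#   <timestamp> shell[<pid>]: [<user>]: <command line>
SHELL_LOG_RE = re.compile(r"^\S+ shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # Sigma 'Image'
    command_line: str   # Sigma 'CommandLine'
    parent_image: str = ""
    user: str = ""


def matches_rule(ev: ProcessEvent) -> bool:
    """Sigma selection: Image|endswith '/esxcli' AND
    CommandLine|contains|all ['vm process', 'kill']."""
    if not ev.image.endswith("/esxcli"):
        return False
    return all(token in ev.command_line for token in ("vm process", "kill"))


def is_known_automation(ev: ProcessEvent) -> bool:
    """Tuning filter from the health-check scenario: suppress hits whose
    parent is an allowlisted script. A user-account filter is deliberately
    not used, because on ESXi both admins and intruders run as root."""
    return ev.parent_image in KNOWN_AUTOMATION_PARENTS


def triage(events: List[ProcessEvent]) -> Tuple[List[ProcessEvent], List[ProcessEvent]]:
    """Split rule hits into (alerts, suppressed_by_allowlist)."""
    alerts, suppressed = [], []
    for ev in events:
        if matches_rule(ev):
            (suppressed if is_known_automation(ev) else alerts).append(ev)
    return alerts, suppressed


def event_from_shell_log(line: str) -> Optional[ProcessEvent]:
    """Map a shell.log line onto the process_creation fields the rule uses.
    shell.log carries no binary path, so Image is derived from the first
    token of the command (assumed to live in /bin on ESXi)."""
    m = SHELL_LOG_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    first = cmd.split()[0]
    image = first if first.startswith("/") else "/bin/" + first
    return ProcessEvent(image, cmd, parent_image="/bin/sh", user=m.group("user"))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Forced kill of a running VM from an interactive shell: should alert.
    ProcessEvent("/bin/esxcli", "esxcli vm process kill --type=force --world-id=2101347",
                 "/bin/sh", "root"),
    # Enumeration only, no 'kill' token: no match.
    ProcessEvent("/bin/esxcli", "esxcli vm process list", "/bin/sh", "root"),
    # Host shutdown, no 'vm process' token: no match (see the host scenario).
    ProcessEvent("/bin/esxcli", "esxcli system shutdown poweroff --reason=maintenance",
                 "/bin/sh", "root"),
    # Graceful guest shutdown uses a different binary: no match.
    ProcessEvent("/bin/vim-cmd", "vim-cmd vmsvc/power.shutdown 12", "/bin/sh", "root"),
    # Allowlisted health-check script killing a hung VM: match, but suppressed.
    ProcessEvent("/bin/esxcli", "esxcli vm process kill --type=soft --world-id=2101222",
                 "/vmfs/volumes/datastore1/scripts/vmHealthCheck.sh", "root"),
]

# Constructed shell.log line in the assumed format.
SAMPLE_SHELL_LOG = ("2023-09-04T10:15:30Z shell[2101234]: [root]: "
                    "esxcli vm process kill --type=force --world-id=2101347")

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS)
    for ev in alerts:
        print("ALERT     ", ev.user, ev.command_line)
    for ev in suppressed:
        print("SUPPRESSED", ev.parent_image, ev.command_line)
    ev = event_from_shell_log(SAMPLE_SHELL_LOG)
    print("shell.log ->", "match" if ev and matches_rule(ev) else "no match")
```

Running it yields one alert (the interactive forced kill) and one suppressed hit (the allowlisted script); the enumeration, host-shutdown and vim-cmd events never match, which is exactly why the scenarios above that involve esxcli system shutdown or vMotion need no exclusion. The allowlist is keyed on the parent script path rather than on the root account, since on ESXi an account filter would suppress the attacker as readily as the admin.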