.. /kill

Terminate Process

Allows manual termination of processes of interest.


Paths:

Resources:
Acknowledgements:

Detection:

Terminate Process

  1. Terminates processes on an ESXi Host

    kill -9 {process}
    Use case
    An adversary may list processes whose names start with vmx, extract the second column from the output, and use it to terminate the process. Further, research indicates that adversaries enumerate SSH sessions opened by non-root users and send kill signal 9 to terminate them. This ends SSH sessions initiated by legitimate users and allows the adversary to keep operating under the root user account.
    Privileges required
    Administrator
    Operating systems
    ESXi
    Additional Procedural Examples
    • kill -9 $(ps | grep vmx | awk '{print $2}')
    • ps | grep sshd | grep -v -e grep -e root -e 12345 | awk '{print "kill -9", $2}' | sh
    ATT&CK® technique
    T1489

    Tags
    E-Crime: RansomHouse
    A RaaS group that uses the MrAgent tool to target VMware ESXi hosts
    E-Crime: Nevada
    Nevada Ransomware operates via an affiliate program and has been reported to have carried out a campaign targeting any ESXi machine that is exposed to the internet
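
One way to flag the command patterns listed above in collected ESXi shell command logs, added here as an example and not part of the original entry. The log line layout, the rule names and the function names are assumptions, and the sample lines are constructed.

```python
import re

# Assumption: ESXi shell.log layout "<timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$")
# SIGKILL written as -9, -KILL, -SIGKILL, or "-s 9" / "-s KILL"
SIGKILL_RE = re.compile(
    r"\bkill\s+(?:-9\b|-(?:SIG)?KILL\b|-s\s+(?:9|(?:SIG)?KILL)\b)", re.I)
# A grep stage selecting VM (vmx) or SSH daemon (sshd) processes
TARGET_RE = re.compile(r"\bgrep\b[^|]*?\b(?P<target>vmx|sshd)\b", re.I)

# Constructed sample lines, not taken from a real host
SAMPLE_LOG = """\
2024-01-10T03:12:01Z shell[2100345]: [root]: esxcli system version get
2024-01-10T03:14:40Z shell[2100345]: [root]: kill -9 $(ps | grep vmx | awk '{print $2}')
2024-01-10T03:15:02Z shell[2100345]: [root]: ps | grep sshd | grep -v -e grep -e root -e 12345 | awk '{print "kill -9", $2}' | sh
2024-01-10T03:20:11Z shell[2100399]: [root]: kill -HUP 2100500
2024-01-10T03:21:30Z shell[2100399]: [root]: kill -9 2100777
"""

def classify(line):
    """Return a finding dict for a SIGKILL command line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or not SIGKILL_RE.search(m["cmd"]):
        return None
    target = TARGET_RE.search(m["cmd"])
    if target is None:
        rule, severity = "sigkill-single", "low"   # plain kill -9 {process}
    else:
        # PIDs harvested from a process listing: many VMs or sessions at once
        rule, severity = "sigkill-bulk-" + target["target"].lower(), "high"
    return {"ts": m["ts"], "user": m["user"], "rule": rule,
            "severity": severity, "cmd": m["cmd"]}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['severity']:>4} {f['rule']:<18} [{f['user']}] {f['cmd']}")
```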