Vim Cmd | LOLESXi

Enable Service

Enables SSH services on the ESXi host

vim-cmd hostsvc/enable_ssh

Use case: SSH service enables adversaries to laterally move to ESXi hosts and use as an alternative command execution interface.

Privileges required: Administrator

Operating systems: ESXi

ATT&CK® technique: T1021.004

Disable Startup

Disable autostart of Virtual Machines

vim-cmd hostsvc/autostartmanager/enable_autostart false

Use case: Disabling autostart of Virtual Machines prevents them from starting post reboot of a ESXi host.

Privileges required: Administrator

Operating systems: ESXi

Additional Procedural Examples

vim-cmd hostsvc/autostartmanager/enable_autostart 0

ATT&CK® technique: T1529

System Information

Displays summary of system information about the ESXi host

vim-cmd hostsvc/hostsummary | grep cpuModel

Use case: Shows the exact cpuModel from the hostsummary output

Privileges required: Administrator

Operating systems: ESXi

ATT&CK® technique: T1082

Displays the list of VMs available on an ESXi host.

vim-cmd vmsvc/getallvms

Use case: Shows running VMs on an ESXi Host. Adversaries were seen use this techinique to programatically enumerate VMs and powers them down using the Vmid.

Privileges required: Administrator

Operating systems: ESXi

Additional Procedural Examples

/bin/sh -c “for vmid in $(vim-cmd vmsvc/getallvms | grep -v Vmid | awk '{print $1}'); do vim-cmd vmsvc/power.off $vmid; done"

for i in $(vim-cmd vmsvc/getallvms | awk '{print $1}' | grep -Eo '[0-9]{1,5}'); do vim-cmd vmsvc/power.off $i; vim-cmd vmsvc/snapshot.removeall $i; done;

ATT&CK® technique: T1082

Inhibit Recovery

Remove VM Snapshots

vim-cmd vmsvc/snapshot.removeall

Use case: Deletes all snapshots of all Virtual Machines. This activity is usually observed near ransomware deployment and is often executed programatically.

Privileges required: Administrator

Operating systems: ESXi

Additional Procedural Examples

for i in `vim-cmd vmsvc/getallvms| awk '{print$1}'`;do vim-cmd vmsvc/snapshot.removeall $i & done

vim-cmd vmsvc/snapshot.removeall %llu > /dev/null 2>&1

ATT&CK® technique: T1082

Power off VM

vim-cmd vmsvc/power.off

Use case: Powers off Virtual Machines. This activity is usually observed near ransomware deployment and is often executed programatically.

Privileges required: Administrator

Operating systems: ESXi

Additional Procedural Examples

vim-cmd vmsvc/getallvms | grep -o -E \'^[0-9]+\' | xargs -r -n 1 vim-cmd vmsvc/power.off

/bin/sh -c “for vmid in $(vim-cmd vmsvc/getallvms | grep -v Vmid | awk '{print $1}'); do vim-cmd vmsvc/power.off $vmid; done"

for i in $(vim-cmd vmsvc/getallvms | awk '{print $1}' | grep -Eo '[0-9]{1,5}'); do vim-cmd vmsvc/power.off $i; vim-cmd vmsvc/snapshot.removeall $i; done;

ATT&CK® technique: T1529

Tags: E-Crime: Lockbit
A RaaS who utilises initial access brokers to gain access to victims. Reported to targets critical infrastructure sectors, financial services, transportation, food and agriculture, education, energy, government and emergency services
E-Crime: Ransomhub
This function was tagged with "E-Crime: Ransomhub".
E-Crime: Blackcat
BlackCat (aka ALPHV,Noberus) ransomware is written in rust. Reported to have been created by a group of Russian-speaking cybercriminals
E-Crime: Qilin
Aka Agenda and is written in Golang. Uses double extortion technique and target large enterprises and high-value targets
E-Crime: Play
A group that uses double-extortion with capabilities to target ESXi hosts.Based on reporting this group has targeted mostly US entities in the past
E-Crime: Lynx
A RaaS group who shares code similarity of INC ransomware

.. /vim-cmd Star

Enable Service

Disable Startup

System Information

Inhibit Recovery

Power off VM

.. /vim-cmd
Star