Splunk

ESXi Bulk VM Termination

Last updated 2 days ago on 2026-07-17

About

This detection identifies when all virtual machines on an ESXi host are abruptly terminated, which may indicate malicious activity such as a deliberate denial-of-service, ransomware staging, or an attempt to destroy critical workloads.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
False Positives
Limited false positives in most environments, however tune as needed.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`esxi_syslog` | rex field=_raw "\s\[(?<user>[^\]]+)\]:\s(?<shell_command>.+)$" | rex field=_raw "Z (?<dest>[\w\.]+)\s.*:\s(?<esxicli_Command>esxcli\s.+)" | eval command=mvappend(esxicli_Command, shell_Command) | where isnotnull(command) | search (command="pkill -9 vmx-*") OR ( command="*esxcli*" AND command="*--format-param*" AND command="*vm process list*" AND command="*awk*" AND command="*esxcli vm process kill*") | stats min(_time) as firstTime max(_time) as lastTime values(_time) as timeStamp values(command) as commands values(user) as user by dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_bulk_vm_termination_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).