ESXi Admin Permission Assigned To Account Via ESXCLI
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
Sigma rule
```yaml
title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: test
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'system'
        CommandLine|contains|all:
            - ' permission '
            - ' set'
            - 'Admin'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: high
```
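To see what this selection actually fires on, the following is an added example (not part of the Sigma rule or the Sigma project) that re-implements the `selection` block in plain Python and runs it over a few constructed `process_creation` events; the command lines, account name and `-i`/`-r` flags in the samples are assumptions for illustration, not values from the rule.

```python
# Added example: evaluate the rule's 'selection' block against constructed events.
# Sigma string matching is case-insensitive by default, so both sides are lowercased.

def matches_esxcli_admin_permission(event: dict) -> bool:
    """Return True when the event satisfies every condition in 'selection'."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    # Image|endswith: '/esxcli'
    if not image.endswith("/esxcli"):
        return False
    # CommandLine|contains: 'system'
    if "system" not in cmd:
        return False
    # CommandLine|contains|all: every listed substring must be present
    required = (" permission ", " set", "admin")
    return all(token in cmd for token in required)


# Constructed sample events (not real telemetry); flags/accounts are assumptions.
SAMPLE_EVENTS = [
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission set -i svc_backup -r Admin"},
    {"Image": "/bin/esxcli",
     "CommandLine": "ESXCLI System Permission Set -i svc_backup -r admin"},
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission list"},
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission set -i svc_backup -r ReadOnly"},
    {"Image": "/usr/bin/python3",
     "CommandLine": "python3 /tmp/wrapper.py system permission set Admin"},
]


def find_matches(events):
    """Return the command lines of all events the rule would alert on."""
    return [e["CommandLine"] for e in events if matches_esxcli_admin_permission(e)]


if __name__ == "__main__":
    for line in find_matches(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The second sample shows that a differently cased invocation still matches, while the `list` call, the `ReadOnly` role assignment and the non-esxcli image do not.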