ESXi Admin Permission Assigned To Account Via ESXCLI
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
Sigma rule

title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: test
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.t1059.012
    - attack.t1098
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'system'
        CommandLine|contains|all:
            - ' permission '
            - ' set'
            - 'Admin'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: high
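To show what the selection above actually matches, here is an added example (not part of the rule or the Sigma project) that applies the same three conditions to a handful of constructed process_creation events. Sigma string modifiers such as `endswith` and `contains` compare case-insensitively, so the check lowercases both sides; the command lines, account names and the `Image` paths are invented for illustration and do not come from real telemetry.

```python
"""Evaluate the Sigma selection from the rule above against constructed events.

Fields mirror the Sigma process_creation log source: Image (executable path)
and CommandLine (full command line).  Matching is case-insensitive, as in
Sigma's default string handling.
"""

# Constructed sample events; only the first one should raise an alert.
SAMPLE_EVENTS = [
    # Admin role granted to an account: all three conditions hold.
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission set -i backup_svc -r Admin"},
    # Enumeration only: no ' set' token in the command line.
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission list"},
    # Non-admin role: 'Admin' is absent.
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission set -i auditor -r ReadOnly"},
    # Same tokens, but the process image is not esxcli, so Image|endswith fails.
    {"Image": "/bin/sh",
     "CommandLine": "sh -c 'echo system permission set Admin'"},
]

# The literal strings from the rule's selection block.
IMAGE_SUFFIX = "/esxcli"
CONTAINS_ANY = "system"
CONTAINS_ALL = (" permission ", " set", "Admin")


def matches_esxi_admin_permission_rule(event: dict) -> bool:
    """Return True when the event satisfies every condition of `selection`."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    if CONTAINS_ANY not in cmd:
        return False
    # contains|all: every listed substring must be present.
    return all(token.lower() in cmd for token in CONTAINS_ALL)


def alerts(events):
    """Return the command lines of all events that trigger the rule."""
    return [e["CommandLine"] for e in events if matches_esxi_admin_permission_rule(e)]


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Note that `' permission '` carries a space on both sides and `' set'` a leading space, so the rule keys on whole tokens in the `esxcli system permission set` syntax rather than on substrings of unrelated words; triage of a hit should still confirm the role argument, since the false-positive entry reminds us that legitimate administration produces the same command line.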
Related rules
- Password Set to Never Expire via WMI
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted