ESXi Admin Permission Assigned To Account Via ESXCLI
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
Sigma rule

title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: test
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.t1059.012
    - attack.t1098
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'system'
        CommandLine|contains|all:
            - ' permission '
            - ' set'
            - 'Admin'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: high
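To show what the selection above actually fires on, here is an added example (not part of the Sigma project) that evaluates the rule's three field tests, with Sigma's case-insensitive string matching, over constructed process_creation events; the event contents and the `alerting_events` helper are assumptions made for this illustration.

```python
# Added example: evaluates the rule's detection block over constructed events.
# Keys are written as Sigma writes them: field|modifier[|modifier].
SELECTION = {
    "Image|endswith": "/esxcli",
    "CommandLine|contains": "system",
    "CommandLine|contains|all": [" permission ", " set", "Admin"],
}


def field_matches(value: str, modifiers: list, patterns) -> bool:
    """Apply the modifiers this rule uses. Sigma string matching is
    case-insensitive, so both sides are lower-cased before comparing."""
    value = value.lower()
    pats = patterns if isinstance(patterns, list) else [patterns]
    pats = [p.lower() for p in pats]
    if "endswith" in modifiers:
        tests = [value.endswith(p) for p in pats]
    elif "contains" in modifiers:
        tests = [p in value for p in pats]
    else:
        tests = [value == p for p in pats]
    # A list of values is OR-ed unless the 'all' modifier is present.
    return all(tests) if "all" in modifiers else any(tests)


def selection_matches(event: dict, selection: dict = SELECTION) -> bool:
    """condition: selection -- every entry of the selection map must match."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if not field_matches(event.get(field, ""), modifiers, patterns):
            return False
    return True


# Constructed sample events (not real telemetry); only the first should alert.
EVENTS = [
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission set --id backup --role Admin"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system permission list"},
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission set --id ops --role ReadOnly"},
    {"Image": "/bin/bash",
     "CommandLine": "esxcli system permission set --id ops --role Admin"},
]


def alerting_events(events=EVENTS) -> list:
    """Return the command lines the rule would alert on."""
    return [e["CommandLine"] for e in events if selection_matches(e)]


if __name__ == "__main__":
    for line in alerting_events():
        print("ALERT:", line)
```

Note that the third event (role ReadOnly) and the second (a plain `list`) pass the `system` and `permission` tests but fail the `contains|all` block, which is what keeps the rule from firing on routine permission listing.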
Related rules
- ESXi Account Creation Via ESXCLI
- ESXi Network Configuration Discovery Via ESXCLI
- ESXi Storage Information Discovery Via ESXCLI
- ESXi Syslog Configuration Change Via ESXCLI
- ESXi System Information Discovery Via ESXCLI