ESXi Admin Permission Assigned To Account Via ESXCLI

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

Sigma rule (View on GitHub)

title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: test
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
tags:
    - attack.execution
    - attack.privilege-escalation
    - attack.t1059.012
    - attack.t1098
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'system'
        CommandLine|contains|all:
            - ' permission '
            - ' set'
            - 'Admin'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: high
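The following is an added example, not part of the SigmaHQ rule or this page: a minimal evaluator for the selection above, run over constructed process_creation events. It shows which command lines fire the rule and which do not (enumeration with "permission list", a ReadOnly role assignment, the same text launched from a different binary). Sigma string matching is case-insensitive unless the `cased` modifier is used, so 'Admin' also matches 'admin'; the evaluator mirrors that. The event dictionaries, the `/bin/esxcli` image path and all sample command lines are constructed for illustration and are not real telemetry.

```python
# Added example: evaluate the rule's selection over constructed events.
# Field names follow the Sigma generic process_creation log source
# (Image, CommandLine). Values are compared case-insensitively, as Sigma
# does by default. All sample data below is constructed, not real telemetry.

SELECTION = {
    "Image|endswith": "/esxcli",
    "CommandLine|contains": ["system"],
    "CommandLine|contains|all": [" permission ", " set", "Admin"],
}


def _match_field(event, key, values):
    """Apply one 'field|modifier' entry of the selection to an event."""
    field, *modifiers = key.split("|")
    haystack = str(event.get(field, "")).lower()
    if isinstance(values, str):
        values = [values]
    needles = [v.lower() for v in values]
    op = modifiers[0] if modifiers else "equals"
    if op == "endswith":
        tests = [haystack.endswith(n) for n in needles]
    elif op == "contains":
        tests = [n in haystack for n in needles]
    else:
        tests = [haystack == n for n in needles]
    # A list of values is OR-ed; with the 'all' modifier every value must hit.
    return all(tests) if "all" in modifiers else any(tests)


def matches(event):
    """True when every key of the selection matches (keys are AND-ed)."""
    return all(_match_field(event, k, v) for k, v in SELECTION.items())


# Constructed sample events (hypothetical, not captured from a host).
SAMPLE_EVENTS = [
    # True positive: a local account is given the Admin role.
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission set -i svc_backup -r Admin"},
    # Also matches: long-form options, lower-case role (case-insensitive match).
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission set --id=svc --role=admin"},
    # Not matched: enumeration only, no ' set' in the command line.
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission list"},
    # Not matched: ReadOnly role, the rule only looks for 'Admin'.
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission set -i audit -r ReadOnly"},
    # Not matched: same text, but Image does not end with '/esxcli'.
    {"Image": "/bin/bash",
     "CommandLine": "echo esxcli system permission set -i x -r Admin"},
]


def alerts(events=SAMPLE_EVENTS):
    """Command lines of the events that fire the rule, in input order."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for cmd in alerts():
        print("ALERT:", cmd)
```

When triaging a hit, compare the account named by `-i`/`--id` against the host's expected administrators; the rule's stated false positive is legitimate administration, so an allow-list of known change windows or admin accounts is the usual tuning rather than loosening the 'Admin' string.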
