ESXi Admin Permission Assigned To Account Via ESXCLI
Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
Sigma rule (View on GitHub)
1title: ESXi Admin Permission Assigned To Account Via ESXCLI
2id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
3status: experimental
4description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
5references:
6 - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
7author: Nasreddine Bencherchali (Nextron Systems)
8date: 2023/09/04
9tags:
10 - attack.execution
11logsource:
12 category: process_creation
13 product: linux
14detection:
15 selection:
16 Image|endswith: '/esxcli'
17 CommandLine|contains: 'system'
18 CommandLine|contains|all:
19 - ' permission '
20 - ' set'
21 - 'Admin'
22 condition: selection
23falsepositives:
24 - Legitimate administration activities
25level: high
References
-
ESXCLI Reference The ESXCLI command set allows you to run common system administration commands against vSphere systems from an administration server of your choice. The actual list of commands dep...
Read More
Related rules
- ESXi VM Kill Via ESXCLI
- Qakbot Uninstaller Execution
- Possible Impacket DCOMExec Connection Attempt - Zeek
- Certificate Exported Via PowerShell
- Execution of Powershell Script in Public Folder