ESXi Admin Permission Assigned To Account Via ESXCLI

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

Sigma rule

title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: experimental
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/09/04
tags:
    - attack.execution
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'system'
        CommandLine|contains|all:
            - ' permission '
            - ' set'
            - 'Admin'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: high
