ESXi Syslog Configuration Change Via ESXCLI
Detects changes to the ESXi syslog configuration via "esxcli"
Sigma rule

```yaml
title: ESXi Syslog Configuration Change Via ESXCLI
id: 38eb1dbb-011f-40b1-a126-cf03a0210563
status: test
description: Detects changes to the ESXi syslog configuration via "esxcli"
references:
    - https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.defense-evasion
    - attack.t1562.001
    - attack.t1562.003
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains|all:
            - 'system'
            - 'syslog'
            - 'config'
        CommandLine|contains: ' set'
    condition: selection
falsepositives:
    - Legitimate administrative activities
level: medium
```
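To show what the `selection` block actually fires on, here is an added example (written for this page, not part of the Sigma project or any of its backends) that transcribes the rule's matching logic into Python and runs it over a handful of constructed `process_creation` events. It assumes Sigma's default case-insensitive string matching for `endswith` and `contains`; the sample commands, paths and host address are placeholders, not data from the rule.

```python
"""Evaluate the 'ESXi Syslog Configuration Change Via ESXCLI' selection
against constructed process_creation events.

Added illustrative code for this page, not a Sigma backend.  Field names
follow the rule (Image, CommandLine); sample events are constructed.
"""

from typing import Dict, List

# Selection criteria transcribed from the rule.
IMAGE_SUFFIX = "/esxcli"                        # Image|endswith
CMDLINE_ALL = ("system", "syslog", "config")    # CommandLine|contains|all
CMDLINE_ANY = (" set",)                         # CommandLine|contains


def matches(event: Dict[str, str]) -> bool:
    """Return True if the event satisfies the rule's 'selection'.

    Sigma string modifiers are case-insensitive unless 'cased' is added,
    so both fields are lower-cased before comparison (assumption stated
    in the lead-in).
    """
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    if not all(tok in cmd for tok in CMDLINE_ALL):
        return False
    return any(tok in cmd for tok in CMDLINE_ANY)


def triage(events: List[Dict[str, str]]) -> List[str]:
    """Return the CommandLine of every event that fires the rule."""
    return [e["CommandLine"] for e in events if matches(e)]


# Constructed sample events; host, datastore and logger ids are placeholders.
SAMPLE_EVENTS = [
    {   # remote log host changed: fires
        "Image": "/bin/esxcli",
        "CommandLine": "esxcli system syslog config set --loghost=udp://192.0.2.10:514",
    },
    {   # read-only query, no ' set' token: does not fire
        "Image": "/bin/esxcli",
        "CommandLine": "esxcli system syslog config get",
    },
    {   # per-logger change: all tokens present, fires
        "Image": "/bin/esxcli",
        "CommandLine": "esxcli system syslog config logger set --id=hostd --rotate=0",
    },
    {   # same words from another binary: Image does not end with /esxcli
        "Image": "/bin/sh",
        "CommandLine": "sh -c 'echo system syslog config set'",
    },
    {   # case variation still fires under default Sigma matching
        "Image": "/bin/ESXCLI",
        "CommandLine": "ESXCLI SYSTEM SYSLOG CONFIG SET --logdir=/vmfs/volumes/ds1/logs",
    },
]


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print("ALERT:", line)
```

The third event is worth noting when tuning: `config logger set` satisfies `contains|all` just as `config set` does, so logger-level changes alert too, and the `' set'` token with its leading space is what keeps `config get` from matching. Because the rule matches any `set` under `system syslog config`, routine administration such as pointing a new host at the SIEM will also fire, which is the false positive the rule lists; a maintenance-window or change-ticket correlation is the usual way to handle that rather than loosening the selection.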
Related rules
- Tamper Windows Defender - PSClassic
- Tamper Windows Defender - ScriptBlockLogging
- Disable Windows Defender Functionalities Via Registry Keys
- Load Of RstrtMgr.DLL By A Suspicious Process
- Load Of RstrtMgr.DLL By An Uncommon Process