ESXi Syslog Configuration Change Via ESXCLI

 1title: ESXi Syslog Configuration Change Via ESXCLI
 2id: 38eb1dbb-011f-40b1-a126-cf03a0210563
 3status: test
 4description: Detects changes to the ESXi syslog configuration via "esxcli"
 5references:
 6    - https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US
 7    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
 8author: Cedric Maurugeon
 9date: 2023-09-04
10tags:
11    - attack.defense-evasion
12    - attack.execution
13    - attack.t1562.001
14    - attack.t1562.003
15    - attack.t1059.012
16logsource:
17    category: process_creation
18    product: linux
19detection:
20    selection:
21        Image|endswith: '/esxcli'
22        CommandLine|contains|all:
23            - 'system'
24            - 'syslog'
25            - 'config'
26        CommandLine|contains: ' set'
27    condition: selection
28falsepositives:
29    - Legitimate administrative activities
30level: medium

References

• Success Center

  Loading ×Sorry to interrupt CSS Error Refresh

  
  Read More

• ESXCLI Commands | ESXCLI Command Reference

  Command Description Options Help system account add Create a new local user account. --description | -d User description, e.g. full name. --id | -i User ID, e.g. "administrator". (required) --passw...

  
  Read More

Related rules

• Obfuscated PowerShell OneLiner Execution
• HackTool - Stracciatella Execution
• AMSI Bypass Pattern Assembly GetType
• HackTool - CobaltStrike BOF Injection Pattern
• Service StartupType Change Via PowerShell Set-Service