ESXi Syslog Configuration Change Via ESXCLI

Detects changes to the ESXi syslog configuration via "esxcli"

Sigma rule

```yaml
title: ESXi Syslog Configuration Change Via ESXCLI
id: 38eb1dbb-011f-40b1-a126-cf03a0210563
status: experimental
description: Detects changes to the ESXi syslog configuration via "esxcli"
references:
    - https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US
    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023/09/04
tags:
    - attack.defense_evasion
    - attack.t1562.001
    - attack.t1562.003
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains|all:
            - 'system'
            - 'syslog'
            - 'config'
        CommandLine|contains: ' set'
    condition: selection
falsepositives:
    - Legitimate administrative activities
level: medium
```
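To see what the selection above actually fires on, here is an added example (not part of the Sigma rule or of SigmaHQ) that evaluates the rule's three field conditions in Python over a handful of constructed ESXi process-creation events. Sigma's `contains` and `endswith` modifiers are case-insensitive unless a rule says otherwise, so the matcher lowercases both sides; the sample command lines and the `/bin/esxcli` image path are constructed for the example, not captured telemetry.

```python
"""Evaluate the ESXi syslog Sigma selection over constructed process_creation events.

Added example, not code from the Sigma rule or SigmaHQ. The three entries
below mirror the rule's `selection` block; `condition: selection` means all
of them must hold for an event to match.
"""

SELECTION = {
    "Image|endswith": "/esxcli",
    "CommandLine|contains|all": ["system", "syslog", "config"],
    "CommandLine|contains": " set",
}


def _match_field(spec: str, expected, event: dict) -> bool:
    """Evaluate one 'field|modifier[|all]' entry of a Sigma selection.

    Sigma string matching is case-insensitive by default, so both the event
    value and the expected strings are lowercased before comparison.
    """
    field, *modifiers = spec.split("|")
    value = str(event.get(field, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    wanted = [str(w).lower() for w in wanted]

    if "endswith" in modifiers:
        hits = [value.endswith(w) for w in wanted]
    elif "startswith" in modifiers:
        hits = [value.startswith(w) for w in wanted]
    elif "contains" in modifiers:
        hits = [w in value for w in wanted]
    else:  # plain equality when no string modifier is given
        hits = [value == w for w in wanted]

    # '|all' requires every listed value to match; otherwise a list is an OR.
    return all(hits) if "all" in modifiers else any(hits)


def matches(event: dict) -> bool:
    """condition: selection -> every entry of the selection must hold (AND)."""
    return all(_match_field(spec, exp, event) for spec, exp in SELECTION.items())


# Constructed sample events (hypothetical, not real ESXi telemetry).
SAMPLE_EVENTS = [
    # Redirecting remote syslog: the classic pre-ransomware evasion step.
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system syslog config set --loghost=udp://10.0.0.5:514"},
    # Per-logger change; matches because ' set' may appear anywhere in the line.
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system syslog config logger set --id=vmkernel --size=0"},
    # Read-only query: no ' set', so no alert.
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system syslog config get"},
    # Reloading the syslog service: lacks 'config', so no alert.
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system syslog reload"},
    # Same command wrapped in a shell: this *sh* event fails the Image check;
    # the child esxcli process_creation event is what the rule would catch.
    {"Image": "/bin/sh",
     "CommandLine": "sh -c 'esxcli system syslog config set --loghost='"},
]


def alerts(events=SAMPLE_EVENTS) -> list:
    """Return the CommandLine of every event the rule would fire on."""
    return [e["CommandLine"] for e in events if matches(e)]


if __name__ == "__main__":
    for line in alerts():
        print("ALERT:", line)
```

Two points worth noticing when running this: the rule matches any `set` anywhere on the command line, so `config logger set` is covered alongside `config set`; and a process_creation event for a shell that wraps the call does not match on `Image`, which is fine as long as the telemetry also records the child `esxcli` process.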
