ESXi Syslog Configuration Change Via ESXCLI

 1title: ESXi Syslog Configuration Change Via ESXCLI
 2id: 38eb1dbb-011f-40b1-a126-cf03a0210563
 3status: experimental
 4description: Detects changes to the ESXi syslog configuration via "esxcli"
 5references:
 6    - https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US
 7    - https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html
 8author: Cedric Maurugeon
 9date: 2023/09/04
10tags:
11    - attack.defense_evasion
12    - attack.t1562.001
13    - attack.t1562.003
14logsource:
15    category: process_creation
16    product: linux
17detection:
18    selection:
19        Image|endswith: '/esxcli'
20        CommandLine|contains|all:
21            - 'system'
22            - 'syslog'
23            - 'config'
24        CommandLine|contains: ' set'
25    condition: selection
26falsepositives:
27    - Legitimate administrative activities
28level: medium

References

• Success Center

  Loading ×Sorry to interrupt CSS Error Refresh

  
  Read More

• Online Documentation - ESXi 7.0 ESXCLI Command Reference - VMware {code}

  ESXi 7.0 ESXCLI Command Reference The document does not exist or no topics available. Display Table of Contents No results found, please try refining your search.

  
  Read More

Related rules

• Suspicious Service Installed
• Disable Exploit Guard Network Protection on Windows Defender
• Disable PUA Protection on Windows Defender
• Disable Privacy Settings Experience in Registry
• Disable Sysmon Event Logging Via Registry