ESXi Account Creation Via ESXCLI
Detects user account creation on an ESXi host via esxcli
Sigma rule

title: ESXi Account Creation Via ESXCLI
id: b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db
status: test
description: Detects user account creation on an ESXi host via esxcli
references:
  - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-08-22
tags:
  - attack.persistence
  - attack.execution
  - attack.t1136
  - attack.t1059.012
logsource:
  category: process_creation
  product: linux
detection:
  selection:
    Image|endswith: '/esxcli'
    CommandLine|contains|all:
      - 'system '
      - 'account '
      - 'add '
  condition: selection
falsepositives:
  - Legitimate administration activities
level: medium
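As an added example, not part of the rule or of the Sigma project: a small Python matcher that applies the selection above to constructed events. ESXi has no auditd-style process_creation telemetry, and commands typed into the ESXi Shell are recorded in /var/log/shell.log, so the example also converts a constructed shell.log excerpt into the Image/CommandLine fields the rule expects. The shell.log line layout, the reconstruction of Image from the first token of the command, and every sample line are assumptions made for the illustration.

```python
"""Added example (not part of the Sigma project or this rule): apply the
rule's selection to constructed events and to a constructed ESXi shell.log
excerpt. Field names follow the rule; the shell.log layout is an assumption."""

import re
from typing import Dict, List, Optional

# Selection transcribed from the rule. Sigma string modifiers match
# case-insensitively by default, so both sides are lower-cased.
IMAGE_SUFFIX = "/esxcli"
CMDLINE_ALL = ("system ", "account ", "add ")


def matches(event: Dict[str, str]) -> bool:
    """Return True when the event satisfies the rule's 'selection'."""
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    # contains|all: every substring must be present, in any order
    return all(token in cmdline for token in CMDLINE_ALL)


# Assumed shell.log layout: "<ts> shell[<pid>]: [<user>]: <command line>".
# shell.log records the typed command, not the binary path, so the Image
# field is reconstructed from the first token (assumption for this example).
SHELL_LOG_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$"
)


def shell_log_to_event(line: str) -> Optional[Dict[str, str]]:
    """Map one shell.log line onto process_creation-style fields, or None."""
    m = SHELL_LOG_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    prog = cmd.split()[0]
    image = prog if prog.startswith("/") else "/bin/" + prog
    return {"Image": image, "CommandLine": cmd, "User": m.group("user")}


# Constructed sample lines, not real telemetry.
SAMPLE_LOG = """\
2023-08-22T10:15:01Z shell[2099567]: [root]: esxcli system account add -i backupsvc -p Sup3rS3cret! -c Sup3rS3cret!
2023-08-22T10:15:09Z shell[2099567]: [root]: esxcli system account list
2023-08-22T10:16:30Z shell[2099567]: [root]: esxcli system account set -i root -p NewPass1! -c NewPass1!
2023-08-22T10:17:02Z shell[2099567]: [root]: /bin/esxcli System Account Add -i svc2 -p x -c x
2023-08-22T10:18:44Z shell[2099567]: [root]: ls -la /etc/vmware/hostd/
"""


def scan(log_text: str) -> List[str]:
    """Return the command lines in the log that trigger the rule."""
    hits = []
    for line in log_text.splitlines():
        ev = shell_log_to_event(line)
        if ev and matches(ev):
            hits.append(ev["CommandLine"])
    return hits


if __name__ == "__main__":
    for cmd in scan(SAMPLE_LOG):
        print("ALERT:", cmd)
```

Two points worth noting when tuning this rule. The three substrings carry trailing spaces, so a bare `esxcli system account add` with no arguments would not match; that is harmless, because `account add` requires at least `-i` and `-p`, so a real invocation always has arguments. Second, the rule deliberately covers only `add`; a password change of an existing account (`esxcli system account set`) falls outside it and, like the permission assignment handled by the sibling rule below, needs its own detection.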
Related rules
- ESXi Admin Permission Assigned To Account Via ESXCLI
- ESXi Network Configuration Discovery Via ESXCLI
- ESXi Storage Information Discovery Via ESXCLI
- ESXi Syslog Configuration Change Via ESXCLI
- ESXi System Information Discovery Via ESXCLI