ESXi Account Creation Via ESXCLI
Detects user account creation on ESXi system via esxcli
Sigma rule (View on GitHub)
1title: ESXi Account Creation Via ESXCLI
2id: b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db
3status: test
4description: Detects user account creation on ESXi system via esxcli
5references:
6 - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
7author: Cedric Maurugeon
8date: 2023-08-22
9tags:
10 - attack.persistence
11 - attack.t1136
12logsource:
13 category: process_creation
14 product: linux
15detection:
16 selection:
17 Image|endswith: '/esxcli'
18 CommandLine|contains|all:
19 - 'system '
20 - 'account '
21 - 'add '
22 condition: selection
23falsepositives:
24 - Legitimate administration activities
25level: medium
References
Related rules
- AWS ElastiCache Security Group Created
- Suspicious 'Admin' Local User Creation with Net Command
- App Assigned To Azure RBAC/Microsoft Entra Role
- Antivirus Web Shell Detection
- Potential Persistence Via AppCompat RegisterAppRestart Layer