Sigma rule | Level: high | Hunting

ESXi Admin Permission Assigned To Account Via ESXCLI

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

MITRE ATT&CK

persistence, execution, privilege-escalation

Detection Query

selection:
  Image|endswith: /esxcli
  CommandLine|contains: system
  CommandLine|contains|all:
    - " permission "
    - " set"
    - Admin
condition: selection

Author

Nasreddine Bencherchali (Nextron Systems)

Created

2023-09-04

Data Sources

linux: Process Creation Events

Platforms

linux

Tags

attack.persistence, attack.execution, attack.privilege-escalation, attack.t1059.012, attack.t1098

Raw Content
title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: test
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.t1059.012
    - attack.t1098
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'system'
        CommandLine|contains|all:
            - ' permission '
            - ' set'
            - 'Admin'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: high
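The following Python script re-implements the selection logic of the rule above (the `endswith`, `contains` and `contains|all` clauses) and runs it over a handful of constructed process-creation events, so the matching behaviour can be checked before the rule is deployed to a SIEM. It is an added example, not code from the Sigma project or the rule's author; the event dictionaries, the field names `Image` and `CommandLine` as the log pipeline's mapping, and the sample command lines are all assumptions made for illustration. Note that Sigma string matching is case-insensitive by default, so the comparison lower-cases both sides.

```python
"""Matching logic of the Sigma rule "ESXi Admin Permission Assigned To
Account Via ESXCLI", replayed over constructed process-creation events.
Added example; not part of the Sigma project or the rule's author's work."""

from typing import Iterable

# The three selection clauses, transcribed from the rule's YAML.
IMAGE_ENDSWITH = "/esxcli"
COMMANDLINE_CONTAINS = "system"
COMMANDLINE_CONTAINS_ALL = (" permission ", " set", "Admin")


def _norm(value: str) -> str:
    # Sigma string matching is case-insensitive unless the 'cased' modifier
    # is used, so both the pattern and the event value are lower-cased.
    return value.lower()


def matches_rule(event: dict) -> bool:
    """Return True when a process-creation event satisfies the selection.

    Assumption: the event carries the Sigma field names 'Image' and
    'CommandLine' (i.e. the log pipeline's field mapping has been applied).
    """
    image = _norm(event.get("Image", ""))
    cmdline = _norm(event.get("CommandLine", ""))

    # Image|endswith: '/esxcli'
    if not image.endswith(_norm(IMAGE_ENDSWITH)):
        return False
    # CommandLine|contains: 'system'
    if _norm(COMMANDLINE_CONTAINS) not in cmdline:
        return False
    # CommandLine|contains|all: every listed substring must be present
    return all(_norm(s) in cmdline for s in COMMANDLINE_CONTAINS_ALL)


def hunt(events: Iterable[dict]) -> list:
    """Return the events that match, i.e. the candidates an analyst reviews."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real telemetry). Only the first one, an
# esxcli call that sets the Admin role on an account, should be flagged; the
# permission listing, the ReadOnly assignment and the unrelated grep process
# show what the rule deliberately leaves alone.
SAMPLE_EVENTS = [
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission set --id backupsvc --role Admin"},
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission list"},
    {"Image": "/bin/esxcli",
     "CommandLine": "esxcli system permission set --id auditor --role ReadOnly"},
    {"Image": "/bin/grep",
     "CommandLine": "grep -i 'permission set Admin' /var/log/shell.log"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("HIT:", hit["Image"], "->", hit["CommandLine"])
```

Because the rule lists "Legitimate administration activities" as its false positive, a hit is a starting point for review rather than a verdict: the account named in `--id`, the interactive or scripted parent process, and whether the change falls inside an approved change window are the usual follow-up checks.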