sigmaDRL-1.1from SigmaHQ/sigma
ESXi Syslog Configuration Change Via ESXCLI
Detects changes to the ESXi syslog configuration via "esxcli"
Quality
100
FP risk
—
Forks
0
Views
0
Rule sourcerules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
title: ESXi Syslog Configuration Change Via ESXCLI
id: 38eb1dbb-011f-40b1-a126-cf03a0210563
status: test
description: Detects changes to the ESXi syslog configuration via "esxcli"
references:
- https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US
- https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
- attack.defense-evasion
- attack.execution
- attack.t1562.001
- attack.t1562.003
- attack.t1059.012
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith: '/esxcli'
CommandLine|contains|all:
- 'system'
- 'syslog'
- 'config'
CommandLine|contains: ' set'
condition: selection
falsepositives:
- Legitimate administrative activities
level: medium