Techniques
Sample rules
ESXi VIB Acceptance Level Tampering
- source: splunk
- techniques:
- T1562
Description
This detection identifies changes to the VIB (vSphere Installation Bundle) acceptance level on an ESXi host made from the ESXi shell with `esxcli software acceptance set`. ESXi refuses to install a VIB whose own acceptance level is lower than the host's, so lowering the host level, in particular to CommunitySupported (the least restrictive level, which requires no VMware or partner signature), weakens the host's integrity enforcement and allows unsigned or unverified software to be installed. The search keys on shell log entries, so the user and command fields are the ones the ESXi shell recorded.
Detection logic
`esxi_syslog` Message="*esxcli software acceptance set*" Message="*shell*"
| rex field=_raw "\]: \[(?<user>\w+)\]:(?<command>.+)"
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| stats min(_time) as firstTime max(_time) as lastTime count by dest user command
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_vib_acceptance_level_tampering_filter`
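To see what the search above actually yields, here is an added Python port of it run over constructed ESXi shell.log lines. This is example code, not Splunk's content or the `esxi_syslog` data source: the sample lines are made up, the `esxi_vib_acceptance_level_tampering_filter` macro is treated as an empty filter, and the two `rex` patterns are used verbatim. It also reproduces a property of `stats ... by dest user command` worth knowing: events where any by-field is null are left out of the result, and the `dest` regex `Z (?<dest>[\w\.]+)\s` cannot match a hostname that contains a hyphen, so such hosts silently drop out of the detection.

```python
import re
from datetime import datetime, timezone

# Constructed sample shell.log lines (not real captures). Host esxi01 has a
# benign "get", two CommunitySupported "set" commands by root and one
# PartnerSupported "set" by another user; host esxi-02 has a hyphenated name.
SAMPLE_LOGS = [
    "2024-03-01T09:15:02Z esxi01.lab.example shell[2001]: [root]: esxcli software acceptance get",
    "2024-03-01T09:15:40Z esxi01.lab.example shell[2001]: [root]: esxcli software acceptance set --level=CommunitySupported",
    "2024-03-01T09:16:05Z esxi01.lab.example shell[2001]: [root]: esxcli software acceptance set --level=CommunitySupported",
    "2024-03-01T09:17:30Z esxi01.lab.example shell[2002]: [admin]: esxcli software acceptance set --level=PartnerSupported",
    "2024-03-01T10:02:11Z esxi-02 shell[3100]: [root]: esxcli software acceptance set --level=CommunitySupported",
]

# The two rex extractions from the search, unchanged apart from Python's (?P<name>) syntax.
USER_CMD_RE = re.compile(r"\]: \[(?P<user>\w+)\]:(?P<command>.+)")
DEST_RE = re.compile(r"Z (?P<dest>[\w\.]+)\s")
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # constructed lines use whole-second UTC timestamps


def matches_search(line):
    """Equivalent of Message="*esxcli software acceptance set*" Message="*shell*"."""
    return "esxcli software acceptance set" in line and "shell" in line


def parse_event(line):
    """Apply both rex extractions; dest is None when the hostname regex fails
    (e.g. the hostname contains '-', which [\\w\\.]+ does not accept)."""
    m = USER_CMD_RE.search(line)
    if not m:
        return None
    d = DEST_RE.search(line)
    ts = datetime.strptime(line.split(" ", 1)[0], TIME_FMT).replace(tzinfo=timezone.utc)
    return {
        "_time": ts,
        "dest": d.group("dest") if d else None,
        "user": m.group("user"),
        # The SPL keeps the leading space captured by (?<command>.+); trimmed here for readability.
        "command": m.group("command").strip(),
    }


def run_detection(lines):
    """stats min(_time) as firstTime max(_time) as lastTime count by dest user command.

    Returns (rows, dropped): rows keyed by (dest, user, command); dropped holds
    matching events that stats would exclude because a by-field is null.
    """
    rows, dropped = {}, []
    for line in lines:
        if not matches_search(line):
            continue
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["dest"] is None:  # null by-field: stats silently omits the event
            dropped.append(ev)
            continue
        key = (ev["dest"], ev["user"], ev["command"])
        row = rows.setdefault(key, {"firstTime": ev["_time"], "lastTime": ev["_time"], "count": 0})
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
        row["count"] += 1
    return rows, dropped


if __name__ == "__main__":
    rows, dropped = run_detection(SAMPLE_LOGS)
    for (dest, user, command), r in rows.items():
        print(f"{dest:20} {user:6} {r['count']:3} {r['firstTime']:%H:%M:%S}-{r['lastTime']:%H:%M:%S} {command}")
    for ev in dropped:
        print("DROPPED (dest not extracted):", ev["user"], ev["command"])
```

Running it produces two rows for esxi01.lab.example (root with count 2, admin with count 1) and reports the esxi-02 event as dropped. If your ESXi hostnames contain hyphens, widen the `dest` character class (for example `[\w\.\-]+`) before relying on the `dest` field for alerting or for the filter macro.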