Sample rules
ESXi Download Errors
- source: splunk
- techniques:
- T1601.001
- T1562.001
Description
This detection identifies failed file download attempts on ESXi hosts by looking for specific error messages in the system logs. These failures may indicate unauthorized or malicious attempts to install or update components, such as VIBs or scripts.
Detection logic
`esxi_syslog` Message IN ("*Download failed*", "*Failed to download file*", "*File download error*", "*Could not download*")
| rex field=_raw "Z (?<dest>[\w\.]*)\s"
| stats min(_time) as firstTime max(_time) as lastTime count by dest Message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_download_errors_filter`
ESXi Encryption Settings Modified
- source: splunk
- techniques:
- T1562
Description
Detects the disabling of critical encryption enforcement settings on an ESXi host, such as secure boot or executable verification requirements, which may indicate an attempt to weaken hypervisor integrity or allow unauthorized code execution.
Detection logic
`esxi_syslog` Message="*system settings encryption set*" NOT Message="*shell.*" Message IN ("* -s *", "* -e *", "*--require-secure-boot*", "*require-exec-installed-only*", "*execInstalledOnly*")
| rex field=_raw "Z (?<dest>[\w\.]*)\s.*\]: \[(?<user>\w+)\]:(?<command>.+)"
| stats min(_time) as firstTime max(_time) as lastTime count by dest user command
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_encryption_settings_modified_filter`
ESXi Reverse Shell Patterns
- source: splunk
- techniques:
- T1059
Description
This detection looks for reverse shell string patterns on an ESXi host, which may indicate that a threat actor is attempting to establish remote control over the system.
Detection logic
`esxi_syslog` Message IN ("*bash -i >&*","*/dev/tcp/*","*/dev/udp/*", "*/socat exec:*","*socket(S,PF_INET*") OR (Message="*python -c*" AND Message="*import socket*")
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| stats min(_time) as firstTime max(_time) as lastTime count by dest Message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_reverse_shell_patterns_filter`
ESXi Lockdown Mode Disabled
- source: splunk
- techniques:
- T1562
Description
This detection identifies when Lockdown Mode is disabled on an ESXi host, which can indicate that a threat actor is attempting to weaken host security controls. Disabling Lockdown Mode allows broader remote access via SSH or the host client and may precede further malicious actions such as data exfiltration, lateral movement, or VM tampering.
Detection logic
`esxi_syslog` Message IN ("*lockdownmode.disabled*", "*Administrator access to the host has been enabled*")
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| stats min(_time) as firstTime max(_time) as lastTime count by dest Message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_lockdown_mode_disabled_filter`
ESXi Bulk VM Termination
- source: splunk
- techniques:
- T1673
- T1529
- T1499
Description
This detection identifies when all virtual machines on an ESXi host are abruptly terminated, which may indicate malicious activity such as a deliberate denial-of-service, ransomware staging, or an attempt to destroy critical workloads.
Detection logic
`esxi_syslog`
| rex field=_raw "\s\[(?<user>[^\]]+)\]:\s(?<shell_command>.+)$"
| rex field=_raw "Z (?<dest>[\w\.]+)\s.*:\s(?<esxicli_Command>esxcli\s.+)"
| eval command=mvappend(esxicli_Command, shell_command)
| where isnotnull(command)
| search (command="pkill -9 vmx-*") OR ( command="*esxcli*" AND command="*--format-param*" AND command="*vm process list*" AND command="*awk*" AND command="*esxcli vm process kill*")
| stats min(_time) as firstTime max(_time) as lastTime values(_time) as timeStamp values(command) as commands values(user) as user by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_bulk_vm_termination_filter`
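The Python script below is an added example, not part of the rule set above or of Splunk's security content. It runs the Bulk VM Termination logic outside Splunk: it extracts `dest`, `user` and `command` with regexes adapted from the rule's `rex` stages, translates the rule's SPL wildcard matches (`*` as any run of characters, case-insensitive) into regexes, and groups hits per host the way `stats ... by dest` does. The log lines are constructed to fit the rule's patterns; the host names, process names and the `<params>`/`<args>` placeholders are assumptions, not captured ESXi output.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines shaped to fit the rule's rex patterns (timestamp
# ending in Z, host name, process[pid]: [user]: command). They are not captured
# ESXi output; real shell/esxcli audit lines may be formatted differently.
SAMPLE_LOGS = [
    "2025-05-01T10:00:01.000Z esxi01.lab.local shell[2103456]: [root]: pkill -9 vmx-*",
    "2025-05-01T10:00:02.000Z esxi01.lab.local shell[2103456]: [root]: esxcli vm process list "
    "--format-param=<params> | awk '<world-id filter>' | esxcli vm process kill <args>",
    "2025-05-01T10:00:03.000Z esxi02.lab.local shell[88]: [ops]: esxcli vm process list",
    "2025-05-01T10:00:04.000Z esxi02.lab.local hostd[77]: Event 1234 : VM powered on",
]

TS_DEST = re.compile(r"^(?P<ts>\S+Z) (?P<dest>[\w.]+)\s")
# Adapted from the rule's user/command rex: take the "[user]: command" that
# follows the "process[pid]:" prefix, so the pid is not mistaken for the user.
USER_CMD = re.compile(r"\]:\s\[(?P<user>[^\]]+)\]:\s(?P<command>.+)$")


def spl_wildcard(pattern):
    """Translate an SPL value match such as "*esxcli*" into a regex. In SPL
    '*' matches any run of characters and comparison is case-insensitive;
    everything else is literal, so it is escaped."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


# The rule's search clause: a single pkill pattern, or every token of the
# list-then-kill pipeline present in the same command.
PKILL = spl_wildcard("pkill -9 vmx-*")
PIPELINE = [spl_wildcard(p) for p in
            ("*esxcli*", "*--format-param*", "*vm process list*", "*awk*",
             "*esxcli vm process kill*")]


def parse_event(line):
    """Return dict(time, dest, user, command), or None when a field is missing."""
    m = TS_DEST.match(line)
    c = USER_CMD.search(line)
    if not m or not c:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {"time": ts.timestamp(), "dest": m["dest"], "user": c["user"], "command": c["command"]}


def is_bulk_termination(command):
    return bool(PKILL.match(command)) or all(p.match(command) for p in PIPELINE)


def detect_bulk_vm_termination(lines):
    """Mirror the rule's `stats ... by dest`: one row per host with the
    matching commands, the users that ran them and first/last timestamps."""
    rows = defaultdict(lambda: {"commands": [], "users": set(),
                                "firstTime": None, "lastTime": None})
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_bulk_termination(ev["command"]):
            continue
        row = rows[ev["dest"]]
        row["commands"].append(ev["command"])
        row["users"].add(ev["user"])
        row["firstTime"] = ev["time"] if row["firstTime"] is None else min(row["firstTime"], ev["time"])
        row["lastTime"] = ev["time"] if row["lastTime"] is None else max(row["lastTime"], ev["time"])
    return dict(rows)


if __name__ == "__main__":
    for dest, row in detect_bulk_vm_termination(SAMPLE_LOGS).items():
        print(dest, sorted(row["users"]), row["commands"])
```

Only `esxi01.lab.local` is reported: the plain `esxcli vm process list` on `esxi02` lacks the other pipeline tokens, and the hostd line carries no `[user]:` prefix. Keeping the pid-aware `USER_CMD` regex matters because a leftmost `\[([^\]]+)\]:` match, as in the rule's first `rex`, would capture the pid instead of the user on lines of this shape.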
ESXi SSH Brute Force
- source: splunk
- techniques:
- T1110
Description
This detection identifies signs of SSH brute-force attacks by monitoring for a high number of failed login attempts within a short time frame. Such activity may indicate an attacker attempting to gain unauthorized access through password guessing.
Detection logic
`esxi_syslog` Message="*Authentication failure for*"
| rex "for (?<user>[\w]+) from (?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| bin _time span=5m
| stats min(_time) as firstTime max(_time) as lastTime count by user, src_ip, dest
| where count > 10
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_ssh_brute_force_filter`
ESXi Firewall Disabled
- source: splunk
- techniques:
- T1562.004
Description
This detection identifies when the ESXi firewall is disabled or set to permissive mode, which can expose the host to unauthorized access and network-based attacks. Such changes are often a precursor to lateral movement, data exfiltration, or the installation of malicious software by a threat actor.
Detection logic
`esxi_syslog` Message="*network firewall set*" AND Message="*enabled f*"
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| stats min(_time) as firstTime max(_time) as lastTime count by dest Message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_firewall_disabled_filter`
ESXi Audit Tampering
- source: splunk
- techniques:
- T1562.003
- T1070
Description
This detection identifies the use of the esxcli system auditrecords commands, which can be used to tamper with logging on an ESXi host. This action may indicate an attempt to evade detection or hinder forensic analysis by preventing the recording of system-level audit events.
Detection logic
`esxi_syslog` Message="*esxcli system auditrecords*" Message IN ("*remote*","*local*") NOT Message = "*[shell*"
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| rex field=_raw "[\w+]\]: (?<full_command>.*)"
| rex field=full_command "\[(?<user>.*)]:\s(?<command>.*)"
| stats min(_time) as firstTime max(_time) as lastTime count by dest user command
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_audit_tampering_filter`
ESXi Shared or Stolen Root Account
- source: splunk
- techniques:
- T1078
Description
This detection monitors for signs of a shared or potentially compromised root account on ESXi hosts by tracking the number of unique IP addresses logging in as root within a short time window. Multiple logins from different IPs in a brief period may indicate credential misuse, lateral movement, or account compromise.
Detection logic
`esxi_syslog` Message="*root*" Message="*logged in*" NOT Message="*root@127.0.0.1*"
| rex field=_raw "root@(?<SrcIpAddr>\d{1,3}(?:\.\d{1,3}){3})"
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| bin _time span=15m
| stats min(_time) as firstTime max(_time) as lastTime dc(SrcIpAddr) AS distinct_ip_count values(SrcIpAddr) AS SrcIps by dest
| where distinct_ip_count > 1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_shared_or_stolen_root_account_filter`
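The two windowed rules above (ESXi SSH Brute Force and ESXi Shared or Stolen Root Account) share one mechanism: `bin _time span=...` floors every event into a fixed, epoch-aligned bucket, and `stats` then counts or deduplicates inside each bucket. The Python below is an added example, not part of the rule set or of Splunk's content, that reproduces both rules over constructed log lines. The line format, host names and addresses are assumptions chosen to fit the rules' `rex` patterns, not captured ESXi output.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

TS_DEST = re.compile(r"^(?P<ts>\S+Z) (?P<dest>[\w.]+)\s")
# Same captures as the two rules' rex stages.
SSH_FAIL = re.compile(r"Authentication failure for (?P<user>\w+) from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})")
ROOT_LOGIN = re.compile(r"root@(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})")

BASE = datetime(2025, 5, 1, 10, 0, 0, tzinfo=timezone.utc)


def make_line(offset_s, dest, message):
    """Build a constructed syslog line: ISO timestamp ending in Z, host, message."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S") + ".000Z"
    return f"{ts} {dest} {message}"


# Constructed sample: 12 failures for root from one source within five minutes,
# 3 for another account, then root logins from two different addresses on
# esxi01 (plus a loopback login the rule excludes) and one address on esxi02.
SAMPLE_LOGS = (
    [make_line(10 * i, "esxi01.lab.local",
               "sshd[1001]: Authentication failure for root from 10.0.0.5") for i in range(12)]
    + [make_line(5 + 10 * i, "esxi01.lab.local",
                 "sshd[1002]: Authentication failure for admin from 10.0.0.6") for i in range(3)]
    + [make_line(200, "esxi01.lab.local", "Hostd: User root@10.0.0.5 logged in"),
       make_line(400, "esxi01.lab.local", "Hostd: User root@10.0.0.9 logged in"),
       make_line(410, "esxi01.lab.local", "Hostd: User root@127.0.0.1 logged in"),
       make_line(420, "esxi02.lab.local", "Hostd: User root@10.0.0.5 logged in")]
)


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc).timestamp()


def bin_time(epoch, span_s):
    """SPL `bin _time span=...`: floor the timestamp to a fixed, epoch-aligned bucket."""
    return int(epoch // span_s) * span_s


def ssh_brute_force(lines, span_s=300, threshold=10):
    """ESXi SSH Brute Force: failures per (bucket, user, src_ip, dest), keep count > threshold."""
    counts = Counter()
    for line in lines:
        m, f = TS_DEST.match(line), SSH_FAIL.search(line)
        if m and f:
            counts[(bin_time(parse_ts(m["ts"]), span_s), f["user"], f["src_ip"], m["dest"])] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def shared_root(lines, span_s=900):
    """ESXi Shared or Stolen Root Account: distinct root login sources per (bucket, dest), keep dc > 1."""
    sources = defaultdict(set)
    for line in lines:
        low = line.lower()  # SPL value matches are case-insensitive
        if "root" not in low or "logged in" not in low or "root@127.0.0.1" in low:
            continue
        m, r = TS_DEST.match(line), ROOT_LOGIN.search(line)
        if m and r:
            sources[(bin_time(parse_ts(m["ts"]), span_s), m["dest"])].add(r["src_ip"])
    return {key: sorted(ips) for key, ips in sources.items() if len(ips) > 1}


if __name__ == "__main__":
    print(ssh_brute_force(SAMPLE_LOGS))
    print(shared_root(SAMPLE_LOGS))
```

Because the buckets are fixed rather than sliding, a burst that straddles a 5-minute boundary is split across two rows and can stay under the `count > 10` threshold in each; if that matters for an environment, a sliding window over the sorted event times is the stricter alternative to `bin`.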
ESXi Syslog Config Change
- source: splunk
- techniques:
- T1562.003
Description
This detection identifies changes to the syslog configuration on an ESXi host using esxcli, which may indicate an attempt to disrupt log collection and evade detection.
Detection logic
`esxi_syslog` Message="*syslog config set*" AND Message="*esxcli*"
| rex field=_raw "\].*\[\s*(?P<user>[^\]]+)\]:\s(?P<command>.+)"
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| stats min(_time) as firstTime max(_time) as lastTime count by dest user command
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_syslog_config_change_filter`
ESXi System Clock Manipulation
- source: splunk
- techniques:
- T1070.006
Description
This detection identifies a significant change to the system clock on an ESXi host, which may indicate an attempt to manipulate timestamps and evade detection or forensic analysis.
Detection logic
`esxi_syslog` Message="*NTPClock*" AND Message="*system clock stepped*"
| rex field=_raw "stepped to (?<epoch_time>\d+\.\d+),.+delta\s(?<delta>\d+)\s"
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| eval epoch_time=tonumber(epoch_time)
| eval delta=tonumber(delta)
| eval event_time=round(_time, 0)
| eval direction=if(epoch_time < event_time, "backward", "forward")
| eval original_time=if(direction=="backward", epoch_time + delta, epoch_time - delta)
| eval stepped_to_str=strftime(epoch_time, "%Y-%m-%d %H:%M:%S")
| eval original_time_str=strftime(original_time, "%Y-%m-%d %H:%M:%S")
| stats min(_time) as firstTime max(_time) as lastTime count by dest direction original_time_str stepped_to_str epoch_time delta
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_system_clock_manipulation_filter`
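The `eval` chain in this rule derives the step direction and reconstructs the pre-step time from the two captured numbers: if the new epoch value is below the event's own timestamp the clock went backward and the original time is `epoch_time + delta`, otherwise it went forward and the original time is `epoch_time - delta`. The Python below is an added example, not part of the rule set or of Splunk's content, that carries that arithmetic through on constructed lines. The line format and the `min_delta_s` knob for ignoring small NTP corrections are assumptions; the rule itself has no threshold and Splunk's `strftime` renders in the search time zone, whereas this code formats in UTC.

```python
import re
from datetime import datetime, timezone

TS_DEST = re.compile(r"^(?P<ts>\S+Z) (?P<dest>[\w.]+)\s")
# Same capture groups as the rule's rex: the new epoch value and the step size.
STEP = re.compile(r"stepped to (?P<epoch_time>\d+\.\d+),.+delta\s(?P<delta>\d+)\s")

# Constructed sample lines shaped to match the rule, not captured ESXi output.
# Line 1: clock set back exactly 365 days from the event's own timestamp.
# Line 2: clock moved forward one hour.
# Line 3: an NTPClock message that is not a step, which the rule ignores.
SAMPLE_LOGS = [
    "2025-05-01T10:00:00.000Z esxi01.lab.local ntpd[4242]: NTPClock: system clock stepped to 1714557600.000000, delta 31536000 s",
    "2025-05-01T11:00:00.000Z esxi02.lab.local ntpd[4242]: NTPClock: system clock stepped to 1746100800.000000, delta 3600 s",
    "2025-05-01T11:05:00.000Z esxi02.lab.local ntpd[4242]: NTPClock: synchronized to 10.0.0.1",
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc).timestamp()


def fmt(epoch):
    """Counterpart of the rule's strftime(..., "%Y-%m-%d %H:%M:%S"), rendered in UTC."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def analyze_clock_step(line, min_delta_s=0):
    """Apply the rule's search filter and eval chain to one line.
    min_delta_s is an added tuning knob (assumed, not in the rule) that drops
    steps smaller than the given number of seconds."""
    if "NTPClock" not in line or "system clock stepped" not in line:
        return None
    m, s = TS_DEST.match(line), STEP.search(line)
    if not m or not s:
        return None
    event_time = round(parse_ts(m["ts"]))            # eval event_time=round(_time, 0)
    epoch_time = float(s["epoch_time"])              # eval epoch_time=tonumber(epoch_time)
    delta = int(s["delta"])                          # eval delta=tonumber(delta)
    if delta < min_delta_s:
        return None
    direction = "backward" if epoch_time < event_time else "forward"
    original_time = epoch_time + delta if direction == "backward" else epoch_time - delta
    return {
        "dest": m["dest"],
        "direction": direction,
        "delta": delta,
        "stepped_to_str": fmt(epoch_time),
        "original_time_str": fmt(original_time),
    }


def detect_clock_manipulation(lines, min_delta_s=0):
    """One row per stepped-clock event, in input order."""
    return [row for row in (analyze_clock_step(l, min_delta_s) for l in lines) if row]


if __name__ == "__main__":
    for row in detect_clock_manipulation(SAMPLE_LOGS):
        print(row)
```

On the first line the reconstructed `original_time_str` lands back on the event's own timestamp (2025-05-01 10:00:00) while `stepped_to_str` reads 2024-05-01 10:00:00, which is exactly the kind of row an analyst wants to see side by side; with `min_delta_s=86400` the one-hour step on the second line drops out and only the year-long step remains.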
ESXi Loghost Config Tampering
- source: splunk
- techniques:
- T1562
Description
This detection identifies changes to the syslog loghost configuration on an ESXi host, which may indicate an attempt to disrupt log forwarding and evade detection.
Detection logic
`esxi_syslog` Message="*Set called with key*" AND Message IN ("*Syslog.global.logHost*","*Syslog.global.logdir*")
| rex field=_raw "key '(?<key>[^']+)', value '\"(?<value>[^\"]+)\"'"
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| stats min(_time) as firstTime max(_time) as lastTime count by dest key value
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_loghost_config_tampering_filter`