LoFP / Limited false positives in most environments; however, tune as needed. Administrators may use the root account for troubleshooting or initial user creation.

Techniques

Sample rules

ESXi External Root Login Activity

Description

This detection identifies instances where the ESXi UI is accessed as the built-in root account, from a source address outside the loopback and RFC 1918 ranges, rather than as a delegated administrative user. Direct root logins bypass role-based access control and remove per-user attribution from the audit trail, and may indicate risky behaviour, misconfiguration, or unauthorized activity by an actor using compromised credentials. Because the search only excludes 127.0.0.1, 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, management networks on any other range (for example CGNAT 100.64.0.0/10) will match until the filter macro is tuned, and because the source extraction is IPv4-only, root logins from IPv6 addresses are never extracted and so never reported.

Detection logic

`esxi_syslog` Message="*root*" AND Message="*logged in*" 
| rex field=_raw "root@(?<SrcIpAddr>\d{1,3}(?:\.\d{1,3}){3})" 
| rex field=_raw "Z (?<dest>[\w\.]+)\s" 
| search SrcIpAddr != "127.0.0.1" AND SrcIpAddr != 192.168.0.0/16 AND SrcIpAddr != 172.16.0.0/12 AND SrcIpAddr != 10.0.0.0/8 
| stats min(_time) as firstTime max(_time) as lastTime count by dest SrcIpAddr 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `esxi_external_root_login_activity_filter`
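The following is an added example, not part of the original page or of the Splunk security content it describes. It re-implements the detection logic above in Python so it can be run over sample log lines offline: the same `*root*` / `*logged in*` message filter, the same two regexes for `SrcIpAddr` and `dest`, the same loopback and RFC 1918 exclusions, and the `stats min/max/count by dest SrcIpAddr` aggregation. The log lines are constructed (hostnames, addresses and event numbers are invented) and only mimic the `<timestamp>Z <host> ...` prefix and the hostd `User root@<ip> logged in` wording that the page's regexes assume; `_ctime` is a stand-in for `security_content_ctime`, and the exclusion list mirrors the search rather than the filter macro, whose contents are not on the page.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample ESXi syslog lines (not real captures). The layout follows
# an RFC 5424 style "<timestamp>Z <host> ..." prefix and hostd's
# "User <name>@<ip> logged in" event text, which is what the SPL regexes assume.
SAMPLE_LOGS = [
    "2024-05-01T08:00:01Z esxi01.lab.local Hostd: info hostd[2099] Event 41 : User root@10.20.30.40 logged in as VMware-client/6.5.0",
    "2024-05-01T08:05:12Z esxi01.lab.local Hostd: info hostd[2099] Event 42 : User root@203.0.113.7 logged in as VMware-client/6.5.0",
    "2024-05-01T09:15:00Z esxi01.lab.local Hostd: info hostd[2099] Event 57 : User root@203.0.113.7 logged in as VMware-client/6.5.0",
    "2024-05-01T09:20:00Z esxi02.lab.local Hostd: info hostd[2101] Event 12 : User root@127.0.0.1 logged in as hostd-probe",
    "2024-05-01T09:25:00Z esxi02.lab.local Hostd: info hostd[2101] Event 13 : User jdoe@198.51.100.9 logged in as VMware-client/6.5.0",
    "2024-05-01T09:30:00Z esxi02.lab.local Hostd: info hostd[2101] Event 14 : User root@203.0.113.7 logged out",
    "2024-05-01T09:35:00Z esxi02.lab.local Hostd: info hostd[2101] Event 15 : User root@100.64.1.2 logged in as VMware-client/6.5.0",
    "2024-05-01T09:40:00Z esxi02.lab.local Hostd: info hostd[2101] Event 16 : User root@fd00::5 logged in as VMware-client/6.5.0",
]

# The two rex extractions from the SPL, verbatim apart from Python's (?P<...>) syntax.
SRC_RE = re.compile(r"root@(?P<SrcIpAddr>\d{1,3}(?:\.\d{1,3}){3})")
DEST_RE = re.compile(r"Z (?P<dest>[\w\.]+)\s")
# Stand-in for Splunk's _time: the leading RFC 3339 timestamp of the line.
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")

# Exclusions from the `search` stage of the SPL (127.0.0.1 plus the RFC 1918 ranges).
# Anything else, including CGNAT 100.64.0.0/10, is treated as "external".
EXCLUDED_NETS = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.1/32", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8")
]


def is_excluded(src_ip):
    """True when the source address falls inside one of the excluded ranges."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in EXCLUDED_NETS)


def parse_event(line):
    """Apply the Message filter and both rex extractions to one log line.

    Returns None when the line is not a root login, or when either regex fails;
    in Splunk, `SrcIpAddr != ...` likewise drops events that lack the field, so
    an IPv6 source (which the IPv4-only regex never matches) silently disappears.
    Splunk wildcard terms are case-insensitive, hence the lower() before matching.
    """
    text = line.lower()
    if "root" not in text or "logged in" not in text:
        return None
    ts, src, dest = TS_RE.match(line), SRC_RE.search(line), DEST_RE.search(line)
    if not (ts and src and dest):
        return None
    when = datetime.strptime(ts.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return {"_time": when, "dest": dest.group("dest"), "SrcIpAddr": src.group("SrcIpAddr")}


def _ctime(when):
    """Stand-in for `security_content_ctime`: render a timestamp for humans."""
    return when.strftime("%Y-%m-%dT%H:%M:%SZ")


def detect(lines):
    """Equivalent of `stats min(_time) as firstTime max(_time) as lastTime count by dest SrcIpAddr`.

    Returns one row per (dest, SrcIpAddr) pair for external root logins,
    sorted by that pair so results are deterministic.
    """
    buckets = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or is_excluded(ev["SrcIpAddr"]):
            continue
        key = (ev["dest"], ev["SrcIpAddr"])
        first, last, count = buckets.get(key, (ev["_time"], ev["_time"], 0))
        buckets[key] = (min(first, ev["_time"]), max(last, ev["_time"]), count + 1)
    return [
        {"dest": d, "SrcIpAddr": s, "firstTime": _ctime(f), "lastTime": _ctime(l), "count": c}
        for (d, s), (f, l, c) in sorted(buckets.items())
    ]


if __name__ == "__main__":
    for row in detect(SAMPLE_LOGS):
        print(row)
```

Running it on the constructed lines yields two rows: two root logins to esxi01.lab.local from 203.0.113.7, and one to esxi02.lab.local from 100.64.1.2. The 10.20.30.40 and 127.0.0.1 logins are excluded, the "logged out" and non-root lines never pass the message filter, and the fd00::5 login is dropped because the source regex is IPv4-only, which is exactly the gap a practitioner should account for when tuning the search or its filter macro.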