Sample rules
ESXi SSH Enabled
- source: splunk
- techniques:
  - T1021.004
Description
This detection identifies SSH being enabled on ESXi hosts, which can be an early indicator of malicious activity. Threat actors often use SSH to gain persistent remote access after compromising credentials or exploiting vulnerabilities.
Detection logic
`esxi_syslog` Message="*SSH access has been enabled"
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| stats min(_time) as firstTime max(_time) as lastTime count by dest Message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_ssh_enabled_filter`
ESXi Shell Access Enabled
- source: splunk
- techniques:
  - T1021
Description
This detection identifies when the ESXi Shell is enabled on a host, which may indicate that a malicious actor is preparing to execute commands locally or establish persistent access. Enabling the shell outside of approved maintenance windows can be a sign of compromise or unauthorized administrative activity.
Detection logic
`esxi_syslog` Message="*ESXi Shell*" Message="*has been enabled*"
| rex field=_raw "'(?<user>\w+)@"
| rex field=_raw "Z (?<dest>[\w\.]+)\s"
| stats min(_time) as firstTime max(_time) as lastTime count by dest user Message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `esxi_shell_access_enabled_filter`
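The two searches above share the same shape: a wildcard filter on Message, a `rex` that pulls the host name from the text after the ISO-8601 timestamp (and, for the shell rule, the user from `'user@`), then `stats min/max/count by dest user`. The following added example (not part of the original rule content) replays that logic in Python over constructed ESXi syslog lines, so the regexes and the grouping can be checked offline before the saved searches are deployed; the message wording and hostnames are invented, and the Message field is approximated by matching the raw line.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not real telemetry): hostname follows the "Z" of the
# timestamp, as the page's rex `Z (?<dest>[\w\.]+)\s` expects.
SAMPLE_LOGS = [
    "2024-05-01T10:15:02Z esxi01.corp.example Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 201 : SSH access has been enabled",
    "2024-05-01T10:17:44Z esxi01.corp.example Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 202 : SSH access has been enabled",
    "2024-05-01T10:20:11Z esxi02.corp.example Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 210 : ESXi Shell for the host has been enabled for 'root@10.0.0.5'",
    "2024-05-01T10:21:00Z esxi02.corp.example Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] Event 211 : ESXi Shell for the host has been disabled",
]

# The page's rex patterns, in Python named-group syntax.
DEST_RE = re.compile(r"Z (?P<dest>[\w\.]+)\s")
USER_RE = re.compile(r"'(?P<user>\w+)@")
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")


def match_rule(line):
    """Return the rule whose Message filter the line satisfies, or None."""
    if line.endswith("SSH access has been enabled"):          # Message="*SSH access has been enabled"
        return "ESXi SSH Enabled"
    if "ESXi Shell" in line and "has been enabled" in line:   # Message="*ESXi Shell*" Message="*has been enabled*"
        return "ESXi Shell Access Enabled"
    return None


def run_detections(lines):
    """Mimic `stats min(_time) as firstTime max(_time) as lastTime count by dest user`.

    The rule name stands in for the Message group-by field. Returns a dict
    keyed by (rule, dest, user); user is None when the line has no 'user@ token.
    """
    results = {}
    for line in lines:
        rule = match_rule(line)
        if rule is None:
            continue
        ts = TS_RE.match(line)
        dest = DEST_RE.search(line)
        user = USER_RE.search(line)
        key = (rule,
               dest.group("dest") if dest else None,
               user.group("user") if user else None)
        t = datetime.strptime(ts.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        r = results.setdefault(key, {"firstTime": t, "lastTime": t, "count": 0})
        r["firstTime"] = min(r["firstTime"], t)
        r["lastTime"] = max(r["lastTime"], t)
        r["count"] += 1
    return results
```

A host that appears with a count above its usual maintenance-window baseline, or a shell enable attributed to an unexpected user, is what the `*_filter` macros are meant to leave in place while known-good administrative hosts are suppressed.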