The creation of new local accounts on ESXi hosts is rare in most environments. Tune as needed.

Techniques

Sample rules

ESXi Account Modified

Description

This detection identifies the creation, deletion, or modification of a local user account on an ESXi host (the `esxcli system account add`, `remove`, and `set` subcommands, which take the target account as `-i`/`--id`). Such activity may indicate unauthorized access, indicator removal, or a persistence attempt by an attacker seeking to establish or maintain control of the host.

Detection logic

`esxi_syslog` Message="*esxcli system account*" Message IN ("*-i *","*--id*") NOT Message="*[shell*" 
| rex field=_raw "Z (?<dest>[\w\.]+)\s.*: \[(?<initial_user>\w+)]:\s.+-i[d]*\s(?<modified_user>[\w_\-0-9]+)" 
| stats min(_time) as firstTime max(_time) as lastTime count by dest initial_user modified_user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `esxi_account_modified_filter`
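As an added example, not part of the original rule or of the Splunk Security Content project, the following Python replays the search's three stages (the `Message` pre-filter, the `rex` extraction and the `stats ... by dest initial_user modified_user` aggregation) over a handful of constructed ESXi shell.log-style lines. The regex is the rule's own, transcribed to Python's `(?P<name>...)` group syntax. The line layout, hostnames, PIDs and usernames are assumptions shaped to what that regex expects (a UTC `Z` timestamp, the host, then a `[user]: command` body); the `esxi_syslog`, `security_content_ctime` and `esxi_account_modified_filter` macros are not reproduced.

```python
import re
from datetime import datetime

# The rex from the rule's second stage, with Splunk's (?<name>...) groups written
# in Python's (?P<name>...) syntax. Everything else is unchanged.
EVENT_RE = re.compile(
    r"Z (?P<dest>[\w\.]+)\s.*: \[(?P<initial_user>\w+)]:\s.+-i[d]*\s(?P<modified_user>[\w_\-0-9]+)"
)

# Constructed sample events (not real logs). The layout is an assumption: a UTC 'Z'
# timestamp, the host, then a shell.log-style "[user]: command" body, which is the
# shape the rex above requires. Line 5 exists only to exercise the "[shell" exclusion.
SAMPLE_LOG = [
    "2024-05-01T12:00:01Z esxi01.example.com shell[2102234]: [root]: esxcli system account add -i svc_backup -p Passw0rd! -c Passw0rd!",
    "2024-05-01T12:03:09Z esxi01.example.com shell[2102234]: [root]: esxcli system account set --id svc_backup -p N3wPass! -c N3wPass!",
    "2024-05-01T12:05:30Z esxi02.example.com shell[2102301]: [root]: esxcli system account remove -i olduser",
    "2024-05-01T12:06:00Z esxi02.example.com shell[2102301]: [root]: esxcli system account list",
    "2024-05-01T12:07:00Z esxi02.example.com shell[2102301]: [shell]: esxcli system account add -i scratch -p x -c x",
    "2024-05-01T12:09:00Z esxi03.example.com shell[2105555]: [vmadmin]: esxcli system account set -i root -p R00t! -c R00t!",
    "2024-05-01T12:10:15Z esxi01.example.com shell[2102234]: [root]: esxcli system account add -i svc_backup -p Passw0rd! -c Passw0rd!",
]


def passes_prefilter(message: str) -> bool:
    """The three Message=... conditions of the first search stage."""
    return (
        "esxcli system account" in message
        and ("-i " in message or "--id" in message)
        and "[shell" not in message
    )


def parse_event(raw: str):
    """Apply the pre-filter and the rex; return the extracted fields plus _time, or None."""
    if not passes_prefilter(raw):
        return None
    m = EVENT_RE.search(raw)
    if m is None:
        return None
    # _time: the first token is the ISO-8601 UTC timestamp (assumed layout).
    ts = raw.split(" ", 1)[0].replace("Z", "+00:00")
    fields = m.groupdict()
    fields["_time"] = datetime.fromisoformat(ts)
    return fields


def aggregate(lines):
    """stats min(_time) as firstTime max(_time) as lastTime count by dest initial_user modified_user"""
    rows = {}
    for raw in lines:
        ev = parse_event(raw)
        if ev is None:
            continue
        key = (ev["dest"], ev["initial_user"], ev["modified_user"])
        row = rows.setdefault(key, {"firstTime": ev["_time"], "lastTime": ev["_time"], "count": 0})
        row["firstTime"] = min(row["firstTime"], ev["_time"])
        row["lastTime"] = max(row["lastTime"], ev["_time"])
        row["count"] += 1
    return rows


if __name__ == "__main__":
    for (dest, who, target), row in aggregate(SAMPLE_LOG).items():
        print(f"{dest}  {who} -> {target}  count={row['count']}  "
              f"first={row['firstTime'].isoformat()}  last={row['lastTime'].isoformat()}")
```

Run against the sample, `esxcli system account list` drops out at the pre-filter (no `-i ` or `--id`), the `[shell]` line is excluded by the `NOT Message="*[shell*"` clause, and the three `svc_backup` events collapse into one row with `count=3` spanning the first and last timestamps. One caveat worth keeping in mind when triaging: the `.+` before `-i` in the rex is greedy, so `modified_user` is bound to the last `-i`/`--id` token on the line; an argument placed later on the line that happens to contain `-i ` would shift the extracted name, so keep the raw Message next to the stats output rather than relying on the extracted field alone.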