Detectionhightest

ESXi Admin Permission Assigned To Account Via ESXCLI

Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Nasreddine Bencherchali (Nextron Systems)Created Mon Sep 049691f58d-92c1-4416-8bf3-2edd753ec9cflinux

Log Source

LinuxProcess Creation

ProductLinux← raw: linux

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'system'
        CommandLine|contains|all:
            - ' permission '
            - ' set'
            - 'Admin'
    condition: selection

False Positives

Legitimate administration activities

References

Resolving title…

developer.broadcom.com

MITRE ATT&CK

Tactics

TA0003 · Persistence TA0002 · Execution TA0004 · Privilege Escalation

Techniques

T1098 · Account Manipulation

Other

attack.t1059.012

Rule Metadata

Rule ID

9691f58d-92c1-4416-8bf3-2edd753ec9cf

Status

test

Level

high

Type

Detection

Created

Mon Sep 04

Author

Nasreddine Bencherchali (Nextron Systems)

Path

rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml

Raw Tags

attack.persistenceattack.executionattack.privilege-escalationattack.t1059.012attack.t1098

View on GitHub