Expand ESXi Detections with ESXCli & VIM-CMD Detections #5087
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
Rules
Linux
frack113
reviewed
Nov 29, 2024
rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml
Outdated
Show resolved
Hide resolved
rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml
Outdated
Show resolved
Hide resolved
frack113
added
the
Author Input Required
…_disable.yml Co-authored-by: frack113 <[email protected]>
…_default_action_changed.yml change from false to true, opps! Co-authored-by: frack113 <[email protected]>
|
@frack113 pushed requested modifications, let me know if there's anything else. Thanks! |
frack113
removed
the
Author Input Required
frack113
approved these changes
Dec 2, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary of the Pull Request
This PR adds 7 new process creation detections focused on the the usage of built-in administrative tools in an ESXi system. These detections were developed and tested using ESXi v7.0 and log artifacts were collected from the built-in ESXi
/var/log/shell.logfile.Changelog
new: ESXi VM Snapshots Deleted via VIM-CMD
new: SSH Enable on ESXi Host via VIM-CMD
new: ESXi VM Autostart Disabled via VIM-CMD
new: ESXi VM Powered Off via VIM-CMD
new: ESXi System Information Discovery via VIM-CMD
new: ESXi Firewall Default Action Set to Pass
new: ESXi Firewall Disabled via ESXCLI
Example Log Event
ESXi VM Snapshots Deleted via VIM-CMD
Note: Any number of spaces can be present between
snapshot.removealland the VM id.SSH Enable on ESXi Host via VIM-CMD
ESXi VM Autostart Disabled via VIM-CMD
Note: There can be any number of spaces between
enable_autostartand either0orfalseESXi VM Powered Off via VIM-CMD
Note: There can be any number of spaces between
power.offand the VM ID.ESXi System Information Discovery via VIM-CMD
ESXi Firewall Default Action Set to Pass
Note:
--default-action=falseand--default-action falseare valid.Note: Any number of spaces can be present between
-d|--default-actionandfalseand the command will still be valid.ESXi Firewall Disabled via ESXCLI
Note: Any number of spaces can be present between
-e|--enableandfalseFixed Issues
SigmaHQ Rule Creation Conventions