Expand ESXi Detections with ESXCli & VIM-CMD Detections

rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_default_action_changed.yml

@@ -0,0 +1,30 @@
+title: ESXi Firewall Default Action Set to Pass
+id: e0f2e697-0352-49a3-b488-11b3dcf1c9fd
+status: experimental
+description: Detects when the ESXi firewall default action is set to PASS instead of DROP.
+references:
+    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
+    - https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/
+author: Nathan Burns
+date: 2024-11-20
+tags:
+    - attack.t1562.004
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/esxcli'
+        CommandLine|contains|all:
+            - 'network'
+            - 'firewall'
+            - 'set'
+            - 'true'
+    selection_default_action_switch:
+        CommandLine|contains:
+            - '--default-action'
+            - '-d'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate system administration actions
+level: high

rules/linux/process_creation/proc_creation_lnx_esxcli_firewall_disable.yml

@@ -0,0 +1,30 @@
+title: ESXi Firewall Disabled via ESXCLI
+id: 18fba7a0-8f63-49d3-9fc4-6192fe34793c
+status: experimental
+description: Detects when the ESXi firewall is disabled via esxcli.
+references:
+    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html
+    - https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/
+author: Nathan Burns
+date: 2024-11-20
+tags:
+    - attack.t1562.004
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/esxcli'
+        CommandLine|contains|all:
+            - 'network'
+            - 'firewall'
+            - 'set'
+            - 'false'
+    selection_enable_switch:
+        CommandLine|contains:
+            - '--enabled'
+            - '-e'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate system administration actions
+level: high

rules/linux/process_creation/proc_creation_lnx_vim_cmd_delete_snapshots.yml

@@ -0,0 +1,21 @@
+title: ESXi VM Snapshots Deleted via VIM-CMD
+id: c50a1afa-ce52-4ea2-9697-1b6d89e83c9a
+status: experimental
+description: Detects when vim-cmd is used to delete snapshots for an ESXi virtual machine.
+references:
+    - https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/
+author: Nathan Burns
+date: 2024-11-21
+tags:
+    - attack.t1485
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: '/vim-cmd'
+        CommandLine|contains: 'vmsvc/snapshot.removeall'
+    condition: selection
+falsepositives:
+    - Legitimate system administration actions
+level: high

rules/linux/process_creation/proc_creation_lnx_vim_cmd_disable_autostart.yml

@@ -0,0 +1,25 @@
+title: ESXi VM Autostart Disabled via VIM-CMD
+id: 28f12744-6c57-4498-bfdc-aa727fbece49
+status: experimental
+description: Detects when vim-cmd is used to disable the autostart of an ESXi virtual machine.
+references:
+    - https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/
+author: Nathan Burns
+date: 2024-11-22
+tags:
+    - attack.t1529
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection_img:
+        Image|endswith: '/vim-cmd'
+        CommandLine|contains: 'hostsvc/autostartmanager/enable_autostart'
+    selection_check:
+        CommandLine|contains:
+            - '0'
+            - 'false'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate system administration actions.
+level: high

rules/linux/process_creation/proc_creation_lnx_vim_cmd_enable_ssh.yml

@@ -0,0 +1,21 @@
+title: SSH Enable on ESXi Host via VIM-CMD
+id: fefed8a8-1cc0-46b1-9e62-5b5b32df9bb7
+status: experimental
+description: Detects when vim-cmd is used to enable SSH on an ESXi host.
+references:
+    - https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/
+author: Nathan Burns
+date: 2024-11-22
+tags:
+    - attack.t1021.004
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: '/vim-cmd'
+        CommandLine|contains: 'hostsvc/enable_ssh'
+    condition: selection
+falsepositives:
+    - Legitimate system administration actions
+level: medium

rules/linux/process_creation/proc_creation_lnx_vim_cmd_power_off_vm.yml

@@ -0,0 +1,21 @@
+title: ESXi VM Powered Off via VIM-CMD
+id: 7e38eb5c-10b6-4853-bb8f-11163776401d
+status: experimental
+description: Detects when vim-cmd is used to power off an ESXi virtual machine.
+references:
+    - https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/
+author: Nathan Burns
+date: 2024-11-22
+tags:
+    - attack.t1529
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: '/vim-cmd'
+        CommandLine|contains: 'vmsvc/power.off'
+    condition: selection
+falsepositives:
+    - Legitimate system administration actions.
+level: medium

rules/linux/process_creation/proc_creation_lnx_vim_cmd_system_discovery.yml

@@ -0,0 +1,23 @@
+title: ESXi System Information Discovery via VIM-CMD
+id: d1270942-f26a-476c-a391-0fa1d25315a8
+status: experimental
+description: Detects when vim-cmd is used to discover information of an ESXi host.
+references:
+    - https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/vim-cmd/
+author: Nathan Burns
+date: 2024-11-22
+tags:
+    - attack.t1082
+logsource:
+    category: process_creation
+    product: linux
+detection:
+    selection:
+        Image|endswith: '/vim-cmd'
+        CommandLine|contains:
+            - 'hostsvc/hostsummary'
+            - 'vmsvc/getallvms'
+    condition: selection
+falsepositives:
+    - Legitimate system administration actions
+level: medium