Adversaries may create local accounts on ESXi hosts using esxcli to establish persistence or escalate privileges. SOC teams should proactively hunt for this behavior to identify potential compromise of virtualization infrastructure.
Detection Rule
title: ESXi Account Creation Via ESXCLI
id: b28e4eb3-8bbc-4f0c-819f-edfe8e2f25db
status: test
description: Detects user account creation on ESXi system via esxcli
references:
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-08-22
tags:
    - attack.persistence
    - attack.execution
    - attack.t1136
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains|all:
            - 'system '
            - 'account '
            - 'add '
    condition: selection
falsepositives:
    - Legitimate administration activities
level: medium
Equivalent Microsoft Sentinel (ASIM) query:
imProcessCreate
| where TargetProcessName endswith "/esxcli"
    and (TargetProcessCommandLine contains "system "
        and TargetProcessCommandLine contains "account "
        and TargetProcessCommandLine contains "add ")
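The selection above, re-implemented in Python as an added example (this is not code from the Sigma rule or the Sigma project) so it can be run offline over exported process_creation events. The Image and CommandLine field names follow the rule; the ParentImage and User fields, the TRUSTED_PARENTS allowlist, and every sample command line are constructed assumptions for illustration.

```python
"""Hunt for ESXi local account creation via esxcli in process_creation events.

Added example: mirrors the Sigma selection (Image endswith '/esxcli' and
CommandLine contains all of 'system ', 'account ', 'add ') and adds a
tuning step that flags hits launched by an approved automation parent.
"""
from __future__ import annotations

# Sigma: Image|endswith '/esxcli'
IMAGE_SUFFIX = "/esxcli"
# Sigma: CommandLine|contains|all (trailing spaces copied from the rule)
REQUIRED_TOKENS = ("system ", "account ", "add ")

# Assumed allowlist of parent processes permitted to create accounts
# (constructed for this example; tune to your environment).
TRUSTED_PARENTS = frozenset({"/opt/automation/provision.sh"})

# Constructed sample events, not real telemetry. Passwords are redacted.
SAMPLE_EVENTS = [
    # 0: account creation from an interactive shell -> alert
    {"Image": "/bin/esxcli", "ParentImage": "/bin/sh", "User": "root",
     "CommandLine": "esxcli system account add -i svc_tmp -p REDACTED -c REDACTED"},
    # 1: same action, mixed case and doubled spaces -> still alerts
    {"Image": "/bin/esxcli", "ParentImage": "/bin/sh", "User": "root",
     "CommandLine": "ESXCLI System  Account  Add --id newadmin "
                    "--password REDACTED --password-confirmation REDACTED"},
    # 2: enumerating accounts, not creating one -> no alert
    {"Image": "/bin/esxcli", "ParentImage": "/bin/sh", "User": "root",
     "CommandLine": "esxcli system account list"},
    # 3: esxcli in an unrelated namespace -> no alert
    {"Image": "/bin/esxcli", "ParentImage": "/bin/sh", "User": "root",
     "CommandLine": "esxcli system settings advanced list"},
    # 4: creation launched by the assumed automation wrapper -> alert, suppressed
    {"Image": "/bin/esxcli", "ParentImage": "/opt/automation/provision.sh",
     "User": "root",
     "CommandLine": "esxcli system account add -i monitor_ro -p REDACTED -c REDACTED"},
    # 5: bare 'add' with no arguments: the rule's 'add ' token (trailing space)
    #    does not match. esxcli rejects this form anyway, so no account results.
    {"Image": "/bin/esxcli", "ParentImage": "/bin/sh", "User": "root",
     "CommandLine": "esxcli system account add"},
]


def matches_rule(event: dict) -> bool:
    """True when the event satisfies the rule's selection.

    Sigma string modifiers are case-insensitive by default, so both the
    field values and the tokens are compared in lower case.
    """
    image = str(event.get("Image", "")).lower()
    cmdline = str(event.get("CommandLine", "")).lower()
    if not image.endswith(IMAGE_SUFFIX):
        return False
    return all(token in cmdline for token in REQUIRED_TOKENS)


def triage(events: list[dict], trusted_parents: frozenset[str] = frozenset()) -> list[dict]:
    """Apply the rule, then mark hits whose parent process is allowlisted.

    Suppressed hits are kept rather than dropped so an analyst can still
    review account creations performed by approved automation.
    """
    findings = []
    for ev in events:
        if not matches_rule(ev):
            continue
        findings.append({
            "command": ev.get("CommandLine", ""),
            "user": ev.get("User", ""),
            "parent": ev.get("ParentImage", ""),
            "suppressed": ev.get("ParentImage", "") in trusted_parents,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, TRUSTED_PARENTS):
        status = "suppressed" if finding["suppressed"] else "ALERT"
        print(f"[{status}] user={finding['user']} parent={finding['parent']} "
              f"cmd={finding['command']}")
```

Two points this makes visible that the rule text alone does not: matching is case-insensitive, so casing tricks in the command line do not evade it, and the three tokens each carry a trailing space, so a command line ending in a bare "add" does not match. The allowlist keeps suppressed hits in the output so that "Legitimate administration activities" can be reviewed rather than silently discarded.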
Scenario: Scheduled Job Configuration via ESXCLI
Description: An administrator uses esxcli to configure a scheduled job that requires creating a temporary user account for automation purposes.
Filter/Exclusion: Check for the presence of --username in the command line and ensure the account is deleted shortly after creation using a script or job scheduler.
Scenario: ESXi Host Profile Application
Description: A host profile is applied to multiple ESXi hosts, which includes predefined user accounts for management and monitoring tools.
Filter/Exclusion: Filter by the source of the command (e.g., esxcli invoked by a host profile or via vicfg), or check for the presence of --profile or --host in the command line.
Scenario: ESXi Backup or Recovery Task
Description: A backup or recovery tool (e.g., Veeam, Vizioncore) uses esxcli to create a temporary admin account during the restore process.
Filter/Exclusion: Check for the presence of --backup, --restore, or --recovery in the command line, or filter by the source IP of the tool.
Scenario: ESXi Host Patching via vSphere Client
Description: During a patching operation, the vSphere Client or PowerCLI invokes esxcli to create a temporary account for patching tasks.
Filter/Exclusion: Filter by the command line arguments related to patching (e.g., --patch, --update, --upgrade) or check for the presence of PowerCLI or vSphere Client in the command origin.
Scenario: ESXi User Management via vCenter Server
Description: An admin uses vCenter Server to manage ES