An adversary is likely escalating privileges by assigning ESXi admin permissions to a compromised account via ESXCLI to gain persistent, elevated access within the virtualization environment. SOC teams should proactively hunt for this behavior as it indicates potential lateral movement and persistence tactics commonly used in advanced persistent threats targeting VMware infrastructure.
Detection Rule
```yaml
title: ESXi Admin Permission Assigned To Account Via ESXCLI
id: 9691f58d-92c1-4416-8bf3-2edd753ec9cf
status: test
description: Detects execution of the "esxcli" command with the "system" and "permission" flags in order to assign admin permissions to an account.
references:
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-09-04
tags:
    - attack.persistence
    - attack.execution
    - attack.privilege-escalation
    - attack.t1059.012
    - attack.t1098
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains: 'system'
        CommandLine|contains|all:
            - ' permission '
            - ' set'
            - 'Admin'
    condition: selection
falsepositives:
    - Legitimate administration activities
level: high
```
```kusto
imProcessCreate
| where TargetProcessName endswith "/esxcli" and TargetProcessCommandLine contains "system" and (TargetProcessCommandLine contains " permission " and TargetProcessCommandLine contains " set" and TargetProcessCommandLine contains "Admin")
```
Scenario: System administrator uses esxcli to assign admin permissions to a service account during a routine configuration update.
Filter/Exclusion: Check for the presence of known service accounts (e.g., root, vpxuser, vsphere.local\administrator) and exclude actions performed by these accounts.
Scenario: A scheduled job (e.g., vCenter Server maintenance script) runs esxcli to grant temporary admin permissions to a monitoring account for system health checks.
Filter/Exclusion: Exclude commands executed by scheduled tasks or scripts with known names (e.g., vCenterMaintenanceScript.sh), or filter by the source IP of the scheduled job.
Scenario: An IT support tool (e.g., vRealize Operations Manager) uses esxcli to configure a user account with admin privileges during an automated patching process.
Filter/Exclusion: Exclude commands executed by known IT management tools or during specific maintenance windows (e.g., patching_window_0200).
Scenario: A developer or DevOps team uses esxcli to grant admin access to a CI/CD pipeline account for automated deployment tasks.
Filter/Exclusion: Exclude commands executed by CI/CD tools (e.g., Jenkins, Ansible) or accounts associated with development environments (e.g., [email protected]).
Scenario: A security team uses esxcli to assign admin permissions to a temporary account for forensic analysis or incident response.
Filter/Exclusion: Exclude commands executed by security tools (e.g., Splunk, Mandiant) or accounts flagged as temporary or incident response-specific (e.g., [email protected]).
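To show how the selection above behaves and how the first scenario's service-account exclusion fits in, here is an added example (not part of the rule or the vendor's tooling) that replays the Sigma logic over constructed process_creation events; the event field names and the sample command lines are assumptions.

```python
"""Replay the Sigma selection above over constructed process_creation events."""

# Constructed sample events; field names are assumptions, not a real log schema.
SAMPLE_EVENTS = [
    {"user": "jdoe", "image": "/bin/esxcli",
     "cmdline": "esxcli system permission set -i backup-svc -r Admin"},
    {"user": "vpxuser", "image": "/bin/esxcli",
     "cmdline": "esxcli system permission set -i monitor -r Admin"},
    {"user": "root", "image": "/bin/esxcli",
     "cmdline": "esxcli system permission set -i reader -r ReadOnly"},
    {"user": "root", "image": "/bin/esxcli",
     "cmdline": "esxcli system permission list"},
    {"user": "root", "image": "/bin/ls",
     "cmdline": "ls -la /etc/vmware"},
]

# Known service accounts from the first false-positive scenario above.
KNOWN_SERVICE_ACCOUNTS = {"root", "vpxuser", "vsphere.local\\administrator"}


def matches_selection(event):
    """Sigma selection: Image endswith '/esxcli', CommandLine contains 'system'
    and all of ' permission ', ' set', 'Admin'. Sigma string modifiers (and the
    KQL 'contains' operator) match case-insensitively, so compare lowercase.
    Note that ' set' alone would also hit 'settings'; the mandatory
    ' permission ' token (with surrounding spaces) is what narrows the match."""
    image = event["image"].lower()
    cmd = event["cmdline"].lower()
    return (image.endswith("/esxcli")
            and "system" in cmd
            and all(tok in cmd for tok in (" permission ", " set", "admin")))


def triage(events, allowlist=KNOWN_SERVICE_ACCOUNTS):
    """Split selection hits into (alerts, suppressed) by the account allowlist.
    Suppressed hits are kept rather than dropped so the exclusion stays
    auditable and can be tightened later."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_selection(ev):
            continue
        bucket = suppressed if ev["user"].lower() in allowlist else alerts
        bucket.append(ev)
    return alerts, suppressed


if __name__ == "__main__":
    hits, quiet = triage(SAMPLE_EVENTS)
    print("alerts:", [e["cmdline"] for e in hits])
    print("suppressed:", [e["cmdline"] for e in quiet])
```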