Adversaries may modify the ESXi syslog configuration via ESXCLI to suppress, redirect or alter log data, for example by clearing the remote log host or pointing it at a collector they control, so that their activity on the hypervisor never reaches the SIEM. SOC teams should proactively hunt for this behavior in Azure Sentinel (now Microsoft Sentinel) to identify potential log tampering and early signs of a persistent intruder on the virtualization layer.
Detection Rule
title: ESXi Syslog Configuration Change Via ESXCLI
id: 38eb1dbb-011f-40b1-a126-cf03a0210563
status: test
description: Detects changes to the ESXi syslog configuration via "esxcli"
references:
    - https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US
    - https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_system.html
author: Cedric Maurugeon
date: 2023-09-04
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1562.001
    - attack.t1562.003
    - attack.t1059.012
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        Image|endswith: '/esxcli'
        CommandLine|contains|all:
            - 'system'
            - 'syslog'
            - 'config'
        CommandLine|contains: ' set'
    condition: selection
falsepositives:
    - Legitimate administrative activities
level: medium
Azure Sentinel query (KQL, ASIM imProcessCreate parser)
imProcessCreate
| where TargetProcessName endswith "/esxcli"
| where TargetProcessCommandLine contains "system"
    and TargetProcessCommandLine contains "syslog"
    and TargetProcessCommandLine contains "config"
| where TargetProcessCommandLine contains " set"
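To make the selection logic concrete, the following is an added example, not code from the rule author or the original page. It applies the rule's selection to a handful of constructed process_creation events and then triages each match by what the command did to the remote log host, which is the question the tuning scenarios below come down to: was remote logging cleared, redirected to an unknown collector, or pointed at a sanctioned one. The sample events, the allowlist of collectors and their addresses are all assumptions for the example. Sigma string matching is case-insensitive by default, so both fields are lowercased before comparison.

```python
import shlex

# Constructed sample events in the shape the rule's process_creation logsource
# expects (Image + CommandLine). Made up for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system syslog config set --loghost=tcp://10.10.20.5:514"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system syslog config set --loghost=udp://203.0.113.9:514"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system syslog config set --loghost="},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system syslog config set --logdir=/vmfs/volumes/datastore1/logs"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system syslog config logger set --id=hostd --rotate=0"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system syslog config get"},
    {"Image": "/bin/esxcli", "CommandLine": "esxcli system syslog reload"},
    {"Image": "/bin/sh", "CommandLine": "sh -c 'esxcli system syslog config set --loghost='"},
]

# Assumed allowlist of the organization's sanctioned syslog collectors (hypothetical).
EXPECTED_LOGHOSTS = {"tcp://10.10.20.5:514"}


def matches_rule(event):
    """The Sigma selection: Image ends with /esxcli and the command line contains
    'system', 'syslog', 'config' and ' set'. Sigma matching is case-insensitive."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return (image.endswith("/esxcli")
            and all(tok in cmd for tok in ("system", "syslog", "config"))
            and " set" in cmd)


def loghost_argument(cmdline):
    """Return the value passed to --loghost (either '--loghost=V' or '--loghost V'),
    or None when the command does not touch the remote destination at all."""
    tokens = shlex.split(cmdline)
    for i, tok in enumerate(tokens):
        if tok.startswith("--loghost="):
            return tok[len("--loghost="):]
        if tok == "--loghost":
            return tokens[i + 1] if i + 1 < len(tokens) else ""
    return None


def classify(event):
    """Triage verdict for one event that matched the rule."""
    loghost = loghost_argument(event["CommandLine"])
    if loghost is None:
        return "local-logging-change"      # logdir, rotation, size, per-logger settings
    if loghost == "":
        return "remote-logging-cleared"    # remote forwarding switched off
    # --loghost accepts a comma-separated list of destinations
    dests = {d.strip() for d in loghost.split(",") if d.strip()}
    if dests <= EXPECTED_LOGHOSTS:
        return "expected-collector"
    return "unexpected-collector"          # logs now go somewhere we do not own


def triage(events):
    """Run the rule over a batch of events and attach a verdict to every match."""
    return [(e["CommandLine"], classify(e)) for e in events if matches_rule(e)]


if __name__ == "__main__":
    for cmd, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:24} {cmd}")
```

Only the esxcli process itself matches: the wrapper shell in the last sample is a separate /bin/sh event that the rule ignores (the child esxcli process would produce its own event). Note that esxcli system syslog config logger set, which changes per-log rotation and size, satisfies the same selection, and that a new loghost only takes effect once the operator runs esxcli system syslog reload, which the rule does not cover on its own.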
Scenario: System Administrator Updates Syslog Server Configuration via esxcli
Description: A system administrator manually updates the syslog server configuration using the esxcli system syslog config set command as part of routine log-forwarding setup.
Filter/Exclusion: Do not exclude on the account alone: esxcli runs as root on the host, so every match, malicious or not, will show an elevated user (e.g., root, vsphere.local\administrator). Instead, confirm that the event falls inside a scheduled maintenance window or change ticket and that the new --loghost value is one of the organization's sanctioned collectors; a match that clears the loghost or points it at an unknown address should stay visible.
Scenario: Scheduled Job Updates Syslog Configuration for Log Aggregation
Description: A scheduled job (e.g., via vCenter Server or a third-party log management tool such as Splunk or ELK) updates the ESXi syslog configuration to direct logs to a centralized log aggregation system.
Filter/Exclusion: The process_creation event carries no job ID or task name, so key the exclusion on what it does carry: the automation account, the parent process, the source host running the job, and the known destination loghost in the command line. Exclude only that combination, not every invocation by the automation tool.
Scenario: ESXi Host Reboot or System Update Triggers Syslog Configuration Reset
Description: After a reboot or system update, a boot-time or post-upgrade script may re-apply or reset the syslog configuration, and because the rule keys on process creation this only shows up when that script actually invokes esxcli system syslog config set.
Filter/Exclusion: Exclude events that occur within a short window after a host reboot or system update, using timestamps or correlation with host boot and update events (e.g., system.reboot or system.update), and verify that the values set are the expected defaults or baseline rather than an empty or unknown loghost.
Scenario: ESXi Host Profile Applied via vSphere Client
Description: A system administrator applies a host profile (or sets the syslog advanced settings) via the vSphere Client to modify the syslog configuration across multiple ESXi hosts.
Filter/Exclusion: Changes pushed through vCenter are applied by the host agent rather than by an interactive esxcli invocation, so they are not expected to match a process_creation rule; the process event also has no source IP or user agent to filter on. Where such changes do surface as esxcli executions, correlate them with the vCenter task and event log for the profile application and exclude only those known to be part of standard configuration management.
Scenario: ESXi Host Configuration Backup and Restore
Description: A backup and restore operation (e.g.,