Analytics Story: ESXi Post Compromise

Description

This analytic story contains detections for malicious activity on VMware ESXi. Adversaries who gain access to an ESXi shell or exploit management interfaces may attempt to maintain persistence, disrupt virtual machines, modify security settings, or prepare for lateral movement.

Why it matters

Ransomware groups have been observed abusing ESXi to deploy malware and encrypt virtual machines. This story focuses on detecting potential post-compromise activities. It aims to help defenders identify and respond to attacks on ESXi systems in their environments.

Detections

Name | Technique | Type
ESXi Reverse Shell Patterns | Command and Scripting Interpreter | TTP
ESXi VM Discovery | Virtual Machine Discovery | TTP
ESXi Shell Access Enabled | Remote Services | TTP
ESXi Loghost Config Tampering | Disable or Modify Tools | TTP
ESXi Syslog Config Change | Prevent Command History Logging | TTP
ESXi Shared or Stolen Root Account | Valid Accounts | Anomaly
ESXi User Granted Admin Role | Valid Accounts, Account Manipulation | TTP
ESXi Malicious VIB Forced Install | vSphere Installation Bundles | TTP
ESXi Download Errors | Patch System Image, Disable or Modify Tools | Anomaly
ESXi VIB Acceptance Level Tampering | Disable or Modify Tools | TTP
ESXi Bulk VM Termination | Endpoint Denial of Service, System Shutdown/Reboot, Virtual Machine Discovery | TTP
ESXi System Clock Manipulation | Timestomp | TTP
ESXi SSH Brute Force | Brute Force | Anomaly
ESXi Sensitive Files Accessed | /etc/passwd and /etc/shadow, Data from Local System | TTP
ESXi External Root Login Activity | Valid Accounts | Anomaly
ESXi Encryption Settings Modified | Disable or Modify Tools | TTP
Windows Suspicious VMWare Tools Child Process | Command and Scripting Interpreter | TTP
ESXi Firewall Disabled | Disable or Modify System Firewall | TTP
ESXi VM Exported via Remote Tool | Data from Local System | TTP
ESXi System Information Discovery | System Information Discovery | TTP
ESXi Lockdown Mode Disabled | Disable or Modify Tools | TTP
ESXi Account Modified | Valid Accounts, Account Manipulation, Local Account | Anomaly
ESXi Audit Tampering | Indicator Removal, Prevent Command History Logging | TTP
ESXi SSH Enabled | SSH | TTP

Data Sources

Name | Platform | Sourcetype | Source
VMWare ESXi Syslog | Other | vmw-syslog | vmware:esxlog
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security

Source: GitHub | Version: 2