Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. VMware ESXi - Root password changed

VMware ESXi - Root password changed

Back
Id17b0ea43-5aeb-4dc4-ac3a-be84acb8d5b7
RulenameVMware ESXi - Root password changed
DescriptionDetects when root user password is changed.
SeverityHigh
TacticsInitialAccess
Persistence
DefenseEvasion
TechniquesT1078
T1098
T1556
Required data connectorsSyslogAma
KindScheduled
Query frequency10m
Query period10m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Analytic Rules/ESXiRootPasswordChange.yaml
Version1.0.0
Arm template17b0ea43-5aeb-4dc4-ac3a-be84acb8d5b7.json
Deploy To Azure
VMwareESXi
| where SyslogMessage has_any ("password changed for root","Password was changed for account root")
| extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)

relevantTechniques:
- T1078
- T1098
- T1556
severity: High
queryFrequency: 10m
triggerOperator: gt
name: VMware ESXi - Root password changed
requiredDataConnectors:
- connectorId: SyslogAma
  datatypes:
  - Syslog
triggerThreshold: 0
tactics:
- InitialAccess
- Persistence
- DefenseEvasion
id: 17b0ea43-5aeb-4dc4-ac3a-be84acb8d5b7
entityMappings:
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
kind: Scheduled
status: Available
description: |
    'Detects when root user password is changed.'
query: |
  VMwareESXi
  | where SyslogMessage has_any ("password changed for root","Password was changed for account root")
  | extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)  
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Analytic Rules/ESXiRootPasswordChange.yaml
queryPeriod: 10m