VMware ESXi - Root password changed
| Id | 17b0ea43-5aeb-4dc4-ac3a-be84acb8d5b7 |
| Rulename | VMware ESXi - Root password changed |
| Description | Detects when root user password is changed. |
| Severity | High |
| Tactics | InitialAccess Persistence DefenseEvasion |
| Techniques | T1078 T1098 T1556 |
| Required data connectors | SyslogAma |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Analytic Rules/ESXiRootPasswordChange.yaml |
| Version | 1.0.0 |
| Arm template | 17b0ea43-5aeb-4dc4-ac3a-be84acb8d5b7.json |
VMwareESXi
| where SyslogMessage has_any ("password changed for root","Password was changed for account root")
| extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)
requiredDataConnectors:
- datatypes:
- Syslog
connectorId: SyslogAma
queryPeriod: 10m
triggerThreshold: 0
queryFrequency: 10m
version: 1.0.0
status: Available
severity: High
description: |
'Detects when root user password is changed.'
name: VMware ESXi - Root password changed
entityMappings:
- fieldMappings:
- identifier: Address
columnName: SrcIpAddr
entityType: IP
triggerOperator: gt
id: 17b0ea43-5aeb-4dc4-ac3a-be84acb8d5b7
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Analytic Rules/ESXiRootPasswordChange.yaml
tactics:
- InitialAccess
- Persistence
- DefenseEvasion
relevantTechniques:
- T1078
- T1098
- T1556
kind: Scheduled
query: |
VMwareESXi
| where SyslogMessage has_any ("password changed for root","Password was changed for account root")
| extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)