VMware ESXi - Root password changed
| Id | 17b0ea43-5aeb-4dc4-ac3a-be84acb8d5b7 |
| Rulename | VMware ESXi - Root password changed |
| Description | Detects when root user password is changed. |
| Severity | High |
| Tactics | InitialAccess Persistence DefenseEvasion |
| Techniques | T1078 T1098 T1556 |
| Required data connectors | SyslogAma |
| Kind | Scheduled |
| Query frequency | 10m |
| Query period | 10m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Analytic Rules/ESXiRootPasswordChange.yaml |
| Version | 1.0.0 |
| Arm template | 17b0ea43-5aeb-4dc4-ac3a-be84acb8d5b7.json |
VMwareESXi
| where SyslogMessage has_any ("password changed for root","Password was changed for account root")
| extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)
version: 1.0.0
severity: High
query: |
VMwareESXi
| where SyslogMessage has_any ("password changed for root","Password was changed for account root")
| extend SrcIpAddr = extract(@'root@(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, SyslogMessage)
queryPeriod: 10m
status: Available
kind: Scheduled
tactics:
- InitialAccess
- Persistence
- DefenseEvasion
triggerOperator: gt
queryFrequency: 10m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/VMWareESXi/Analytic Rules/ESXiRootPasswordChange.yaml
entityMappings:
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
name: VMware ESXi - Root password changed
triggerThreshold: 0
description: |
'Detects when root user password is changed.'
id: 17b0ea43-5aeb-4dc4-ac3a-be84acb8d5b7
relevantTechniques:
- T1078
- T1098
- T1556
requiredDataConnectors:
- connectorId: SyslogAma
datatypes:
- Syslog