Detects suspicious use of ESXi native CLI tools such as esxcli and vim-cmd by unauthorized users or outside expected maintenance windows. The focus is on actions such as stopping VMs, reconfiguring network or firewall settings, and enabling SSH or logging.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | esxi:vmkernel | esxcli, vim-cmd invocation |
| User Account Authentication (DC0002) | esxi:auth | SSH session/login |

| Field | Description |
|---|---|
| TimeWindow | Helps scope detection to off-hours or change control gaps. |
| UserContext | Environment-specific users may run these commands as part of normal ops. |
| CommandPattern | CLI commands vary by adversary intent (e.g., 'stop', 'reboot', 'firewall set'). |
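The following is an added worked example, not code from the original detection strategy: it applies the three mutable elements above (TimeWindow, UserContext, CommandPattern) to constructed ESXi shell log lines. The `shell.log` line layout, the 22:00-04:00 UTC maintenance window, the `admin_ops` allowlist and the command regexes are all assumptions chosen for illustration; tune them to the environment.

```python
import re
from datetime import datetime, time

# Constructed sample records in the style of ESXi /var/log/shell.log.
# The field layout is assumed for illustration; real output varies by ESXi build.
SAMPLE_LOG = """\
2024-03-12T02:14:07Z shell[2100145]: [svc_backup]: vim-cmd vmsvc/power.off 12
2024-03-12T02:14:30Z shell[2100145]: [svc_backup]: esxcli network firewall set --enabled false
2024-03-12T02:15:02Z shell[2100145]: [svc_backup]: vim-cmd hostsvc/enable_ssh
2024-03-12T02:16:00Z shell[2100145]: [svc_backup]: ls /vmfs/volumes
2024-03-12T10:05:11Z shell[2100990]: [admin_ops]: esxcli network firewall ruleset set --ruleset-id sshServer --enabled true
2024-03-12T10:06:40Z shell[2100990]: [admin_ops]: esxcli vm process list
2024-03-12T22:30:45Z shell[2101200]: [admin_ops]: esxcli system syslog config set --loghost=udp://10.0.0.5:514
"""

# Parses "<timestamp>Z shell[<pid>]: [<user>]: <command>" (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+shell\[\d+\]:\s+"
    r"\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

# CommandPattern: intent categories keyed to CLI invocations worth scrutinising.
PATTERNS = {
    "vm_stop": re.compile(r"vim-cmd\s+vmsvc/power\.(off|shutdown)\b|esxcli\s+vm\s+process\s+kill\b"),
    "firewall_change": re.compile(r"esxcli\s+network\s+firewall\s+(set|ruleset\s+set)\b"),
    "ssh_enable": re.compile(r"vim-cmd\s+hostsvc/enable_ssh\b"),
    "logging_change": re.compile(r"esxcli\s+system\s+syslog\s+config\s+set\b"),
}


def classify(cmd):
    """Return the intent categories a command matches (possibly several, possibly none)."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmd)]


def in_window(t, start, end):
    """True if wall-clock time t falls in [start, end); the window may cross midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def evaluate(log_text, allowed_users, window_start, window_end):
    """Scan shell log text and return one alert dict per suspicious command.

    A command is alerted on when it matches a CommandPattern category AND
    either the user is outside the allowlist (UserContext) or the command
    ran outside the maintenance window (TimeWindow). Benign commands and
    unparseable lines are skipped.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        categories = classify(m["cmd"])
        if not categories:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        user = m["user"]
        reasons = []
        if user not in allowed_users:
            reasons.append("user not in allowlist")
        if not in_window(ts.time(), window_start, window_end):
            reasons.append("outside maintenance window")
        if reasons:
            alerts.append({"ts": ts, "user": user, "categories": categories,
                           "cmd": m["cmd"], "reasons": reasons})
    return alerts


def default_policy_alerts():
    """Run the sample log against the assumed policy: window 22:00-04:00 UTC, one operator."""
    return evaluate(SAMPLE_LOG, {"admin_ops"}, time(22, 0), time(4, 0))


if __name__ == "__main__":
    for a in default_policy_alerts():
        print(a["ts"].isoformat(), a["user"], ",".join(a["categories"]),
              "|", "; ".join(a["reasons"]))
```

Against the sample, the three `svc_backup` commands are flagged on UserContext even though they fall inside the window, the `admin_ops` firewall change is flagged on TimeWindow alone, and the in-window syslog reconfiguration by the authorised operator produces no alert; plain `ls` and `esxcli vm process list` never reach the policy checks because they match no CommandPattern.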