SSH Service Enabled On ESXi Host Via Vim-Cmd

Rule Info

Name
SSH Service Enabled On ESXi Host Via Vim-Cmd
Author
Nasreddine Bencherchali (Nextron Systems)
Description
Detects the execution of "vim-cmd" with the "hostsvc/enable_ssh" flag, which enables the SSH service on an ESXi host. Once enabled, the service allows a user to connect to the host remotely via SSH to perform command-line management and troubleshooting. In general, VMware does not recommend enabling SSH on vSphere. Investigate the source of such execution and make sure it is legitimate.
Date
2024-08-14 00:00:00
Modified
None
Id
1d205898-fb5e-4a51-97b6-be7e220c9df0
Tags
attack.execution
Type
Nextron Sigma feed only (private)

Rule History