
Rule Info
Name
ESXi Firewall Default Action Set To Allow All Traffic via ESXCLI
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects when the ESXi firewall default action is changed to allow all traffic.
Threat actors may use this technique to allow all network connections through the firewall and facilitate their malicious operations.
Date
2025-05-19 00:00:00
Modified
None
Id
950aace8-68d1-45d5-86b1-4b1d54e5f5e8
Tags
attack.execution attack.t1675 attack.defense-evasion attack.t1562.004
Type
Nextron Sigma feed only (private)