ESXi Syslog Directory Change to TMP via ESXCLI

Rule Info

Name
ESXi Syslog Directory Change to TMP via ESXCLI
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the use of the ESXCLI command to change the syslog logs directory to /tmp in an ESXi environment. It is likely an attempt to disable logging by redirecting syslog logs to a temporary directory.
Reference
https://unit42.paloaltonetworks.com/threat-assessment-howling-scorpius-akira-ransomware/
Date
2025-05-19 00:00:00
Modified
None
Id
b814186c-e1e3-4bdd-94cc-f05d11ea3b49
Tags
attack.execution attack.t1675 attack.defense-evasion attack.t1562
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022