Modification of ESXi Welcome Message via ESXCLI

Rule Info

Name
Modification of ESXi Welcome Message via ESXCLI
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects attempts to modify the ESXi welcome message using the ESXCLI command. Unauthorized changes to the welcome message may indicate malicious activity, such as defacement or the display of ransomware messages left by threat actors.
Reference
https://lolesxi-project.github.io/LOLESXi/lolesxi/Binaries/esxcli/#change%20display%20information
Date
2025-05-19 00:00:00
Modified
None
Id
f1f90953-c942-40b5-bc72-6c877d4579cb
Tags
attack.execution attack.t1675 attack.impact attack.t1491.001
Type
Nextron Sigma feed only (private)

Rule History

THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022