Splunk

ESXi Shell Access Enabled

Last updated 2 days ago on 2026-07-17

About

This detection identifies when the ESXi Shell is enabled on a host, which may indicate that a malicious actor is preparing to execute commands locally or establish persistent access. Enabling the shell outside of approved maintenance windows can be a sign of compromise or unauthorized administrative activity.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
False Positives
Limited false positives in most environments, however tune as needed. Some Administrators may enable this for troubleshooting.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`esxi_syslog` Message="*ESXi Shell*" Message="*has been enabled*" | rex field=_raw "'(?<user>\w+)@" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | stats min(_time) as firstTime max(_time) as lastTime count by dest user Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_shell_access_enabled_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).