Splunk

ESXi Shared or Stolen Root Account

Last updated 2 days ago on 2026-07-17

About

This detection monitors for signs of a shared or potentially compromised root account on ESXi hosts by tracking the number of unique IP addresses logging in as root within a short time window. Multiple logins from different IPs in a brief period may indicate credential misuse, lateral movement, or account compromise.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://detect.fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823(external, opens in a new tab or window)
False Positives
Limited false positives in most environments, however tune as needed
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`esxi_syslog` Message="*root*" Message="*logged in*" NOT Message="*root@127.0.0.1*" | rex field=_raw "root@(?<SrcIpAddr>\d{1,3}(?:\.\d{1,3}){3})" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | bin _time span=15m | stats min(_time) as firstTime max(_time) as lastTime dc(SrcIpAddr) AS distinct_ip_count values(SrcIpAddr) AS SrcIps by dest | where distinct_ip_count > 1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_shared_or_stolen_root_account_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).