Splunk

ESXi Account Modified

Last updated 2 days ago on 2026-07-17

About

This detection identifies the creation, deletion, or modification of a local user account on an ESXi host. This activity may indicate unauthorized access, indicator removal, or persistence attempts by an attacker seeking to establish or maintain control of the host.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://detect.fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823(external, opens in a new tab or window)
False Positives
New local accounts being created in ESXi is rare in most environments. Tune as needed.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`esxi_syslog` Message="*esxcli system account*" Message IN ("*-i *","*--id*") NOT Message="*[shell*" | rex field=_raw "Z (?<dest>[\w\.]+)\s.*: \[(?<initial_user>\w+)]:\s.+-i[d]*\s(?<modified_user>[\w_\-0-9]+)" | stats min(_time) as firstTime max(_time) as lastTime count by dest initial_user modified_user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_account_modified_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).