Splunk

ESXi Audit Tampering

Last updated 2 days ago on 2026-07-17

About

This detection identifies the use of the esxcli system auditrecords commands, which can be used to tamper with logging on an ESXi host. This action may indicate an attempt to evade detection or hinder forensic analysis by preventing the recording of system-level audit events.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://detect.fyi/detecting-and-responding-to-esxi-compromise-with-splunk-f33998ce7823(external, opens in a new tab or window)
False Positives
Limited false positives in most environments, however tune as needed.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`esxi_syslog` Message="*esxcli system auditrecords*" Message IN ("*remote*","*local*") NOT Message = "*[shell*" | rex field=_raw "Z (?<dest>[\w\.]+)\s" | rex field=_raw "[\w+]\]: (?<full_command>.*)" | rex field=full_command "\[(?<user>.*)]:\s(?<command>.*)" | stats min(_time) as firstTime max(_time) as lastTime count by dest user command | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_audit_tampering_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).