Splunk

ESXi Reverse Shell Patterns

Last updated 2 days ago on 2026-07-17

About

This detection looks for reverse shell string patterns on an ESXi host, which may indicate that a threat actor is attempting to establish remote control over the system.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
False Positives
Limited false positives in most environments, however tune as needed.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`esxi_syslog` Message IN ("*bash -i >&*","*/dev/tcp/*","*/dev/udp/*", "*/socat exec:*","*socket(S,PF_INET*") OR (Message="*python -c*" AND Message="*import socket*") | rex field=_raw "Z (?<dest>[\w\.]+)\s" | stats min(_time) as firstTime max(_time) as lastTime count by dest Message | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `esxi_reverse_shell_patterns_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).