
ESXi Firewall Disabled

Splunk Security Content

Summary
The detection rule identifies instances where the ESXi firewall on VMware hosts is either disabled or configured in a permissive mode, a change that may lead to unauthorized access and network-based attacks. Such a change is a significant security concern because it often precedes lateral movement by attackers, data exfiltration, and the deployment of malicious software. The rule uses syslog data generated by ESXi hosts to pinpoint log entries that indicate a change to the firewall status. By analyzing the specified log messages, the detection captures the first and last timestamps of the events and identifies the destination hosts affected by the change, which allows for proactive monitoring and incident response before further exploitation.
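The aggregation the summary describes (match firewall-weakening entries in ESXi syslog, then report first and last timestamps per affected host) is shown below as an added example; it is not the Splunk rule itself. The syslog layout and the esxcli command strings treated as indicators are assumptions, and the sample log lines are constructed.

```python
"""Detection logic run over constructed ESXi syslog lines (added example, not the Splunk rule).

Assumed: lines are "<RFC 3339 timestamp> <host> <process>: <message>", and a firewall is
weakened when the ESXi shell logs `esxcli network firewall set` with `--enabled false` / `-e false`
(disabled) or `--default-action true` (permissive default action). Both are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: two hosts, one harmless firewall query and one unrelated hostd line as noise.
SAMPLE_SYSLOG = """\
2025-05-12T08:01:10Z esxi01.lab.internal shell[2001]: [root]: esxcli network firewall get
2025-05-12T08:02:45Z esxi01.lab.internal shell[2001]: [root]: esxcli network firewall set --enabled false
2025-05-12T08:03:02Z esxi01.lab.internal Hostd: info hostd[2002] heartbeat ok
2025-05-12T08:09:30Z esxi02.lab.internal shell[3100]: [root]: esxcli network firewall set --default-action true
2025-05-12T08:11:00Z esxi01.lab.internal shell[2001]: [root]: esxcli network firewall set -e false
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+?):?\s+(?P<msg>.*)$")

# Assumed indicator patterns; any other firewall-related message (e.g. a plain "get") is ignored.
WEAKENING = {
    "disabled": re.compile(r"esxcli network firewall set\b.*(--enabled|-e)\s+false", re.I),
    "permissive": re.compile(r"esxcli network firewall set\b.*--default-action\s+true", re.I),
}


def detect_firewall_changes(syslog_text):
    """Return {host: {first_time, last_time, count, changes}} for hosts whose syslog
    shows the ESXi firewall being disabled or switched to a permissive default."""
    hits = defaultdict(lambda: {"first_time": None, "last_time": None, "count": 0, "changes": set()})
    for raw in syslog_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a syslog-shaped line; skip it
        for label, pattern in WEAKENING.items():
            if pattern.search(m["msg"]):
                ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
                rec = hits[m["host"]]
                rec["first_time"] = ts if rec["first_time"] is None else min(rec["first_time"], ts)
                rec["last_time"] = ts if rec["last_time"] is None else max(rec["last_time"], ts)
                rec["count"] += 1
                rec["changes"].add(label)
                break  # one classification per line
    return dict(hits)


if __name__ == "__main__":
    for host, rec in detect_firewall_changes(SAMPLE_SYSLOG).items():
        print(host, rec["count"], sorted(rec["changes"]), rec["first_time"], rec["last_time"])
```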
Categories
  • Infrastructure
  • Cloud
  • Endpoint
Data Sources
  • Image
  • File
ATT&CK Techniques
  • T1562.004
Created: 2025-05-12