ESXi sample data

datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: f4e7c8fc-c534-415b-9f99-9e9419096db5
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing attempts to access sensitive files on the ESXi system.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1003.008/esxi_sensitive_files/esxi_sensitive_files.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1003/008

datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 6cbe3ac7-510d-49ab-983e-7ee504d6f386
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing downloading of VMs from ESXi using remote tools."
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1005/esxi_vm_download/esxi_vm_download.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1005

datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 6bce52c9-2cd1-4916-be2d-7d6214bc5c98
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events ssh being enabled on the ESXi system.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021.004/esxi_ssh_enabled/esxi_ssh_enabled.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1021/004

datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 117b7a96-83f5-4de9-9394-be8997bc43f4
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing ESXi shell access being enabled.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1021/esxi_shell_enabled/esxi_shell_enabled.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1021

datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: cf946971-ec10-4792-a697-4b208bc42e7f
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing reverse shell attempts from the ESXi system.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059/esxi_reverse_shell/esxi_reverse_shell.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1059

datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: f8571084-93e7-46fc-ae37-7a22e81e57f3
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing manipulation of the system clock.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1070/esxi_system_clock_manipulation/esxi_system_clock_manipulation.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1070

datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: ebd8a8a8-e517-43d1-b744-a8260f18ef6e
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing root logins from an external system.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/esxi_external_root_login/esxi_external_root_login.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1078

datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: a61432b5-65c6-4509-b44a-3c176fa00d86
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing root logins from multple locations in quick succession.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078/esxi_stolen_root_account/esxi_stolen_root_account.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1078

datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 632f631d-6d62-4bc6-8b6b-c51a9134a016
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing attempts to enumerate system information.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1082/esxi_system_information/esxi_system_information.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1082

datasets/attack_techniques/T1098/esxi_account_modification/esxi_account_modified.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 7ebe0ae9-792a-4da1-aa7d-b338db54edfc
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing account manipulation of esxi account with malicious intent.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/esxi_account_modified/esxi_account_modified.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1098/

datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 6957528c-1167-469f-a982-d03dea0ff09e
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing account manipulation of esxi account to give it the admin role.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098/esxi_admin_role/esxi_admin_role.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1098/

datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 5c239f0f-ec10-4107-b6a0-c9228257e4b1
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing an ssh brute force attempt against an ESXi server.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110/esxi_ssh_brute_force/esxi_ssh_brute_force.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1110

datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 61568617-ad53-4998-b9aa-88d4114f5330
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing attempted forced installation of malicious VIBs'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1505.006/esxi_malicious_vib/esxi_malicious_vib_forced_install.yml
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1505/006

datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 2bbe8c66-7262-4e13-b9a0-9d521e5d6305
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing commands used for bulk termination of VMs.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1529/esxi_bulk_vm_termination/esxi_bulk_vm_termination.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1529

datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 1ca23917-04c2-41db-b31b-702bcd728737
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing tampering of audit settings.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_audit_tampering/esxi_audit_tampering.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562/003

datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 125f03ca-3a22-4bf7-bb02-4abd338b326e
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing attempts to modify the loghost configuration.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_loghost_config_tampering/esxi_loghost_config_tampering.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562/003

datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: c012bd08-cbdb-49b6-9a0d-acd51b1f1cca
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing attempts to modify the syslog configuration.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.003/esxi_syslog_config/esxi_syslog_config.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562/003

datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 39edc074-9898-4de9-8296-45c51b7e18dd
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing attempts to disable the firewall.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562.004/esxi_firewall_disabled/esxi_firewall_disabled.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562/004

datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 05d39cf3-abd8-46e3-b775-88935c28fffc
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing ESXi encryption settings being modified to impair defenses.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_encryption_modified/esxi_encryption_modified.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562

datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 98448462-9f32-47ef-ac24-844bb1c0f1c0
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing ESXi lockdown settings being modified to impair defenses.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_lockdown_disabled/esxi_lockdown_disabled.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562

datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 2440ce36-e445-4b34-8591-12afd1f8c884
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events showing modification to ESXi VIB acceptance levels."
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1562/esxi_vib_acceptance_level_tampering/esxi_vib_acceptance_level_tampering.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1562

datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: a398a202-5b62-4043-9286-647fde220dca
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing dormant VMs being activated.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1584/esxi_dormant_vm_started/esxi_dormant_vm_started.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1584

datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: 39edc074-9898-4de9-8296-45c51b7e18dd
+date: '2025-07-08'
+description: 'Sample of ESXi syslog events showing failed attempts to install malicious VIBs.'
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1601.001/esxi_download_errors/esxi_download_errors.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1601/001

datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.yml

@@ -0,0 +1,11 @@
+author: Raven Tait, Splunk
+id: d3f26d3a-3ae5-4e3d-a9b3-567622b6fb1d
+date: '2025-07-09'
+description: 'Sample of ESXi syslog events VM discovery commands."
+environment: custom
+dataset:
+- https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1673/esxi_vm_discovery/esxi_vm_discovery.log
+sourcetypes:
+- vmw-syslog
+references:
+- https://attack.mitre.org/techniques/T1673