{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/root_login/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["esxi","vmware","root_login","privilege_escalation"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eThis detection identifies instances where the ESXi UI is accessed using the root account instead of a delegated administrative user. Direct root access to the UI bypasses role-based access controls and auditing practices, and may indicate risky behavior, misconfiguration, or unauthorized activity by a malicious actor using compromised credentials. This activity is considered anomalous because routine ESXi administration should occur via delegated accounts, not the root account directly. The alert logic searches ESXi Syslog data for specific login events related to the root user originating from external IPs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains unauthorized access to the network where the ESXi host is located, potentially through phishing or exploiting a vulnerability in a network-connected service.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to directly log into the ESXi UI using the root account, potentially through brute-force or credential stuffing attacks, if they have obtained credentials.\u003c/li\u003e\n\u003cli\u003eThe ESXi host logs the successful root login attempt in the syslog. The log message includes the source IP address of the connection and the destination ESXi host.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages root privileges to enumerate virtual machines, datastores, and network configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies virtual machine configurations, such as disabling security features or gaining access to sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker may deploy malicious software or scripts to the ESXi host or guest virtual machines to establish persistence or further compromise the environment.\u003c/li\u003e\n\u003cli\u003eThe attacker may attempt to move laterally to other systems within the network using the compromised ESXi host as a pivot point.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a complete compromise of the ESXi host and the virtual machines it manages. This can result in data theft, service disruption, or the deployment of ransomware. Organizations relying on ESXi infrastructure could face significant financial losses and reputational damage. The attack is especially impactful in environments where ESXi hosts manage critical workloads or sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure ESXi systems to forward syslog output to your SIEM to enable the detections.\u003c/li\u003e\n\u003cli\u003eInstall the Splunk Technology Add-on for VMware ESXi Logs for proper field extraction (see \u003ccode\u003ehow_to_implement\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eTune the provided Sigma rule \u003ccode\u003eESXi External Root Login Activity\u003c/code\u003e to filter out legitimate root login activity in your environment (see \u003ccode\u003efalsepositives\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eESXi External Root Login Activity\u003c/code\u003e rule to determine the source and intent of the root login attempt.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected changes to virtual machine configurations or the deployment of suspicious software on ESXi hosts.\u003c/li\u003e\n\u003cli\u003eConsider implementing multi-factor authentication for all ESXi accounts, including the root account.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T18:00:48Z","date_published":"2026-05-28T18:00:48Z","id":"https://feed.craftedsignal.io/briefs/2026-05-esxi-root-login/","summary":"This detection identifies instances where the ESXi UI is accessed using the root account instead of a delegated administrative user, which bypasses role-based access controls and may indicate risky behavior or unauthorized activity.","title":"ESXi External Root Login Detection","url":"https://feed.craftedsignal.io/briefs/2026-05-esxi-root-login/"}],"language":"en","title":"CraftedSignal Threat Feed — Root_login","version":"https://jsonfeed.org/version/1.1"}