<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Root_login — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/root_login/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 28 May 2026 18:00:48 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/root_login/feed.xml" rel="self" type="application/rss+xml"/><item><title>ESXi External Root Login Detection</title><link>https://feed.craftedsignal.io/briefs/2026-05-esxi-root-login/</link><pubDate>Thu, 28 May 2026 18:00:48 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-esxi-root-login/</guid><description>This detection identifies instances where the ESXi UI is accessed using the root account instead of a delegated administrative user, which bypasses role-based access controls and may indicate risky behavior or unauthorized activity.</description><content:encoded><![CDATA[<p>This detection identifies instances where the ESXi UI is accessed using the root account instead of a delegated administrative user. Direct root access to the UI bypasses role-based access controls and auditing practices, and may indicate risky behavior, misconfiguration, or unauthorized activity by a malicious actor using compromised credentials. This activity is considered anomalous because routine ESXi administration should occur via delegated accounts, not the root account directly. The alert logic searches ESXi Syslog data for specific login events related to the root user originating from external IPs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains unauthorized access to the network where the ESXi host is located, potentially through phishing or exploiting a vulnerability in a network-connected service.</li>
<li>The attacker logs directly into the ESXi UI with the root account, using credentials obtained earlier or guessed through brute-force or credential-stuffing attempts.</li>
<li>The ESXi host records the successful root login in syslog; the log message includes the source IP address of the connection and the destination ESXi host.</li>
<li>The attacker leverages root privileges to enumerate virtual machines, datastores, and network configurations.</li>
<li>The attacker modifies virtual machine configurations, such as disabling security features or gaining access to sensitive data.</li>
<li>The attacker may deploy malicious software or scripts to the ESXi host or guest virtual machines to establish persistence or further compromise the environment.</li>
<li>The attacker may attempt to move laterally to other systems within the network using the compromised ESXi host as a pivot point.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to a complete compromise of the ESXi host and the virtual machines it manages. This can result in data theft, service disruption, or the deployment of ransomware. Organizations relying on ESXi infrastructure could face significant financial losses and reputational damage. The attack is especially impactful in environments where ESXi hosts manage critical workloads or sensitive data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Configure ESXi systems to forward syslog output to your SIEM to enable the detections.</li>
<li>Install the Splunk Technology Add-on for VMware ESXi Logs for proper field extraction (see <code>how_to_implement</code>).</li>
<li>Tune the provided Sigma rule <code>ESXi External Root Login Activity</code> to filter out legitimate root login activity in your environment (see <code>falsepositives</code>).</li>
<li>Investigate any alerts generated by the <code>ESXi External Root Login Activity</code> rule to determine the source and intent of the root login attempt.</li>
<li>Monitor for unexpected changes to virtual machine configurations or the deployment of suspicious software on ESXi hosts.</li>
<li>Consider implementing multi-factor authentication for all ESXi accounts, including the root account.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>esxi</category><category>vmware</category><category>root_login</category><category>privilege_escalation</category></item></channel></rss>