VMware

Multiple vulnerabilities in NetApp products, including CVE-2023-0482, CVE-2023-20863, CVE-2024-22257, CVE-2025-23367, CVE-2025-48976, CVE-2025-53816, and CVE-2025-53817, could lead to remote denial of service, data confidentiality breaches, and data integrity breaches.

This detection identifies instances where the ESXi UI is accessed using the root account instead of a delegated administrative user, which bypasses role-based access controls and may indicate risky behavior or unauthorized activity.

CVE-2023-22102 describes a vulnerability in NetApp Active IQ Unified Manager and OnCommand Insight that allows a remote attacker to execute arbitrary code.

A remote, anonymous attacker can exploit a vulnerability in VMware Tanzu Spring Framework to perform a denial of service attack.

A local attacker can exploit a vulnerability in VMware Tanzu Spring Security to manipulate files, potentially leading to privilege escalation.

A remote, anonymous attacker can exploit a vulnerability in VMware Tanzu Spring Framework to bypass security measures.

This rule detects suspicious Kerberos authentication ticket requests by correlating network connections to the standard Kerberos port (88) from a source machine with a Kerberos authentication ticket request from the target domain controller, which could indicate lateral movement or credential access attempts within a Windows domain.

Multiple vulnerabilities in VMware Tanzu Spring Cloud Config could allow an attacker to disclose sensitive information or manipulate data.

VECT 2.0 ransomware, a RaaS offering, permanently destroys large files due to an encryption flaw, discarding decryption nonces for files above 128 KB, rendering them unrecoverable and effectively acting as a wiper; it uses raw ChaCha20-IETF with no authentication.

Broadcom released a security advisory addressing critical vulnerabilities in VMware Tanzu Data Lake (versions prior to 4.0.0) and VMware Tanzu Greenplum Platform Extension Framework (versions prior to 8.0.0), requiring immediate patching to prevent potential exploitation.

Multiple vulnerabilities in VMware Tanzu Spring Boot allow attackers to execute arbitrary code, bypass security measures, manipulate or disclose sensitive data, or hijack authenticated users.

Adversaries may establish persistence by abusing the Windows Installer (msiexec.exe) to create scheduled tasks or modify registry run keys, allowing for malicious code execution upon system startup or user logon.

Detection of processes loading Mozilla NSS/Mozglue libraries (mozglue.dll, nss3.dll) outside of known Mozilla applications, potentially indicating malware or unauthorized activity.

Detection of unsigned or untrusted DLLs being loaded into the LSASS process, which is indicative of credential access attempts by adversaries aiming to steal sensitive information such as user passwords.

Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.

This detection identifies changes to the VIB (vSphere Installation Bundle) acceptance level on an ESXi host, potentially allowing the installation of unsigned or unverified software and lowering the system's integrity enforcement.

Detection of ESXi syslog configuration changes via esxcli command, potentially indicating an attempt to disrupt logging and evade detection.

This detection identifies when the ESXi firewall is disabled or set to permissive mode, potentially exposing the host to unauthorized access and network-based attacks, often preceding lateral movement, data exfiltration, or malware installation.

Detection of modifications to ESXi host encryption settings, such as disabling secure boot or executable verification, which may indicate attempts to weaken hypervisor integrity and allow unauthorized code execution.

Detection of failed file download attempts on ESXi hosts, potentially indicating unauthorized or malicious activity such as installing or updating components, including VIBs or scripts.

Detection identifies the use of the esxcli system auditrecords commands to tamper with logging on an ESXi host, potentially evading detection and hindering forensic analysis.

Adversaries may establish persistence by registering and enabling a malicious DLL as a time provider by modifying registry keys associated with the W32Time service.

Detection of LSASS loading an unsigned or untrusted DLL, which can indicate credential access attempts by malicious actors targeting sensitive information stored in the LSASS process.

An attacker modifies the ESXi host's syslog configuration to disrupt log forwarding, potentially evading detection and hindering incident response.

The disabling of Lockdown Mode on an ESXi host may indicate a threat actor attempting to weaken host security controls to enable broader remote access for data exfiltration, lateral movement, or VM tampering.