From b0481bea135d2437a830d16c3d3328e782db4703 Mon Sep 17 00:00:00 2001 From: Koifman <9611126+Koifman@users.noreply.github.com> Date: Wed, 21 May 2025 09:39:49 +0300 Subject: [PATCH] Merge PR #5393 from @Koifman - Update VMware rules for MITREv17 update: proc_creation_lnx_esxcli_vm_kill.yml - updating MITRE to match v17 update: proc_creation_lnx_esxcli_vsan_discovery.yml - updating MITRE to match v17 update: proc_creation_lnx_esxcli_system_discovery.yml - updating MITRE to match v17 update: proc_creation_lnx_esxcli_network_discovery.yml - updating MITRE to match v17 update: proc_creation_lnx_esxcli_storage_discovery.yml - updating MITRE to match v17 update: proc_creation_lnx_esxcli_syslog_config_change.yml - updating MITRE to match v17 update: proc_creation_lnx_esxcli_user_account_creation.yml - updating MITRE to match v17 update: proc_creation_lnx_esxcli_permission_change_admin.yml - updating MITRE to match v17 update: proc_creation_lnx_esxcli_vm_discovery.yml - updating MITRE to match v17 --------- Co-authored-by: Koifman Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../proc_creation_lnx_esxcli_network_discovery.yml | 2 ++ .../proc_creation_lnx_esxcli_permission_change_admin.yml | 3 +++ .../proc_creation_lnx_esxcli_storage_discovery.yml | 2 ++ .../proc_creation_lnx_esxcli_syslog_config_change.yml | 2 ++ .../proc_creation_lnx_esxcli_system_discovery.yml | 2 ++ .../proc_creation_lnx_esxcli_user_account_creation.yml | 2 ++ .../process_creation/proc_creation_lnx_esxcli_vm_discovery.yml | 2 ++ .../process_creation/proc_creation_lnx_esxcli_vm_kill.yml | 3 +++ .../proc_creation_lnx_esxcli_vsan_discovery.yml | 2 ++ 9 files changed, 20 insertions(+)
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml
index e38284e6c..f21a6401a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_network_discovery.yml
@@ -9,8 +9,10 @@ author: Cedric Maurugeon
 date: 2023-09-04
 tags:
 - attack.discovery
+ - attack.execution
 - attack.t1033
 - attack.t1007
+ - attack.t1059.012
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
index 935355215..1219b5a07 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_permission_change_admin.yml
@@ -8,6 +8,9 @@ author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023-09-04
 tags:
 - attack.execution
+ - attack.privilege-escalation
+ - attack.t1059.012
+ - attack.t1098
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml
index ba8a14992..56e3faacb 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml
@@ -10,8 +10,10 @@ author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
 date: 2023-09-04
 tags:
 - attack.discovery
+ - attack.execution
 - attack.t1033
 - attack.t1007
+ - attack.t1059.012
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
index 31fc23e03..d17a3a715 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml
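Review bot: None of the nine rules gets a `modified:` date even though their `tags:` lists change; the context in this hunk shows `date: 2023-09-04` followed directly by `tags:`, so the field is absent rather than merely not bumped. As far as I recall Sigma's rule conventions, a tag update counts as a content change that should set `modified:`, and consumers that track rule-package changes by that field will otherwise not notice the MITRE v17 remap. Adding `modified: 2025-05-21` after the `date:` line in each file would cover it. The same applies to the permission_change_admin, storage_discovery, syslog_config_change, system_discovery, user_account_creation, vm_discovery, vm_kill and vsan_discovery hunks. Separately, keeping `attack.t1033` (System Owner/User Discovery) on the network-discovery rule reads as a mis-mapping that predates this commit; it may be worth checking while the tags are being revisited.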
@@ -9,8 +9,10 @@ author: Cedric Maurugeon
 date: 2023-09-04
 tags:
 - attack.defense-evasion
+ - attack.execution
 - attack.t1562.001
 - attack.t1562.003
+ - attack.t1059.012
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml
index 3774bc1fa..2f12e71b8 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_system_discovery.yml
@@ -9,8 +9,10 @@ author: Cedric Maurugeon
 date: 2023-09-04
 tags:
 - attack.discovery
+ - attack.execution
 - attack.t1033
 - attack.t1007
+ - attack.t1059.012
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml
index 569c45b89..c8cf5172e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_user_account_creation.yml
@@ -8,7 +8,9 @@ author: Cedric Maurugeon
 date: 2023-08-22
 tags:
 - attack.persistence
+ - attack.execution
 - attack.t1136
+ - attack.t1059.012
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml
index 2c8002469..a79873a27 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml
@@ -11,8 +11,10 @@ author: Cedric Maurugeon
 date: 2023-09-04
 tags:
 - attack.discovery
+ - attack.execution
 - attack.t1033
 - attack.t1007
+ - attack.t1059.012
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml
index 386119003..5bbf95f2a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml
@@ -11,6 +11,9 @@ author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
 date: 2023-09-04
 tags:
 - attack.execution
+ - attack.impact
+ - attack.t1059.012
+ - attack.t1529
 logsource:
 category: process_creation
 product: linux
diff --git a/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml
index c0f07e128..0f7acbed1 100644
--- a/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml
@@ -10,8 +10,10 @@ author: Nasreddine Bencherchali (Nextron Systems), Cedric Maurugeon
 date: 2023-09-04
 tags:
 - attack.discovery
+ - attack.execution
 - attack.t1033
 - attack.t1007
+ - attack.t1059.012
 logsource:
 category: process_creation
 product: linux