{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/actors/black-basta/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Black Basta","BlackBasta","UNC4393"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ESXi"],"_cs_severities":["high"],"_cs_tags":["esxi","syslog","vmware","defense-evasion","black-basta"],"_cs_type":"threat","_cs_vendors":["VMware"],"content_html":"\u003cp\u003eThis threat brief addresses the modification of syslog configurations on ESXi hosts, a tactic frequently employed to disable or redirect logging and evade detection. The activity is detected through the use of \u003ccode\u003eesxcli\u003c/code\u003e commands altering syslog settings. This is a known technique used by threat actors like the Black Basta ransomware group to hinder incident response and forensic analysis. This activity specifically targets VMware ESXi environments and aims to compromise the integrity of security logs, creating blind spots for defenders. The ability to manipulate system logging is a critical step in a larger attack campaign, as it allows threat actors to operate with less visibility.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the ESXi host, potentially through exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to gain administrative access to the ESXi host.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker uses commands to enumerate the current syslog configuration.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker uses \u003ccode\u003eesxcli\u003c/code\u003e to modify the syslog configuration, redirecting logs or disabling them entirely. This command will contain \u0026quot;syslog config set\u0026quot; and \u0026quot;esxcli\u0026quot;.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker may configure the changes to persist through reboots, further hindering detection.\u003c/li\u003e\n\u003cli\u003eLateral Movement: With logging disabled, the attacker moves laterally within the environment to compromise additional systems.\u003c/li\u003e\n\u003cli\u003eData Encryption: The attacker deploys ransomware, encrypting critical data on the compromised ESXi hosts.\u003c/li\u003e\n\u003cli\u003eExfiltration/Ransom: The attacker may exfiltrate data before encryption and demand a ransom for decryption keys and to prevent data release.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of ESXi syslog configurations allows attackers to operate undetected within the environment. This can lead to prolonged dwell time, increased data exfiltration, and widespread ransomware deployment. Organizations that fail to detect this activity are at significant risk of suffering a major security incident, resulting in data loss, financial damage, and reputational harm. The ESXi Post Compromise analytic story highlights the potential impact of this attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure your ESXi systems to forward syslog output to your Splunk deployment, as required by the \u0026quot;how_to_implement\u0026quot; section of the original detection.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect ESXi syslog configuration changes and tune them for your specific environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the user and destination involved in the configuration change.\u003c/li\u003e\n\u003cli\u003eReview the analytic story \u0026quot;ESXi Post Compromise\u0026quot; to identify related attack patterns and improve overall detection capabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-esxi-syslog-config-change/","summary":"Detection of ESXi syslog configuration changes using esxcli, potentially indicating an attempt to disrupt logging and evade detection, with known association to Black Basta ransomware.","title":"ESXi Syslog Configuration Change via esxcli","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-syslog-config-change/"}],"language":"en","title":"CraftedSignal Threat Feed - Black Basta","version":"https://jsonfeed.org/version/1.1"}