Skip to content
Threat Feed
high advisory

ESXi User Granted Administrator Role

A user being granted the Administrator role on an ESXi host is a critical action that can indicate potential malicious behavior, as adversaries may use this to escalate privileges, maintain persistence, or disable security controls.

The granting of administrator privileges on an ESXi host is a significant security event. While legitimate administrator actions can trigger this, it also serves as a red flag for potential malicious activity. After gaining initial access, an attacker may attempt to escalate their privileges to gain control over the ESXi host. The adversary might leverage this elevated access to maintain persistence, disable security controls, or conduct further malicious actions within the virtualized environment. This activity is often seen post-compromise and has been observed in ransomware attacks such as Black Basta. Defenders should monitor for unexpected or unauthorized privilege escalations on ESXi hosts.

Attack Chain

  1. Initial Access: Adversary gains unauthorized access to a user account on the ESXi host through credential compromise or other means.
  2. Discovery: The attacker performs reconnaissance to identify existing user accounts and their assigned roles on the ESXi host. They may use commands like esxcli system permission list to enumerate user permissions.
  3. Privilege Escalation: The attacker attempts to grant the Administrator role to a compromised or newly created user account. They may use the esxcli system permission set command with the role Admin parameter.
  4. Persistence: The attacker leverages the newly acquired Administrator privileges to establish persistence mechanisms, such as creating new user accounts with elevated permissions or modifying system configurations to ensure continued access.
  5. Defense Evasion: The adversary might attempt to disable or modify security controls, such as disabling logging or altering firewall rules, to evade detection.
  6. Lateral Movement: Using the compromised ESXi host as a pivot point, the attacker may attempt to move laterally to other systems or virtual machines within the environment.
  7. Impact: The adversary leverages the compromised ESXi host and elevated privileges to achieve their objectives, such as data exfiltration, ransomware deployment, or disruption of services.

Impact

Compromise of an ESXi host and subsequent privilege escalation can have severe consequences. An attacker with Administrator privileges can control the entire virtualized environment, potentially leading to data breaches, system outages, and financial losses. This could affect hundreds or thousands of virtual machines, depending on the size and scope of the organization's virtual infrastructure. The Black Basta ransomware group has been observed targeting ESXi infrastructure, highlighting the potential for significant impact.

Recommendation

  • Configure ESXi hosts to forward syslog output to a SIEM or log management solution for centralized monitoring. Reference: VMWare ESXi Syslog data source.
  • Deploy the Sigma rule ESXi User Granted Admin Role to your SIEM to detect instances of users being granted the Administrator role on ESXi hosts.
  • Investigate any alerts generated by the Sigma rule, focusing on identifying the source of the privilege escalation and the potential impact on the environment. Reference: ESXi User Granted Admin Role Sigma rule.
  • Review user account permissions on ESXi hosts regularly to identify and remove any unnecessary or excessive privileges.
  • Monitor for suspicious commands executed on ESXi hosts using esxcli, particularly those related to user management and permission changes.

Detection coverage 2

ESXi User Granted Admin Role

high

Detects when a user is granted the Administrator role on an ESXi host.

sigma tactics: privilege_escalation techniques: T1078, T1098 sources: syslog, vmware

ESXi User Modified Permissions

medium

Detects when a user's permissions are modified on an ESXi host.

sigma tactics: privilege_escalation techniques: T1078, T1098 sources: syslog, vmware

Detection queries are available on the platform. Get full rules →