ESXi User Granted Administrator Role
A user being granted the Administrator role on an ESXi host is a critical action that can indicate potential malicious behavior, as adversaries may use this to escalate privileges, maintain persistence, or disable security controls.
The granting of administrator privileges on an ESXi host is a significant security event. While legitimate administrator actions can trigger this, it also serves as a red flag for potential malicious activity. After gaining initial access, an attacker may attempt to escalate their privileges to gain control over the ESXi host. The adversary might leverage this elevated access to maintain persistence, disable security controls, or conduct further malicious actions within the virtualized environment. This activity is often seen post-compromise and has been observed in ransomware attacks such as Black Basta. Defenders should monitor for unexpected or unauthorized privilege escalations on ESXi hosts.
Attack Chain
- Initial Access: Adversary gains unauthorized access to a user account on the ESXi host through credential compromise or other means.
- Discovery: The attacker performs reconnaissance to identify existing user accounts and their assigned roles on the ESXi host. They may use commands like
esxcli system permission listto enumerate user permissions. - Privilege Escalation: The attacker attempts to grant the Administrator role to a compromised or newly created user account. They may use the
esxcli system permission setcommand with therole Adminparameter. - Persistence: The attacker leverages the newly acquired Administrator privileges to establish persistence mechanisms, such as creating new user accounts with elevated permissions or modifying system configurations to ensure continued access.
- Defense Evasion: The adversary might attempt to disable or modify security controls, such as disabling logging or altering firewall rules, to evade detection.
- Lateral Movement: Using the compromised ESXi host as a pivot point, the attacker may attempt to move laterally to other systems or virtual machines within the environment.
- Impact: The adversary leverages the compromised ESXi host and elevated privileges to achieve their objectives, such as data exfiltration, ransomware deployment, or disruption of services.
Impact
Compromise of an ESXi host and subsequent privilege escalation can have severe consequences. An attacker with Administrator privileges can control the entire virtualized environment, potentially leading to data breaches, system outages, and financial losses. This could affect hundreds or thousands of virtual machines, depending on the size and scope of the organization's virtual infrastructure. The Black Basta ransomware group has been observed targeting ESXi infrastructure, highlighting the potential for significant impact.
Recommendation
- Configure ESXi hosts to forward syslog output to a SIEM or log management solution for centralized monitoring. Reference:
VMWare ESXi Syslogdata source. - Deploy the Sigma rule
ESXi User Granted Admin Roleto your SIEM to detect instances of users being granted the Administrator role on ESXi hosts. - Investigate any alerts generated by the Sigma rule, focusing on identifying the source of the privilege escalation and the potential impact on the environment. Reference:
ESXi User Granted Admin RoleSigma rule. - Review user account permissions on ESXi hosts regularly to identify and remove any unnecessary or excessive privileges.
- Monitor for suspicious commands executed on ESXi hosts using
esxcli, particularly those related to user management and permission changes.
Detection coverage 2
ESXi User Granted Admin Role
highDetects when a user is granted the Administrator role on an ESXi host.
ESXi User Modified Permissions
mediumDetects when a user's permissions are modified on an ESXi host.
Detection queries are available on the platform. Get full rules →