Skip to content
Threat Feed
high advisory

ESXi Encryption Settings Modified

Attackers modify ESXi host encryption settings, such as disabling secure boot or executable verification, to weaken hypervisor integrity and enable unauthorized code execution.

This threat involves the modification of encryption settings on VMware ESXi hosts, potentially by an attacker seeking to weaken the hypervisor's security posture. The modifications specifically target settings related to encryption enforcement, such as disabling secure boot requirements or executable verification. These changes can allow unauthorized code execution and compromise the integrity of the virtualized environment. The attack targets VMware ESXi systems and the activity is detected by monitoring ESXi syslog data for specific configuration changes related to encryption. This attack matters because it undermines the foundational security of the virtualized infrastructure, potentially granting attackers privileged access to guest virtual machines and sensitive data.

Attack Chain

  1. Initial Access: The attacker gains initial access to the ESXi host, possibly through exploiting vulnerabilities, weak credentials, or other means.
  2. Privilege Escalation: The attacker escalates privileges to gain the necessary permissions to modify ESXi host configuration settings.
  3. Configuration File Access: The attacker accesses the ESXi host configuration files where encryption settings are stored.
  4. Secure Boot Modification: The attacker disables or modifies the secure boot settings to bypass integrity checks during system startup. This involves manipulating the esx.conf file or using command-line tools.
  5. Executable Verification Bypass: The attacker disables the requirement for executable verification, allowing unsigned or malicious code to execute on the ESXi host.
  6. Encryption Setting Modification: The attacker uses ESXi command-line tools (e.g., esxcfg-advcfg, vim-cmd) to directly modify the encryption settings. The commands might involve parameters like -s, -e, --require-secure-boot, require-exec-installed-only, or execInstalledOnly to disable encryption-related features.
  7. Persistence: The attacker establishes persistence by ensuring the modified settings persist across reboots.
  8. Lateral Movement and Impact: The attacker leverages the compromised ESXi host to move laterally within the virtualized environment, potentially gaining access to sensitive data or deploying ransomware.

Impact

Successful modification of ESXi encryption settings allows attackers to bypass security controls and execute unauthorized code within the virtualized environment. This can lead to the compromise of virtual machines, data exfiltration, or the deployment of ransomware. The "Black Basta Ransomware" analytic story indicates this technique is used by that group. This can impact all sectors utilizing VMware ESXi for their infrastructure, including cloud providers and enterprise data centers.

Recommendation

  • Enable Syslog forwarding from VMware ESXi hosts to a SIEM to collect the necessary log data and install the Splunk Technology Add-on for VMware ESXi Logs to properly parse the data, as mentioned in the "How to Implement" section.
  • Deploy the provided Sigma rule to detect modifications to ESXi encryption settings based on specific keywords in the syslog messages.
  • Investigate any alerts generated by the Sigma rule and review the associated ESXi host configuration for unauthorized changes.
  • Utilize the provided drilldown searches to pivot from detected events to related risk events and host details.

Detection coverage 2

ESXi Encryption Settings Modified via CLI

high

Detects the modification of ESXi encryption settings via command-line interface by monitoring for specific command parameters in syslog messages.

sigma tactics: defense_evasion, privilege_escalation techniques: T1562 sources: syslog, vmware

ESXi Encryption Settings Modified - User and Command

medium

Detects ESXi encryption settings modification, extracting the user and command used.

sigma tactics: defense_evasion, privilege_escalation techniques: T1562 sources: syslog, vmware

Detection queries are available on the platform. Get full rules →