Skip to content
Threat Feed
medium advisory

ESXi Shell Enabled Detection

The ESXi Shell being enabled on a host may indicate malicious activity like preparing to execute commands locally or establishing persistent access.

This detection focuses on identifying when the ESXi Shell is enabled on a VMware ESXi host. Enabling the ESXi Shell outside of scheduled maintenance or approved troubleshooting activities can be indicative of malicious behavior. An attacker might enable the shell to gain local command execution, move laterally within the ESXi environment, or establish persistent access. The alert is triggered by analyzing syslog data generated by ESXi hosts, which needs to be properly configured and ingested into the security information and event management (SIEM) system. While legitimate administrators might enable the shell for troubleshooting, such instances should be rare and carefully monitored. The association with "ESXi Post Compromise" and "Black Basta Ransomware" analytic stories suggests the potential for this activity to precede or accompany more severe attacks.

Attack Chain

  1. Initial Compromise: The attacker gains initial access to the ESXi host, potentially through exploiting a vulnerability (not specified) or compromised credentials.
  2. Privilege Escalation (if needed): The attacker escalates privileges to an account capable of enabling the ESXi shell.
  3. ESXi Shell Enabled: The attacker enables the ESXi Shell, gaining local command-line access to the host. This action is logged in syslog.
  4. Reconnaissance: Using the ESXi Shell, the attacker performs reconnaissance to discover network configurations, stored credentials, and other ESXi hosts.
  5. Lateral Movement: The attacker leverages gathered credentials or exploits to move laterally to other ESXi hosts or virtual machines within the environment.
  6. Persistence: The attacker establishes persistence mechanisms within the ESXi host, such as creating malicious cron jobs or modifying startup scripts.
  7. Data Exfiltration or Encryption: The attacker exfiltrates sensitive data from virtual machines or deploys ransomware to encrypt virtual machine data.
  8. Impact: The attack results in data loss, system downtime, or financial loss due to ransomware demands.

Impact

Compromising an ESXi host can lead to severe consequences, including the loss of control over virtual machines, data breaches, and significant business disruption. The "ESXi Post Compromise" and "Black Basta Ransomware" analytic stories highlights the potential for this activity to lead to full-scale ransomware deployment. The lack of specific victim numbers or sector targeting makes it difficult to quantify the exact impact, but the criticality of ESXi hosts within an infrastructure suggests a high-impact scenario.

Recommendation

  • Configure ESXi hosts to forward syslog output to your SIEM as described in the "How to Implement" section of the source to enable detection.
  • Deploy the Sigma rule ESXi Shell Access Enabled to your SIEM and tune the esxi_shell_access_enabled_filter macro based on your environment to reduce false positives.
  • Investigate any instances where the ESXi Shell is enabled outside of approved maintenance windows by reviewing the logs identified by the ESXi Shell Access Enabled rule.
  • Monitor for unexpected processes or network connections originating from ESXi hosts to identify potential post-compromise activity using the Detect Outbound Connection from ESXi Host Sigma rule.
  • Implement multi-factor authentication for all ESXi host access to mitigate credential compromise during initial access (TA0001).

Detection coverage 2

ESXi Shell Access Enabled

medium

Detects when the ESXi Shell is enabled on a host via syslog messages.

sigma tactics: lateral_movement techniques: T1021 sources: syslog, vmware

Detect Outbound Connection from ESXi Host

medium

Detects outbound network connections initiated from ESXi host

sigma tactics: command_and_control techniques: T1071.001 sources: network_connection, vmware

Detection queries are available on the platform. Get full rules →