ESXi SSH Enabled Detection
The enabling of SSH on ESXi hosts, as detected in ESXi Syslog, can signal malicious lateral movement by threat actors aiming for persistent access.
This detection identifies when SSH is enabled on VMware ESXi hosts. While SSH can be used legitimately for administrative purposes, its enablement can also be an early warning sign of malicious activity. Attackers might enable SSH to establish persistent remote access following a successful compromise, whether through credential theft, vulnerability exploitation, or other means. This access can then be leveraged for lateral movement, data exfiltration, or other malicious objectives, particularly in ransomware campaigns. The detection uses ESXi syslog data to identify the specific events associated with SSH enablement.
Attack Chain
- Initial compromise of a host within the ESXi environment using an unpatched vulnerability or credential compromise.
- Establish initial foothold and perform reconnaissance of the ESXi environment.
- Elevate privileges on the compromised host, if necessary, to enable SSH.
- Enable SSH access on the ESXi host using the ESXi command-line interface or vSphere client.
- Attacker uses SSH to move laterally within the ESXi environment, accessing other hosts or virtual machines.
- Install malware or tools for data exfiltration or other malicious activities.
- Encrypt virtual machines and demand ransom, characteristic of ransomware attacks.
- Maintain persistent access through SSH to reinfect the environment after recovery attempts.
Impact
Enabling SSH on ESXi hosts by unauthorized actors allows for lateral movement within the virtualized environment. This can lead to the compromise of critical virtual machines, data exfiltration, and potentially a complete ransomware attack. Successfully exploiting this vulnerability can result in significant financial loss, data breach, and reputational damage. The ESXi Post Compromise analytic story highlights the importance of detecting anomalous SSH activity in preventing broader compromise.
Recommendation
- Configure ESXi systems to forward syslog output to a SIEM to capture the required logs for detection (VMWare ESXi Syslog).
- Deploy the Sigma rule
ESXi SSH Enabled Detectionto your SIEM and tune the filter list for false positives specific to your environment. - Investigate any detected SSH enablement events on ESXi hosts immediately to determine if the activity is authorized.
- Review and enforce strict access control policies for ESXi hosts to prevent unauthorized SSH access (T1021.004).
Detection coverage 2
ESXi SSH Enabled Detection
mediumDetects SSH being enabled on ESXi hosts via syslog messages, which may indicate unauthorized access and potential malicious activity.
ESXi SSH Enabled - Destination Extraction
infoExtracts the destination host from ESXi SSH enabled syslog messages.
Detection queries are available on the platform. Get full rules →