Skip to content
Threat Feed
high advisory

ESXi System Clock Manipulation for Evasion

An attacker manipulates the system clock on an ESXi host to potentially evade detection, disrupt logging, or invalidate security controls, as seen in ESXi Post Compromise scenarios and Black Basta ransomware incidents.

Attackers may manipulate the system clock on ESXi hosts to hinder forensic investigations, bypass time-based security controls, or disrupt scheduled tasks. This technique is associated with ESXi Post Compromise scenarios and has been observed in connection with Black Basta ransomware. The manipulation involves altering the system time, potentially using the Network Time Protocol (NTP) or other time synchronization mechanisms. Successful clock manipulation allows attackers to obfuscate their activities and complicates incident response efforts. Defenders must monitor for unexpected system clock changes to detect and respond to potential intrusions.

Attack Chain

  1. The attacker gains initial access to the ESXi host, possibly through compromised credentials or exploiting a vulnerability.
  2. The attacker authenticates to the ESXi host's management interface (e.g., vSphere Web Client or ESXi Shell).
  3. The attacker executes commands via the ESXi Shell (or a similar interface) to modify the system clock. This often involves using the esxcli command or directly interacting with NTP services.
  4. The attacker sets the system clock to a time in the past or future, aiming to invalidate logs or bypass scheduled security checks.
  5. The ESXi host logs the time change event in the system logs, which may include messages referencing "NTPClock" and "system clock stepped."
  6. The attacker performs malicious activities, such as deploying ransomware or exfiltrating data, under the manipulated timestamp.
  7. The attacker attempts to restore the original time after their activity, to further obscure tracks.
  8. The system continues operating with potentially inaccurate timestamps, impacting logging, security controls, and scheduled tasks.

Impact

Successful clock manipulation on an ESXi host can have severe consequences, potentially affecting dozens or hundreds of virtual machines. Attackers can disrupt backups, invalidate security certificates, and make forensic analysis extremely difficult. In the context of ransomware attacks like Black Basta, manipulating the clock can disrupt recovery processes and exacerbate the damage. This also can hide evidence of malware deployment and data exfiltration.

Recommendation

  • Deploy the provided Sigma rule ESXi System Clock Stepping Detection to detect significant ESXi system clock changes based on VMWare ESXi Syslog.
  • Enable and monitor VMWare ESXi Syslog and integrate with a SIEM for centralized logging and analysis.
  • Implement strict access controls and multi-factor authentication for ESXi host management interfaces to prevent unauthorized clock modifications.
  • Investigate any alerts generated by the Sigma rule ESXi Clock Manipulation - Statistical Deviation to identify potential anomalies in ESXi clock behavior.
  • Review historical ESXi system logs for any past instances of clock manipulation, using the search terms specified in the content section of this brief.

Detection coverage 2

ESXi System Clock Stepping Detection

high

Detects significant system clock changes on ESXi hosts, potentially indicating malicious activity.

sigma tactics: defense_evasion techniques: T1070.006 sources: application, vmware

ESXi Clock Manipulation - Statistical Deviation

medium

Detects ESXi clock deviations from normal time synchronization.

sigma tactics: defense_evasion techniques: T1070.006 sources: application, vmware

Detection queries are available on the platform. Get full rules →