Skip to content
Threat Feed
medium advisory

Detection of Failed ESXi File Downloads

This detection identifies failed file download attempts on ESXi hosts by looking for specific error messages in system logs, potentially indicating unauthorized attempts to install malicious components or scripts.

This detection focuses on identifying anomalous file download behavior on VMware ESXi hosts. It uses ESXi system logs to detect specific error messages related to failed download attempts. These errors might indicate unauthorized attempts to install or update components like VIBs or scripts, potentially signaling malicious activity such as post-compromise actions or ransomware deployment, as seen in cases like Black Basta. The detection aims to identify potential threats early by monitoring download errors that deviate from normal system administration activities, helping defenders prevent further compromise.

Attack Chain

  1. Attacker gains initial access to the ESXi host, possibly through credential compromise or exploiting a vulnerability.
  2. Attacker attempts to download a malicious VIB package or script to the ESXi host.
  3. The ESXi host attempts to download the file from a remote server.
  4. The download fails due to various reasons, such as network issues, incorrect URL, or access restrictions.
  5. The ESXi host logs an error message indicating the failed download attempt, such as "Download failed", "Failed to download file", "File download error", or "Could not download".
  6. The attacker may attempt to download the file again, possibly using a different method or URL.
  7. If the download eventually succeeds, the attacker proceeds to install and execute the malicious component.
  8. If the download repeatedly fails, the attacker might pivot to other methods of compromising the ESXi host, such as directly uploading malicious files or exploiting other vulnerabilities.

Impact

Successful exploitation following a failed download attempt may lead to the installation of malicious software on the ESXi host, potentially compromising virtual machines hosted on it. This could lead to data theft, ransomware deployment affecting multiple virtual machines, denial of service, or complete control over the ESXi host and its associated virtual infrastructure. While the detection focuses on failed downloads, it highlights a potential attempt that requires further investigation, before a potential compromise of critical infrastructure.

Recommendation

  • Configure ESXi hosts to forward syslog output to a centralized logging system like Splunk for comprehensive monitoring, as indicated in the "How to Implement" section.
  • Deploy the Sigma rule provided below to your SIEM and tune for your environment to detect the specific error messages associated with failed downloads.
  • Investigate any alerts generated by the Sigma rule to determine the root cause of the failed download attempts, focusing on the destination (dest field) of the attempted download.
  • Review and harden ESXi access controls to prevent unauthorized users from initiating file downloads.
  • Monitor network traffic for suspicious outbound connections from ESXi hosts, especially to unusual or untrusted destinations, complementing the network_connection Sigma rule below.
  • Implement multi-factor authentication for all ESXi administrative accounts to mitigate credential compromise, the likely initial access vector.

Detection coverage 2

Detect ESXi Download Errors via Syslog

medium

Detects failed file download attempts on ESXi hosts based on specific error messages in syslog.

sigma tactics: defense_evasion, initial_access techniques: T1562.001, T1601.001 sources: syslog, vmware

Detect Suspicious ESXi Outbound Network Connection

medium

Detects suspicious outbound network connections from ESXi hosts, potentially indicating malicious activity.

sigma tactics: command_and_control techniques: T1071.001 sources: network_connection, vmware

Detection queries are available on the platform. Get full rules →