ESXi Encryption Settings Modification
Detection of modifications to ESXi host encryption settings, such as disabling secure boot or executable verification, which may indicate attempts to weaken hypervisor integrity and allow unauthorized code execution.
This detection identifies unauthorized modifications to the encryption settings of VMware ESXi hosts, the esxcli "system settings encryption" namespace that controls whether the host requires secure boot and whether it only executes binaries shipped in installed VIBs. Attackers who set these requirements to false weaken hypervisor integrity enforcement so that unsigned or untrusted code can run on the host and guest virtual machines can be compromised. This activity is typically observed post-compromise, after the attacker has already obtained privileged (root) access to the ESXi host. The detection looks for changes to these enforcement settings in the ESXi syslog messages that record executed shell commands. Successfully weakening the hypervisor lets attackers move laterally, compromise guest VMs, or establish persistent access to the environment. This is especially relevant in environments targeted by ransomware such as Black Basta, which has an ESXi variant.
Attack Chain
- Attacker gains initial access to the ESXi host, potentially through exploiting a vulnerability or using compromised credentials.
- Attacker elevates privileges to root or administrator level on the ESXi host.
- Attacker disables the secure boot requirement with esxcli system settings encryption set --require-secure-boot=false.
- Attacker disables executable verification with esxcli system settings encryption set --require-exec-installed-only=false, so binaries that are not part of an installed VIB can run on the host, bypassing this integrity control.
- Attacker deploys malicious tools or implants on the ESXi host, taking advantage of the weakened security posture.
- Attacker uses the compromised ESXi host as a pivot point to move laterally within the virtualized environment.
- Attacker compromises guest virtual machines, potentially deploying ransomware or exfiltrating sensitive data.
Impact
Successful modification of ESXi encryption settings can lead to a significant compromise of the virtualized environment. Attackers can bypass security controls, execute unauthorized code, and potentially compromise all virtual machines hosted on the affected ESXi host. This can result in data theft, ransomware deployment, and disruption of critical services. This activity is linked to ESXi post-compromise scenarios and has been observed in connection with ransomware groups like Black Basta.
Recommendation
- Enable syslog forwarding from ESXi hosts and ingest the logs with the Splunk Technology Add-on for VMware ESXi Logs, as described in the "How to Implement" section of the source, so that field extraction and CIM compatibility are correct.
- Deploy the Sigma rule "ESXi Encryption Settings Modified" to your SIEM and tune it for your environment to reduce false positives.
- Investigate any alerts generated by this rule, focusing on the dest (destination) field to identify the affected ESXi host.
- Use the provided drilldown searches to view detection results and risk events for the affected ESXi host ("View the detection results for - $dest$" and "View risk events for the last 7 days for - $dest$").
Detection coverage (2 detections)
- ESXi Encryption Settings Modified (high): Detects modifications to critical encryption settings on ESXi hosts, such as disabling secure boot or executable verification.
- ESXi Encryption Settings Modified - User and Command (medium): Detects specific ESXi commands used to modify encryption settings by extracting the user and command from syslog messages.
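The following is an added example, not code from the original page or from Splunk, showing the logic of the two detections above run over constructed ESXi log lines: a high-severity finding when an "esxcli system settings encryption set" command turns the secure boot or installed-only-executable requirement off, and a medium-severity finding, attributed to user and command, for any other change to those settings. The line shape "<timestamp> <host> shell[<pid>]: [<user>]: <command>" is an assumption about forwarded ESXi shell.log messages; check it against your own events and the add-on's field extractions before relying on the field names.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed shape of an ESXi shell.log line as forwarded over syslog:
#   "<timestamp> <host> shell[<pid>]: [<user>]: <command>"
# This is an assumption made for the example, not a documented format guarantee.
SHELL_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dest>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.+)$"
)

ENCRYPTION_SET = "esxcli system settings encryption set"

# esxcli options whose "false" value weakens hypervisor integrity enforcement.
WEAKENING_FLAGS = {
    "--require-secure-boot": "secure boot requirement disabled",
    "--require-exec-installed-only": "execution of binaries outside installed VIBs allowed",
}


@dataclass(frozen=True)
class Finding:
    dest: str
    user: str
    command: str
    severity: str  # "high" for weakening changes, "medium" for other encryption-setting changes
    reasons: Tuple[str, ...]


def parse_shell_line(line: str) -> Optional[Dict[str, str]]:
    """Return ts/dest/user/cmd for a shell.log line, or None for any other log source."""
    m = SHELL_LINE.match(line.strip())
    return m.groupdict() if m else None


def weakening_reasons(cmd: str) -> List[str]:
    """List the integrity controls a command turns off (empty if it turns none off)."""
    if ENCRYPTION_SET not in cmd:
        return []
    reasons = []
    for flag, why in WEAKENING_FLAGS.items():
        # Accept both "--flag=false" and "--flag false" spellings.
        if re.search(re.escape(flag) + r"(?:=|\s+)false\b", cmd, re.IGNORECASE):
            reasons.append(why)
    return reasons


def detect(lines: List[str]) -> List[Finding]:
    """Run both detections over raw log lines and return findings in log order."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_shell_line(line)
        if rec is None:
            continue
        cmd = rec["cmd"]
        reasons = weakening_reasons(cmd)
        if reasons:
            findings.append(Finding(rec["dest"], rec["user"], cmd, "high", tuple(reasons)))
        elif ENCRYPTION_SET in cmd:
            # Any other change to the encryption settings is still attributed to its user.
            findings.append(Finding(rec["dest"], rec["user"], cmd, "medium", ("encryption settings modified",)))
        # "encryption get" and unrelated esxcli commands are not flagged.
    return findings


def by_dest(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings by affected host, the field an analyst pivots on first."""
    out: Dict[str, List[Finding]] = {}
    for f in findings:
        out.setdefault(f.dest, []).append(f)
    return out


# Constructed sample log lines for the example (not real telemetry).
SAMPLE_LOG = [
    "2024-05-02T10:14:03Z esxi01.lab shell[2100321]: [root]: esxcli system settings encryption get",
    "2024-05-02T10:14:21Z esxi01.lab shell[2100321]: [root]: esxcli system settings encryption set "
    "--require-secure-boot=false --require-exec-installed-only=false",
    "2024-05-02T11:02:47Z esxi02.lab shell[2100987]: [vcadmin]: esxcli system settings encryption set "
    "--require-secure-boot true",
    "2024-05-02T11:03:10Z esxi02.lab hostd[2097901]: info hostd[2097901] [Originator@6876 sub=Vimsvc] Ticket issued",
    "2024-05-02T11:05:00Z esxi02.lab shell[2100987]: [vcadmin]: esxcli vm process list",
]

if __name__ == "__main__":
    for dest, items in by_dest(detect(SAMPLE_LOG)).items():
        for f in items:
            print(f"{f.severity:6} {dest} user={f.user} {'; '.join(f.reasons)} :: {f.command}")
```

On the sample input the root session on esxi01.lab produces one high finding with both weakening reasons, while the vcadmin command on esxi02.lab that re-enables secure boot produces only a medium finding; the read-only "encryption get", the hostd event and the unrelated esxcli command produce nothing. Tuning in practice means deciding whether legitimate administration (such as a hardening run that sets the requirements to true) should remain at medium or be suppressed for known maintenance accounts.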