ESXi Loghost Configuration Tampering
An attacker modifies the ESXi host's syslog configuration to disrupt log forwarding, potentially evading detection and hindering incident response.
Attackers targeting VMware ESXi infrastructure may tamper with the syslog configuration to disable or redirect logging. This activity, typically performed post-compromise, aims to hinder incident responders by preventing them from collecting crucial forensic data, letting the attacker operate with less visibility and increasing the dwell time and impact of the intrusion. Detection for this threat focuses on modifications to Syslog.global.logHost and Syslog.global.logdir, the key configuration parameters for syslog forwarding on ESXi hosts. The attack is detected using ESXi syslog data, typically ingested and processed with the Splunk Technology Add-on for VMware ESXi Logs. This technique can be part of ransomware campaigns such as Black Basta.
Attack Chain
- Initial access to the ESXi host is achieved through exploitation of a vulnerability, stolen credentials, or other means.
- The attacker escalates privileges to gain administrative access on the ESXi host.
- The attacker modifies the ESXi syslog configuration using esxcli commands or direct manipulation of configuration files. Specifically, Syslog.global.logHost (the syslog server) and Syslog.global.logdir (the log directory) are targeted.
- The attacker disables remote syslog forwarding by setting Syslog.global.logHost to an invalid or inaccessible address. Alternatively, they might redirect logs to a location they control.
- The attacker modifies the log directory by altering the value of Syslog.global.logdir.
- The attacker then proceeds with their primary objective, such as deploying ransomware or exfiltrating sensitive data, under reduced scrutiny.
- Incident responders find difficulty in reconstructing the attack timeline due to missing or incomplete log data.
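The detection described above, as an added example that is not part of the original page or of any vendor rule set: a small Python detector that runs over forwarded ESXi syslog lines, picks out changes to Syslog.global.logHost and Syslog.global.logdir, records the source host (dest) and the new value, and classifies a loghost change as disabled (empty or loopback), redirected (not an approved collector), or benign. The sample lines are constructed; the RFC 5424-style header mirrors what ESXi forwards, but the exact wording of the hostd message body and the `approved_loghosts` list are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample syslog lines (not real captures). The header layout follows
# the RFC 5424-style prefix ESXi uses when forwarding; the message body wording
# is an assumption for illustration, not a verbatim hostd string.
SAMPLE_LOGS = [
    "<166>2024-05-02T10:14:03.118Z esxi01.lab.example Hostd: info hostd[2098890] "
    "[Originator@6876 sub=Vimsvc.ha-eventmgr] Event 42 : User root logged in",
    "<166>2024-05-02T10:15:11.402Z esxi01.lab.example Hostd: info hostd[2098890] "
    "[Originator@6876 sub=Hostsvc.AdvancedOptions] Set advanced option Syslog.global.logHost to 'udp://127.0.0.1:514'",
    "<166>2024-05-02T10:15:12.877Z esxi01.lab.example Hostd: info hostd[2098890] "
    "[Originator@6876 sub=Hostsvc.AdvancedOptions] Set advanced option Syslog.global.logDir to '/tmp/scratch'",
    "<166>2024-05-02T10:16:40.001Z esxi02.lab.example Hostd: info hostd[1182] "
    "[Originator@6876 sub=Hostsvc.AdvancedOptions] Set advanced option Syslog.global.logHost to 'tcp://siem.corp.example:514'",
    "<166>2024-05-02T10:17:00.000Z esxi03.lab.example Hostd: info hostd[999] "
    "[Originator@6876 sub=Hostsvc.AdvancedOptions] Set advanced option Syslog.global.logHost to ''",
]

# <PRI>TIMESTAMP HOST PROC: MSG
HEADER = re.compile(r"^<\d+>(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^:]+):\s+(?P<msg>.*)$")
# Advanced option key followed by its new value; case-insensitive so that both the
# page's spelling (logdir) and the camel-cased form (logDir) are caught.
OPTION = re.compile(
    r"(?P<key>Syslog\.global\.(?:logHost|logDir))\b.*?(?:to|=)\s*'?(?P<value>[^'\s]*)'?",
    re.IGNORECASE,
)
# Severities mirror the two rules listed under "Detection coverage".
SEVERITY = {"syslog.global.loghost": "high", "syslog.global.logdir": "medium"}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


@dataclass
class Finding:
    dest: str        # ESXi host that emitted the event
    timestamp: str
    key: str
    new_value: str
    severity: str
    note: str


def classify_loghost(value: str, approved: set[str]) -> str:
    """Describe what a new Syslog.global.logHost value does to forwarding."""
    if value == "":
        return "forwarding disabled (empty loghost)"
    m = re.match(r"(?:(?:udp|tcp|ssl)://)?(?P<hostname>[^:/]+)", value, re.I)
    hostname = (m.group("hostname") if m else value).lower()
    if hostname in LOOPBACK:
        return "forwarding disabled (loopback loghost)"
    if hostname not in approved:
        return "forwarding redirected to unapproved host"
    return "loghost set to an approved collector"


def detect(lines, approved_loghosts) -> list[Finding]:
    """Return one Finding per syslog line that changes a monitored option."""
    approved = {h.lower() for h in approved_loghosts}
    findings = []
    for line in lines:
        h = HEADER.match(line)
        if not h:
            continue
        o = OPTION.search(h.group("msg"))
        if not o:
            continue
        key, value = o.group("key"), o.group("value")
        if key.lower() == "syslog.global.loghost":
            note = classify_loghost(value, approved)
        else:
            note = "log directory changed"
        findings.append(Finding(h.group("host"), h.group("ts"), key, value,
                                SEVERITY[key.lower()], note))
    return findings


if __name__ == "__main__":
    # "siem.corp.example" is an assumed name for the organisation's collector.
    for f in detect(SAMPLE_LOGS, ["siem.corp.example"]):
        print(f"[{f.severity}] {f.timestamp} dest={f.dest} {f.key}={f.new_value!r}: {f.note}")
```

The approved-collector list is what turns a noisy "option changed" alert into a triage-ready one: an empty or loopback value is the disable case from the attack chain, an unknown host is the redirect case, and a change to the real SIEM is probably an administrator.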
Impact
Successful tampering with ESXi loghost configurations can significantly impair an organization's ability to detect and respond to security incidents. By disrupting log forwarding, attackers can effectively blind security teams, allowing them to operate undetected for extended periods. This can lead to delayed detection of ransomware deployments, data breaches, and other malicious activities, increasing the potential for financial loss, reputational damage, and operational disruption. ESXi post-compromise activity of this kind can lead to Black Basta ransomware deployment.
Recommendation
- Deploy the provided Sigma rules to your SIEM to detect ESXi loghost configuration tampering and tune them for your environment.
- Configure your ESXi systems to forward syslog output to a centralized logging server and ingest using the Splunk Technology Add-on for VMware ESXi Logs as specified in the “how_to_implement” section.
- Investigate any alerts generated by the Sigma rules, focusing on the source ESXi host (dest) and the modified loghost configuration values.
- Monitor ESXi host configuration changes for unexpected modifications to the syslog settings.
- Implement strict access controls and multi-factor authentication for ESXi hosts to prevent unauthorized configuration changes.
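The monitoring recommendation above checks the live configuration rather than the event stream. As an added example (not code from the original page), here is a baseline audit over the output of `esxcli system syslog config get`, which reports the current remote loghost and local log directory on each host. The snapshots are constructed samples with only the relevant fields; the field labels follow that command's `key: value` layout, and the baseline values (`siem.corp.example`, `/scratch/log`) are assumptions to be replaced with the organisation's own.

```python
import re

# Constructed samples of `esxcli system syslog config get` output from two hosts
# (not real captures), trimmed to the fields the audit looks at.
SNAPSHOTS = {
    "esxi01.lab.example": """
   Check Certificate Revocation: false
   Local Log Output: /tmp/scratch
   Local Log Output Is Persistent: false
   Remote Host: udp://127.0.0.1:514
""",
    "esxi02.lab.example": """
   Check Certificate Revocation: false
   Local Log Output: /scratch/log
   Local Log Output Is Persistent: true
   Remote Host: tcp://siem.corp.example:514
""",
}

# Assumed organisational baseline.
BASELINE = {
    "approved_remote_hosts": {"siem.corp.example"},
    "local_log_output": "/scratch/log",
}
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_syslog_config(text: str) -> dict[str, str]:
    """Turn the `   Key: value` lines of the esxcli output into a dict."""
    cfg = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")   # split on the first colon only
        cfg[key.strip()] = value.strip()      # so "tcp://host:514" stays intact
    return cfg


def audit_host(text: str, baseline: dict) -> list[str]:
    """Compare one host's syslog configuration against the baseline."""
    cfg = parse_syslog_config(text)
    issues = []

    # ESXi accepts a comma-separated list of remote hosts in Remote Host.
    remote = cfg.get("Remote Host", "")
    hosts = [h.strip() for h in remote.split(",") if h.strip()]
    if not hosts:
        issues.append("no remote loghost configured")
    for h in hosts:
        hostname = re.sub(r"^(?:udp|tcp|ssl)://", "", h, flags=re.I).split(":")[0].lower()
        if hostname in LOOPBACK:
            issues.append(f"loghost points at loopback: {h}")
        elif hostname not in baseline["approved_remote_hosts"]:
            issues.append(f"loghost not in approved set: {h}")

    local = cfg.get("Local Log Output")
    if local != baseline["local_log_output"]:
        issues.append(f"log directory drifted: {local}")
    if cfg.get("Local Log Output Is Persistent", "").lower() == "false":
        issues.append("local log output is non-persistent (lost on reboot)")
    return issues


def audit_all(snapshots: dict[str, str], baseline: dict) -> dict[str, list[str]]:
    """Audit every host snapshot; hosts with an empty list are in baseline."""
    return {name: audit_host(text, baseline) for name, text in snapshots.items()}


if __name__ == "__main__":
    for host, issues in audit_all(SNAPSHOTS, BASELINE).items():
        print(host, "OK" if not issues else "; ".join(issues))
```

Run this periodically from a management host that collects the command output over SSH or the vSphere API and diff the result against the previous run; a host that was in baseline and suddenly reports a loopback loghost or a drifted directory is the same signal the Sigma rules raise, obtained even when the syslog stream itself has already been cut.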
Detection coverage (2 rules)
ESXi Syslog Loghost Configuration Tampering
Severity: high. Detects modifications to the syslog loghost configuration on an ESXi host.
ESXi Syslog Log Directory Tampering
Severity: medium. Detects modifications to the syslog log directory on an ESXi host.