ESXi System Information Discovery via ESXCLI
Adversaries may use ESXCLI system-level commands to retrieve configuration details on VMware ESXi hosts for reconnaissance purposes, potentially leading to further compromise.
This threat brief focuses on the use of ESXCLI commands to gather system information on VMware ESXi hosts. While ESXCLI is a legitimate tool for system administration, malicious actors can leverage it to perform reconnaissance activities. This includes profiling the ESXi host's capabilities, build information, and system role. Such information gathering is often a precursor to further malicious activities, such as exploiting vulnerabilities or deploying ransomware like Black Basta. The technique is identified via analysis of VMWare ESXi Syslog events.
Attack Chain
- The attacker gains initial access to a system with ESXCLI execution capabilities, potentially through compromised credentials or a vulnerability.
- The attacker executes ESXCLI commands with "get" or "list" parameters to query system information.
- Specific commands like
esxcli system version getoresxcli hardware memory getare used to gather details about the ESXi host. - The ESXi host logs the execution of these commands in its syslog, recording the user, command, and destination.
- The attacker analyzes the gathered information to identify potential vulnerabilities, misconfigurations, or weaknesses in the ESXi environment.
- Based on the reconnaissance findings, the attacker plans subsequent actions, such as exploiting identified vulnerabilities.
- The attacker attempts lateral movement to other ESXi hosts or virtual machines within the environment.
- The final objective could involve deploying ransomware, exfiltrating sensitive data, or disrupting critical services.
Impact
Successful reconnaissance of ESXi hosts can provide attackers with critical information needed to compromise the entire virtualized environment. This can lead to data breaches, service disruptions, and significant financial losses. VMware ESXi infrastructure is present in a wide array of organizations across various sectors, making this reconnaissance technique a broad concern. The Black Basta ransomware group has been known to target ESXi environments, highlighting the real-world consequences of successful ESXi compromise.
Recommendation
- Configure ESXi hosts to forward syslog output to a centralized logging system for analysis (VMWare ESXi Syslog).
- Deploy the Sigma rule
ESXi System Information Discoveryto detect suspicious ESXCLI command execution in your SIEM. - Review and tune the
ESXi System Information Discoveryrule to minimize false positives based on legitimate administrator activity. - Investigate any alerts generated by the
ESXi System Information Discoveryrule to determine if the activity is authorized.
Detection coverage 2
ESXi System Information Discovery
mediumDetects the use of ESXCLI system-level commands to retrieve configuration details on ESXi hosts.
ESXi ESXCLI Command Execution with Destination
infoDetects ESXCLI command execution on ESXi with destination information.
Detection queries are available on the platform. Get full rules →