ESXi Host Reverse Shell Detection
This detection identifies reverse shell string patterns on an ESXi host via syslog, potentially indicating a threat actor attempting to establish remote control over the system, which may lead to further compromise such as ransomware deployment.
This brief focuses on detecting reverse shell attempts on VMware ESXi hosts. The detection is triggered by specific command patterns within ESXi syslog data indicative of an attacker attempting to establish remote access. The patterns include bash -i >&, /dev/tcp, /dev/udp, socat exec, and python -c import socket. Successfully establishing a reverse shell allows an attacker to execute commands, move laterally within the network, and potentially deploy ransomware such as Black Basta, as indicated by its presence in related analytic stories. The monitoring of ESXi hosts is crucial due to their central role in virtualized environments.
Attack Chain
- The attacker gains initial access to the ESXi host, possibly through exploiting a known vulnerability or using stolen credentials.
- The attacker attempts to execute a reverse shell command, embedding it within a seemingly benign process or script. Example commands include those using bash, netcat (
/dev/tcp,/dev/udp), socat, or Python'ssocketmodule. - The ESXi host logs the reverse shell command within its syslog.
- The attacker's reverse shell command attempts to establish a TCP or UDP connection back to the attacker-controlled server.
- The attacker uses the reverse shell to execute commands on the ESXi host, potentially escalating privileges.
- The attacker leverages their access to gather information about the virtual environment, including the configuration and location of virtual machines.
- The attacker uses their gained access to laterally move to other systems within the network, including guest VMs.
- The final objective could involve deploying ransomware on the guest VMs or exfiltrating sensitive data.
Impact
A successful reverse shell attack on an ESXi host can lead to complete compromise of the virtualized environment. This includes the potential for data theft, disruption of services, and deployment of ransomware on multiple virtual machines. ESXi compromises are often associated with ransomware campaigns like Black Basta, impacting numerous organizations across various sectors. The severity stems from the centralized role of ESXi in managing virtual infrastructure.
Recommendation
- Configure ESXi hosts to forward syslog output to a central logging server for analysis (VMWare ESXi Syslog data source).
- Deploy the Sigma rules provided in this brief to your SIEM and tune them to reduce false positives in your environment.
- Review and harden ESXi host access controls and patch management procedures to prevent initial access.
- Investigate any alerts triggered by the Sigma rules, focusing on the
destfield (destination IP/hostname) to identify the attacker's target. - Monitor network connections originating from ESXi hosts, specifically looking for unusual outbound traffic patterns (network_connection log source).
Detection coverage 3
ESXi Reverse Shell via Bash
highDetects reverse shell attempts on ESXi hosts using bash.
ESXi Reverse Shell via Python Socket
highDetects reverse shell attempts on ESXi hosts using Python's socket module.
ESXi Reverse Shell via Netcat
highDetects reverse shell attempts on ESXi hosts using Netcat.
Detection queries are available on the platform. Get full rules →