Skip to content
Threat Feed
high advisory

ESXi Sensitive File Access Attempt

An adversary attempts to access sensitive system and configuration files on an ESXi host, potentially for reconnaissance, credential harvesting, privilege escalation, lateral movement, or persistence.

This threat brief focuses on unauthorized access attempts to sensitive files on VMware ESXi hosts. These files include critical system configurations, authentication databases, and VMware-specific settings. The activity, if successful, can provide adversaries with deep insights into the ESXi environment, enabling credential compromise, privilege escalation, lateral movement, and persistent access. This activity is often associated with post-compromise stages in attacks targeting virtualized infrastructure. The targeting of these files is seen across various threat actors and ransomware groups. Defenders should prioritize monitoring access to these sensitive files to detect and respond to potential intrusions.

Attack Chain

  1. The attacker gains initial access to the ESXi host through an exploit or compromised credentials.
  2. The attacker executes commands to browse the file system, specifically targeting directories like /etc/, /etc/vmware/, and /etc/likewise/.
  3. The attacker attempts to read sensitive files such as /etc/shadow to harvest user credentials.
  4. The attacker accesses configuration files like /etc/vmware/hostd/hostd.xml to understand the host's configuration and services.
  5. The attacker targets /etc/vmware/vpxa/vpxa.cfg to gather information about the vCenter connection.
  6. The attacker may access /etc/security/* for security related information.
  7. The attacker analyzes the acquired information to identify potential vulnerabilities or misconfigurations.
  8. The attacker uses the harvested credentials and configuration details to escalate privileges, move laterally within the environment, or establish persistent access.

Impact

Successful access to these sensitive files can lead to complete compromise of the ESXi host and the virtual machines it hosts. This can result in data theft, service disruption, ransomware deployment, and significant financial and reputational damage. Organizations in all sectors using VMware ESXi infrastructure are potentially at risk.

Recommendation

  • Enable Syslog forwarding from ESXi hosts to a central logging server for the detection rule to work.
  • Deploy the Sigma rule ESXi Sensitive Files Accessed to your SIEM and tune for your environment.
  • Investigate any alerts generated by the ESXi Sensitive Files Accessed rule, focusing on the source and destination involved.

Detection coverage 2

ESXi Sensitive Files Accessed

high

Detects access to sensitive system and configuration files on an ESXi host.

sigma tactics: credential_access, discovery techniques: T1003.008, T1005 sources: syslog, vmware

ESXi Sensitive Files Accessed - User Extraction

medium

Detects access to sensitive system and configuration files on an ESXi host and extracts the user.

sigma tactics: credential_access, discovery techniques: T1003.008, T1005 sources: syslog, vmware

Detection queries are available on the platform. Get full rules →