ESXi Sensitive File Access Attempt
An adversary attempts to access sensitive system and configuration files on an ESXi host, potentially for reconnaissance, credential harvesting, privilege escalation, lateral movement, or persistence.
This threat brief focuses on unauthorized access attempts to sensitive files on VMware ESXi hosts. These files include critical system configurations, authentication databases, and VMware-specific settings. The activity, if successful, can provide adversaries with deep insights into the ESXi environment, enabling credential compromise, privilege escalation, lateral movement, and persistent access. This activity is often associated with post-compromise stages in attacks targeting virtualized infrastructure. The targeting of these files is seen across various threat actors and ransomware groups. Defenders should prioritize monitoring access to these sensitive files to detect and respond to potential intrusions.
Attack Chain
- The attacker gains initial access to the ESXi host through an exploit or compromised credentials.
- The attacker executes commands to browse the file system, specifically targeting directories like
/etc/,/etc/vmware/, and/etc/likewise/. - The attacker attempts to read sensitive files such as
/etc/shadowto harvest user credentials. - The attacker accesses configuration files like
/etc/vmware/hostd/hostd.xmlto understand the host's configuration and services. - The attacker targets
/etc/vmware/vpxa/vpxa.cfgto gather information about the vCenter connection. - The attacker may access
/etc/security/*for security related information. - The attacker analyzes the acquired information to identify potential vulnerabilities or misconfigurations.
- The attacker uses the harvested credentials and configuration details to escalate privileges, move laterally within the environment, or establish persistent access.
Impact
Successful access to these sensitive files can lead to complete compromise of the ESXi host and the virtual machines it hosts. This can result in data theft, service disruption, ransomware deployment, and significant financial and reputational damage. Organizations in all sectors using VMware ESXi infrastructure are potentially at risk.
Recommendation
- Enable Syslog forwarding from ESXi hosts to a central logging server for the detection rule to work.
- Deploy the Sigma rule
ESXi Sensitive Files Accessedto your SIEM and tune for your environment. - Investigate any alerts generated by the
ESXi Sensitive Files Accessedrule, focusing on the source and destination involved.
Detection coverage 2
ESXi Sensitive Files Accessed
highDetects access to sensitive system and configuration files on an ESXi host.
ESXi Sensitive Files Accessed - User Extraction
mediumDetects access to sensitive system and configuration files on an ESXi host and extracts the user.
Detection queries are available on the platform. Get full rules →