ESXi Syslog Configuration Change via esxcli
Detection of ESXi syslog configuration changes using esxcli, potentially indicating an attempt to disrupt logging and evade detection, with known association to Black Basta ransomware.
This threat brief addresses the modification of syslog configurations on ESXi hosts, a tactic frequently employed to disable or redirect logging and evade detection. The activity is detected through the use of esxcli commands altering syslog settings. This is a known technique used by threat actors like the Black Basta ransomware group to hinder incident response and forensic analysis. This activity specifically targets VMware ESXi environments and aims to compromise the integrity of security logs, creating blind spots for defenders. The ability to manipulate system logging is a critical step in a larger attack campaign, as it allows threat actors to operate with less visibility.
Attack Chain
- Initial Access: The attacker gains initial access to the ESXi host, potentially through exploiting a vulnerability or using compromised credentials.
- Privilege Escalation: The attacker escalates privileges to gain administrative access to the ESXi host.
- Discovery: The attacker uses commands to enumerate the current syslog configuration.
- Defense Evasion: The attacker uses
esxclito modify the syslog configuration, redirecting logs or disabling them entirely. This command will contain "syslog config set" and "esxcli". - Persistence: The attacker may configure the changes to persist through reboots, further hindering detection.
- Lateral Movement: With logging disabled, the attacker moves laterally within the environment to compromise additional systems.
- Data Encryption: The attacker deploys ransomware, encrypting critical data on the compromised ESXi hosts.
- Exfiltration/Ransom: The attacker may exfiltrate data before encryption and demand a ransom for decryption keys and to prevent data release.
Impact
Successful modification of ESXi syslog configurations allows attackers to operate undetected within the environment. This can lead to prolonged dwell time, increased data exfiltration, and widespread ransomware deployment. Organizations that fail to detect this activity are at significant risk of suffering a major security incident, resulting in data loss, financial damage, and reputational harm. The ESXi Post Compromise analytic story highlights the potential impact of this attack.
Recommendation
- Configure your ESXi systems to forward syslog output to your Splunk deployment, as required by the "how_to_implement" section of the original detection.
- Deploy the provided Sigma rules to your SIEM to detect ESXi syslog configuration changes and tune them for your specific environment.
- Investigate any alerts generated by the Sigma rules, focusing on the user and destination involved in the configuration change.
- Review the analytic story "ESXi Post Compromise" to identify related attack patterns and improve overall detection capabilities.
Detection coverage 2
ESXi Syslog Config Change Detected
highDetects changes to the syslog configuration on an ESXi host using esxcli.
ESXi Syslog Config Change User and Destination
mediumDetects changes to the syslog configuration on an ESXi host using esxcli and extracts the user and destination.
Detection queries are available on the platform. Get full rules →