ESXi VM Exfiltration via Remote Tool
Attackers or malicious insiders may leverage remote tools and the NFC protocol to download virtual machine disk files from ESXi datastores, potentially leading to sensitive data exfiltration.
This brief addresses the threat of malicious actors exfiltrating virtual machine disk files from ESXi datastores using remote tools. This technique abuses the Network File Copy (NFC) protocol, which is typically used by legitimate management tools for transferring files to and from ESXi hosts. Attackers can exploit this protocol to steal full virtual disk images, potentially gaining access to sensitive data, configurations, and credentials stored within the VMs. The risk is heightened in environments where ESXi hosts are exposed to internal networks or where insider threats are a concern. This behavior is also associated with post-compromise activity related to ransomware groups such as Black Basta. Defenders should monitor for unusual NFC traffic and unauthorized access to virtual disk files.
Attack Chain
- Attacker gains initial access to the network or obtains valid credentials for ESXi hosts.
- Attacker identifies a target ESXi host and datastore containing valuable virtual machine disk files.
- The attacker uses a remote tool (potentially masquerading as a legitimate management utility) to initiate an NFC session with the ESXi host.
- The remote tool issues commands to locate and select the target VMDK files within the datastore, using the VM path to identify the target.
- The attacker initiates a file download operation using the NFC protocol to transfer the VMDK files to a remote location.
- The ESXi host logs the file download event, including the initiator's IP address, tool name, and destination.
- The attacker exfiltrates the downloaded VMDK files from the remote location.
- The attacker mounts and analyzes the VMDK files to extract sensitive data or gain further access to the environment.
Impact
Successful exfiltration of virtual machine disk files can have severe consequences. Attackers can gain access to sensitive data stored within the VMs, including customer data, financial records, and intellectual property. This can lead to data breaches, financial losses, and reputational damage. The exfiltration can also provide attackers with credentials and configuration information that can be used to further compromise the environment. The activity is also associated with ransomware groups such as Black Basta, which may encrypt systems after data exfiltration.
Recommendation
- Enable Syslog on ESXi hosts and forward logs to a SIEM for analysis to detect the attack chain described above.
- Deploy the Sigma rule
ESXi VM Exported via Remote Tool Detectionto identify unauthorized VMDK downloads (VMWare ESXi Syslog). - Investigate any alerts generated by the Sigma rule, focusing on unusual source IPs, destination hosts, and remote tools (ESXi Syslog).
- Implement network segmentation and access controls to restrict access to ESXi hosts and datastores, mitigating the risk of unauthorized exfiltration (Network).
- Monitor for network traffic indicative of large file transfers from ESXi hosts to unusual destinations (network_connection).
Detection coverage 2
ESXi VM Exported via Remote Tool Detection
highDetects the use of a remote tool to download virtual machine disk files from a datastore using ESXi syslog data.
ESXi VM Exported - Destination Filename
mediumThis detection identifies if a file copy is made from the ESXi datastore which could be used to export a VM.
Detection queries are available on the platform. Get full rules →