<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ESXi — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/esxi/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/esxi/feed.xml" rel="self" type="application/rss+xml"/><item><title>ESXi VIB Acceptance Level Tampering Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-esxi-vib-tampering/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-esxi-vib-tampering/</guid><description>This detection identifies changes to the VIB (vSphere Installation Bundle) acceptance level on an ESXi host, potentially allowing the installation of unsigned or unverified software and lowering the system's integrity enforcement.</description><content:encoded><![CDATA[<p>This threat brief focuses on detecting tampering with the vSphere Installation Bundle (VIB) acceptance level on ESXi hosts. Attackers may attempt to modify the VIB acceptance level, typically using the <code>esxcli software acceptance set</code> command, to bypass security controls and install malicious or unsigned software. The default acceptance levels ensure that only VMware-approved or trusted vendor-signed packages are installed, maintaining system integrity. 
By lowering this level, for example, to &ldquo;CommunitySupported&rdquo;, an attacker can introduce unsigned VIBs, potentially leading to persistent compromise, data exfiltration, or disruption of virtualized workloads. This activity is often observed post-compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access to the ESXi host is gained through an exploit or stolen credentials.</li>
<li>The attacker elevates privileges to execute commands with <code>shell</code> access.</li>
<li>The attacker uses the <code>esxcli software acceptance set</code> command to modify the VIB acceptance level, potentially setting it to <code>CommunitySupported</code> to allow unsigned VIBs.</li>
<li>The attacker installs a malicious VIB package onto the ESXi host.</li>
<li>The malicious VIB executes its payload, which could include installing a backdoor, modifying system configurations, or stealing data.</li>
<li>The attacker attempts to maintain persistence by hiding the malicious VIB or creating scheduled tasks.</li>
<li>The attacker leverages the compromised ESXi host to move laterally within the virtualized environment, targeting other virtual machines.</li>
<li>The attacker achieves their final objective, such as deploying ransomware or exfiltrating sensitive data from the virtualized environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of the VIB acceptance level can lead to the installation of malicious software on ESXi hosts, resulting in the compromise of virtual machines and the entire virtualized infrastructure. This can lead to data breaches, system instability, and significant operational disruption. The Black Basta ransomware group has been known to target ESXi environments, highlighting the importance of detecting this type of activity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable ESXi syslog forwarding to a central log management system to capture relevant events (data_source: &ldquo;VMWare ESXi Syslog&rdquo;).</li>
<li>Deploy the Sigma rule <code>ESXi VIB Acceptance Level Tampering</code> to detect changes to the VIB acceptance level (rule: &ldquo;ESXi VIB Acceptance Level Tampering&rdquo;).</li>
<li>Monitor ESXi hosts for unusual process execution and file modifications, especially related to VIB installation (rule: &ldquo;Suspicious ESXi VIB Installation&rdquo;).</li>
<li>Investigate any instances of the <code>esxcli software acceptance set</code> command being used (rule: &ldquo;ESXi VIB Acceptance Level Tampering&rdquo;).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vmware</category><category>esxi</category><category>vib</category><category>tampering</category><category>post-compromise</category><category>ransomware</category></item><item><title>ESXi Syslog Configuration Changes via esxcli</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-esxi-syslog-config-change/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-esxi-syslog-config-change/</guid><description>Detection of ESXi syslog configuration changes via esxcli command, potentially indicating an attempt to disrupt logging and evade detection.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of unauthorized or malicious changes to the syslog configuration of VMware ESXi hosts. Attackers may attempt to modify syslog settings to disable or redirect logging, thereby hindering incident response and forensic analysis. The specific technique involves using the <code>esxcli</code> command-line utility, a powerful tool for managing ESXi hosts. Successful modification of the syslog configuration allows attackers to operate with reduced visibility, potentially leading to prolonged compromise and data exfiltration. This activity can be an indicator of post-compromise activity, and has been observed in association with ransomware campaigns like Black Basta.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access to the ESXi host is achieved via compromised credentials or exploitation of a vulnerability.</li>
<li>The attacker authenticates to the ESXi host, potentially escalating privileges if necessary.</li>
<li>The attacker uses <code>esxcli</code> to query the current syslog configuration to understand the existing setup.</li>
<li>The attacker uses <code>esxcli</code> to modify the syslog configuration, potentially changing the remote host, protocol, or port.</li>
<li>The attacker disables or redirects syslog forwarding to a malicious or attacker-controlled server.</li>
<li>The attacker verifies the syslog configuration changes using <code>esxcli</code> or by observing the absence of logs at the original destination.</li>
<li>The attacker proceeds with other malicious activities, such as lateral movement, data exfiltration, or ransomware deployment, with reduced risk of detection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of ESXi syslog configurations can severely impair an organization&rsquo;s ability to detect and respond to security incidents. This can lead to delayed detection of breaches, prolonged dwell time for attackers, and increased damage from ransomware or data theft. The consequences include significant financial losses, reputational damage, and regulatory penalties. This technique is observed post-compromise, used to evade detection in ransomware campaigns like Black Basta.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable ESXi syslog forwarding to a centralized logging server and monitor for configuration changes as described in the overview.</li>
<li>Deploy the provided Sigma rule <code>ESXi Syslog Config Change</code> to detect unauthorized modifications to the syslog configuration (rule ID: <code>esxi_syslog_config_change</code>).</li>
<li>Implement strict access control policies for ESXi hosts and monitor for anomalous login activity to prevent initial access.</li>
<li>Review and harden ESXi host configurations according to VMware security best practices.</li>
<li>Ensure that the Splunk Technology Add-on for VMware ESXi Logs is properly configured to parse and ingest syslog data (see How To Implement).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esxi</category><category>syslog</category><category>vmware</category><category>defense-evasion</category><category>t1562.003</category><category>t1690</category><category>black-basta</category></item><item><title>ESXi Firewall Disabled Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-esxi-firewall-disabled/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-esxi-firewall-disabled/</guid><description>This detection identifies when the ESXi firewall is disabled or set to permissive mode, potentially exposing the host to unauthorized access and network-based attacks, often preceding lateral movement, data exfiltration, or malware installation.</description><content:encoded><![CDATA[<p>The disabling of the ESXi firewall can expose critical infrastructure to significant risk. Threat actors often disable or weaken the ESXi firewall to facilitate lateral movement within the environment, enabling them to access sensitive data or install malicious software. This detection focuses on identifying instances where the ESXi firewall has been disabled, based on syslog data. The ESXi firewall is a critical component for securing the ESXi hypervisor, which is the foundation for virtualized environments. Disabling it creates a direct path for attackers to compromise the host and any virtual machines running on it. This activity can be associated with ransomware campaigns like Black Basta, and also China-Nexus threat activity, highlighting the diverse range of adversaries who may employ this technique.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Compromise:</strong> An attacker gains initial access to the network through various means, such as exploiting a vulnerability in a network service or through compromised credentials.</li>
<li><strong>Privilege Escalation:</strong> The attacker escalates privileges to gain administrative access within the ESXi environment. This might involve exploiting vulnerabilities in the ESXi software or leveraging misconfigured permissions.</li>
<li><strong>Firewall Configuration Modification:</strong> Using elevated privileges, the attacker disables the ESXi firewall or sets it to a permissive mode. This can be achieved via command-line tools or the vSphere client.</li>
<li><strong>Lateral Movement:</strong> With the firewall disabled, the attacker can now move laterally within the ESXi environment, accessing other virtual machines and ESXi hosts on the network.</li>
<li><strong>Data Exfiltration:</strong> The attacker identifies and exfiltrates sensitive data from the compromised virtual machines. This data can include customer data, financial records, or intellectual property.</li>
<li><strong>Malware Installation:</strong> The attacker installs malicious software, such as ransomware, on the compromised virtual machines or ESXi hosts.</li>
<li><strong>Ransomware Deployment / System Corruption:</strong> The installed ransomware encrypts the data on the compromised systems, rendering them inaccessible until a ransom is paid. Alternatively, the attacker may corrupt critical system files, causing system instability or failure.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to a complete compromise of the ESXi environment. Disabling the firewall can expose all virtual machines and ESXi hosts to unauthorized access, leading to data breaches, ransomware attacks, and significant disruption of services. Organizations that rely heavily on virtualization, such as cloud service providers and large enterprises, are particularly vulnerable. The impact could include significant financial losses, reputational damage, and legal liabilities.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Configure ESXi systems to forward syslog output to a SIEM and ensure it is ingested with the appropriate Splunk Technology Add-on for VMware ESXi Logs to enable the correlation of ESXi firewall status changes (reference: <code>esxi_syslog</code> data source).</li>
<li>Deploy the provided Sigma rule to your SIEM to detect instances where the ESXi firewall is disabled (reference: Sigma rule).</li>
<li>Investigate any alerts generated by this rule promptly to determine the root cause and scope of the compromise (reference: Sigma rule).</li>
<li>Review and harden ESXi security configurations to minimize the risk of unauthorized access and privilege escalation (reference: description).</li>
<li>Implement multi-factor authentication for all ESXi administrative accounts to prevent credential compromise (reference: description).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esxi</category><category>firewall</category><category>lateral_movement</category><category>data_exfiltration</category><category>ransomware</category><category>attack.defense_evasion</category></item><item><title>ESXi Encryption Settings Modification</title><link>https://feed.craftedsignal.io/briefs/2024-01-esxi-encryption-modified/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-esxi-encryption-modified/</guid><description>Detection of modifications to ESXi host encryption settings, such as disabling secure boot or executable verification, which may indicate attempts to weaken hypervisor integrity and allow unauthorized code execution.</description><content:encoded><![CDATA[<p>This detection identifies unauthorized modifications to critical encryption settings on VMware ESXi hosts. Attackers may attempt to weaken hypervisor security by disabling settings such as secure boot or executable verification, allowing them to execute malicious code or compromise virtual machines. This activity is typically observed post-compromise, where the attacker has already gained privileged access to the ESXi host. The detection focuses on changes to encryption enforcement settings via ESXi syslog messages. Successfully weakening the hypervisor allows attackers to move laterally, compromise guest VMs, or establish persistent access to the environment. This is especially relevant in environments targeted by ransomware such as Black Basta.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the ESXi host, potentially through exploiting a vulnerability or using compromised credentials.</li>
<li>Attacker elevates privileges to root or administrator level on the ESXi host.</li>
<li>Attacker modifies ESXi host configuration to disable secure boot using <code>esxcli</code> commands.</li>
<li>Attacker modifies ESXi host settings to allow execution of unsigned or unverified code, bypassing security controls.</li>
<li>Attacker deploys malicious tools or implants on the ESXi host, taking advantage of the weakened security posture.</li>
<li>Attacker uses the compromised ESXi host as a pivot point to move laterally within the virtualized environment.</li>
<li>Attacker compromises guest virtual machines, potentially deploying ransomware or exfiltrating sensitive data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of ESXi encryption settings can lead to a significant compromise of the virtualized environment. Attackers can bypass security controls, execute unauthorized code, and potentially compromise all virtual machines hosted on the affected ESXi host. This can result in data theft, ransomware deployment, and disruption of critical services. This activity is linked to ESXi post-compromise scenarios and has been observed in connection with ransomware groups like Black Basta.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Syslog forwarding from ESXi hosts and ingest logs using the Splunk Technology Add-on for VMware ESXi Logs, as described in the &ldquo;How to Implement&rdquo; section of the source to ensure proper field extraction and CIM compatibility.</li>
<li>Deploy the Sigma rule <code>ESXi Encryption Settings Modified</code> to your SIEM and tune based on your environment to reduce false positives.</li>
<li>Investigate any alerts generated by this rule, focusing on the <code>dest</code> (destination) field to identify the affected ESXi host.</li>
<li>Use the drilldown searches provided to view detection results and risk events associated with the compromised ESXi host (<code>View the detection results for - &quot;$dest$&quot;</code>, <code>View risk events for the last 7 days for - &quot;$dest$&quot;</code>).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esxi</category><category>encryption</category><category>vmware</category><category>hypervisor</category><category>attack.persistence</category></item><item><title>ESXi Download Error Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-esxi-download-errors/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-esxi-download-errors/</guid><description>Detection of failed file download attempts on ESXi hosts, potentially indicating unauthorized or malicious activity such as installing or updating components, including VIBs or scripts.</description><content:encoded><![CDATA[<p>This detection focuses on identifying failed file download attempts on VMware ESXi hosts by analyzing system logs for specific error messages. The errors may stem from unauthorized or malicious attempts to install or update components, such as VIBs (vSphere Installation Bundles) or scripts, potentially leading to system compromise or disruption. This is important for defenders because successful exploitation could result in the installation of malicious software, unauthorized modifications to the ESXi host, or even complete system takeover. The detection leverages ESXi syslog data and is designed to be implemented within a Splunk environment using the appropriate technology add-on for VMware ESXi Logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a system with the ability to interact with the ESXi host (e.g., through compromised credentials or a vulnerability).</li>
<li>The attacker attempts to download a malicious VIB or script onto the ESXi host.</li>
<li>The ESXi host attempts to download the file from a remote location.</li>
<li>The download fails due to network issues, file integrity checks, or access restrictions.</li>
<li>The ESXi host logs an error message indicating the failed download attempt. Messages include &ldquo;<em>Download failed</em>&rdquo;, &ldquo;<em>Failed to download file</em>&rdquo;, &ldquo;<em>File download error</em>&rdquo;, &ldquo;<em>Could not download</em>&rdquo;.</li>
<li>The system logs are forwarded to a SIEM such as Splunk for analysis.</li>
<li>A detection rule identifies the error message in the logs and triggers an alert.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation following a failed download attempt could lead to the installation of malicious software, unauthorized modification of the ESXi host configuration, or denial of service. While the detection identifies <em>failed</em> download attempts, repeated failures or unusual patterns of failed downloads can indicate a persistent and potentially sophisticated attack. The impact could range from system instability to full compromise, depending on the attacker&rsquo;s objectives and the vulnerabilities exploited.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Configure ESXi hosts to forward syslog output to your Splunk deployment to collect the necessary log data.</li>
<li>Install and configure the Splunk Technology Add-on for VMware ESXi Logs to ensure proper field extraction and CIM compatibility.</li>
<li>Deploy the provided Splunk search query to identify ESXi download errors in your environment.</li>
<li>Tune the detection logic and filter list (<code>esxi_download_errors_filter</code>) to reduce false positives based on your environment&rsquo;s specific characteristics.</li>
<li>Investigate alerts generated by the detection to determine the root cause of the failed download attempts.</li>
<li>Use the drilldown searches to view detection results and risk events associated with the identified hosts.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>esxi</category><category>vmware</category><category>syslog</category><category>anomaly</category><category>T1601.001</category><category>T1685</category><category>ESXi Post Compromise</category><category>Black Basta Ransomware</category><category>Infrastructure</category><category>endpoint</category></item><item><title>ESXi Audit Tampering Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-esxi-audit-tampering/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-esxi-audit-tampering/</guid><description>Detection identifies the use of the esxcli system auditrecords commands to tamper with logging on an ESXi host, potentially evading detection and hindering forensic analysis.</description><content:encoded><![CDATA[<p>This detection identifies attempts to tamper with audit records on VMware ESXi hosts. Attackers with administrative privileges on an ESXi host can use the <code>esxcli system auditrecords</code> command to modify or delete audit logs. This can be done either remotely or locally on the host, and is indicative of an attacker attempting to cover their tracks, evade detection, and hinder subsequent forensic investigations. Successfully tampering with audit logs allows malicious actors to operate undetected within the environment, potentially leading to long-term compromise and data exfiltration. This activity is particularly relevant in cases involving ransomware, such as Black Basta, where attackers may attempt to erase evidence of their lateral movement and payload deployment.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to a system with privileges to access the ESXi host.</li>
<li>The attacker authenticates to the ESXi host, either locally or remotely, likely using compromised credentials.</li>
<li>The attacker executes the <code>esxcli system auditrecords</code> command.</li>
<li>The command is used with parameters to modify existing audit records, such as deleting entries or changing timestamps.</li>
<li>The attacker may target specific log entries related to their activities to erase evidence.</li>
<li>After tampering, the attacker continues their malicious activities (e.g., lateral movement, data exfiltration, or ransomware deployment) with reduced risk of detection.</li>
<li>The absence of relevant audit logs impairs incident response and forensic analysis efforts.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful tampering with ESXi audit records can severely hinder incident response and forensic analysis. Without accurate logs, security teams will struggle to determine the scope and timeline of an attack. In environments affected by ransomware like Black Basta, this can lead to delayed containment and increased data loss. The blurring of the attack timeline prevents recovery and remediation efforts. While there are no victim statistics available for this specific technique, the impact on affected organizations can be significant, resulting in financial losses, reputational damage, and regulatory fines.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Syslog on all ESXi hosts and forward logs to a centralized logging server to ensure logs are captured and retained even if local logs are tampered with.</li>
<li>Deploy the Sigma rule &ldquo;ESXi Audit Tampering Detection&rdquo; to your SIEM to detect the usage of <code>esxcli system auditrecords</code> command.</li>
<li>Investigate any alerts triggered by the Sigma rule, focusing on the source and destination of the command execution.</li>
<li>Monitor the risk score associated with the impacted systems using the <code>risk_objects</code> field in the report.</li>
<li>Review access controls and privileges assigned to ESXi hosts to minimize the attack surface.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vmware</category><category>esxi</category><category>audit-tampering</category><category>defense-evasion</category></item><item><title>ESXi Loghost Configuration Tampering</title><link>https://feed.craftedsignal.io/briefs/2024-01-esxi-loghost-tampering/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-esxi-loghost-tampering/</guid><description>An attacker modifies the ESXi host's syslog configuration to disrupt log forwarding, potentially evading detection and hindering incident response.</description><content:encoded><![CDATA[<p>Attackers targeting VMware ESXi infrastructure may tamper with the syslog configuration to disable or redirect logging. This activity, often performed post-compromise, aims to hinder incident responders by preventing them from collecting crucial forensic data. This allows malicious actors to operate with less visibility, increasing the dwell time and impact of their attacks. This particular threat focuses on detecting modifications to <code>Syslog.global.logHost</code> and <code>Syslog.global.logdir</code>, key configuration parameters for syslog forwarding on ESXi hosts. The attack is detected using ESXi syslog data, typically ingested and processed using the Splunk Technology Add-on for VMware ESXi Logs. This can be part of ransomware campaigns like Black Basta.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access to the ESXi host is achieved through exploitation of a vulnerability, stolen credentials, or other means.</li>
<li>The attacker escalates privileges to gain administrative access on the ESXi host.</li>
<li>The attacker modifies the ESXi syslog configuration using <code>esxcli</code> commands or direct manipulation of configuration files. Specifically, <code>Syslog.global.logHost</code> (the syslog server) and <code>Syslog.global.logdir</code> (the log directory) are targeted.</li>
<li>The attacker disables remote syslog forwarding by setting <code>Syslog.global.logHost</code> to an invalid or inaccessible address. Alternatively, they might redirect logs to a location they control.</li>
<li>The attacker modifies the log directory by altering the value of <code>Syslog.global.logdir</code>.</li>
<li>The attacker then proceeds with their primary objective, such as deploying ransomware or exfiltrating sensitive data, under reduced scrutiny.</li>
<li>Incident responders find difficulty in reconstructing the attack timeline due to missing or incomplete log data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful tampering with ESXi loghost configurations can significantly impair an organization&rsquo;s ability to detect and respond to security incidents. By disrupting log forwarding, attackers can effectively blind security teams, allowing them to operate undetected for extended periods. This can lead to delayed detection of ransomware deployments, data breaches, and other malicious activities, increasing the potential for financial loss, reputational damage, and operational disruption. ESXi post-compromise activity of this kind can lead to Black Basta ransomware deployment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rules to your SIEM to detect ESXi loghost configuration tampering and tune them for your environment.</li>
<li>Configure your ESXi systems to forward syslog output to a centralized logging server and ingest using the Splunk Technology Add-on for VMware ESXi Logs as specified in the &ldquo;how_to_implement&rdquo; section.</li>
<li>Investigate any alerts generated by the Sigma rules, focusing on the source ESXi host (<code>dest</code>) and the modified loghost configuration values.</li>
<li>Monitor ESXi host configuration changes for unexpected modifications to the syslog settings.</li>
<li>Implement strict access controls and multi-factor authentication for ESXi hosts to prevent unauthorized configuration changes.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esxi</category><category>syslog</category><category>loghost</category><category>tampering</category><category>defense-evasion</category></item><item><title>ESXi Lockdown Mode Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/</guid><description>The disabling of Lockdown Mode on an ESXi host may indicate a threat actor attempting to weaken host security controls to enable broader remote access for data exfiltration, lateral movement, or VM tampering.</description><content:encoded><![CDATA[<p>This detection identifies when Lockdown Mode is disabled on an ESXi host. Threat actors might disable this mode to weaken host security controls, allowing broader remote access via SSH or the host client. This action could be a precursor to further malicious activities such as data exfiltration, lateral movement within the environment, or tampering with virtual machines. Identifying this activity is crucial as it signifies a potential compromise of the ESXi host, which could lead to significant disruption and data loss. The detection logic is based on ESXi Syslog data.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access to the ESXi host, potentially through compromised credentials or exploiting a vulnerability.</li>
<li>The attacker authenticates to the ESXi host.</li>
<li>The attacker executes a command to disable Lockdown Mode. This may be done through the vSphere client or directly via SSH if enabled.</li>
<li>The ESXi host logs the event of Lockdown Mode being disabled within its syslog.</li>
<li>With Lockdown Mode disabled, the attacker gains broader access to the host&rsquo;s management interfaces.</li>
<li>The attacker performs reconnaissance activities, gathering information about the host and its virtual machines.</li>
<li>The attacker moves laterally to other systems within the environment, leveraging the compromised ESXi host.</li>
<li>The attacker exfiltrates sensitive data or manipulates virtual machines, achieving their final objectives.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Disabling Lockdown Mode can lead to a complete compromise of the ESXi host and the virtual machines it manages. This can result in data exfiltration, data corruption, or the deployment of ransomware on the virtual machines. Depending on the environment, this can affect hundreds or thousands of virtual machines, potentially disrupting critical business operations. The &ldquo;Black Basta Ransomware&rdquo; analytic story is related to this threat.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Configure ESXi hosts to forward syslog output to a SIEM or log aggregation system to enable detection of this activity, as detailed in the &ldquo;How to Implement&rdquo; section of the source.</li>
<li>Deploy the Sigma rule <code>ESXi Lockdown Mode Disabled</code> to your SIEM to detect instances where Lockdown Mode is disabled on ESXi hosts.</li>
<li>Investigate any alerts generated by the Sigma rule <code>ESXi Lockdown Mode Disabled</code> to determine the root cause and scope of the potential compromise.</li>
<li>Monitor ESXi syslog for messages indicating changes to host security configurations.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esxi</category><category>vmware</category><category>lockdown_mode</category><category>security_controls</category></item></channel></rss>