{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/account-management/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ESXi"],"_cs_severities":["high"],"_cs_tags":["esxi","vmware","account-management","persistence","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["VMware"],"content_html":"\u003cp\u003eThis detection identifies the creation, deletion, or modification of local user accounts on VMware ESXi hosts. This activity can be indicative of various malicious actions, including unauthorized access by threat actors, attempts to remove indicators of compromise, or the establishment of persistence mechanisms to maintain control over the compromised host. This type of activity is particularly concerning as ESXi hosts are critical components of virtualized environments, and their compromise can lead to significant impact. This detection leverages ESXi syslog data. It is important to note that ESXi account modifications are rare in most environments, making this a high-fidelity indicator of potentially malicious activity. The detection logic requires the appropriate Splunk Technology Add-on for VMware ESXi Logs for proper field extraction and CIM compatibility.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to the ESXi host, potentially through exploiting vulnerabilities, brute-forcing credentials, or leveraging compromised credentials (T1078).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates their privileges to gain administrative or root access on the ESXi host.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Discovery:\u003c/strong\u003e The attacker enumerates existing user accounts on the ESXi host to identify potential targets or existing administrative accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Modification:\u003c/strong\u003e The attacker modifies an existing user account's attributes, such as password, privileges, or SSH keys, to gain persistent access or impersonate legitimate users (T1098). The attacker may use esxcli command line interface.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eNew Account Creation:\u003c/strong\u003e The attacker creates a new local user account on the ESXi host to establish a persistent backdoor for future access (T1136.001).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker attempts to harvest credentials stored on the ESXi host or within the virtualized environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDefense Evasion:\u003c/strong\u003e The attacker deletes or modifies existing user accounts to remove traces of their activity or disable security measures.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement/Impact:\u003c/strong\u003e The attacker leverages their access to the ESXi host to move laterally within the virtualized environment, compromise virtual machines, or disrupt services.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromise of an ESXi host can lead to the compromise of all virtual machines hosted on that server. This can result in data theft, disruption of critical services, or deployment of ransomware within the virtualized environment. Successful account modification can allow attackers to maintain persistent access to the ESXi host, even after patches are applied or other security measures are implemented. The Black Basta ransomware group, among others, has been known to target ESXi infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure ESXi hosts to forward syslog output to a centralized logging system (e.g., Splunk) as outlined in the \u0026quot;how_to_implement\u0026quot; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eESXi Account Modified via esxcli\u003c/code\u003e to detect account modifications performed through the esxcli command-line interface.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eESXi Account Deletion via esxcli\u003c/code\u003e to detect account deletions performed through the esxcli command-line interface.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to determine the legitimacy of the account modification activity.\u003c/li\u003e\n\u003cli\u003eMonitor ESXi host logs for unusual command-line activity, specifically commands related to account management.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-esxi-account-modified/","summary":"Detection of local user account creation, deletion, or modification on an ESXi host, potentially indicating unauthorized access, persistence attempts, or defense evasion.","title":"ESXi Account Modification Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-account-modified/"}],"language":"en","title":"CraftedSignal Threat Feed - Account-Management","version":"https://jsonfeed.org/version/1.1"}