{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/esxi/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["vmware","esxi","vib","tampering","post-compromise","ransomware"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting tampering with the vSphere Installation Bundle (VIB) acceptance level on ESXi hosts. Attackers may attempt to modify the VIB acceptance level, typically using the \u003ccode\u003eesxcli software acceptance set\u003c/code\u003e command, to bypass security controls and install malicious or unsigned software. The default acceptance levels ensure that only VMware-approved or trusted vendor-signed packages are installed, maintaining system integrity. By lowering this level, for example, to \u0026ldquo;CommunitySupported\u0026rdquo;, an attacker can introduce unsigned VIBs, potentially leading to persistent compromise, data exfiltration, or disruption of virtualized workloads. 
This activity is often observed post-compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the ESXi host is gained through an exploit or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to execute commands with \u003ccode\u003eshell\u003c/code\u003e access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eesxcli software acceptance set\u003c/code\u003e command to modify the VIB acceptance level, potentially setting it to \u003ccode\u003eCommunitySupported\u003c/code\u003e to allow unsigned VIBs.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a malicious VIB package onto the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe malicious VIB executes its payload, which could include installing a backdoor, modifying system configurations, or stealing data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by hiding the malicious VIB or creating scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised ESXi host to move laterally within the virtualized environment, targeting other virtual machines.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as deploying ransomware or exfiltrating sensitive data from the virtualized environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the VIB acceptance level can lead to the installation of malicious software on ESXi hosts, resulting in the compromise of virtual machines and the entire virtualized infrastructure. This can lead to data breaches, system instability, and significant operational disruption. 
The Black Basta ransomware group has been known to target ESXi environments, highlighting the importance of detecting this type of activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable ESXi syslog forwarding to a central log management system to capture relevant events (data_source: \u0026ldquo;VMWare ESXi Syslog\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eESXi VIB Acceptance Level Tampering\u003c/code\u003e to detect changes to the VIB acceptance level (rule: \u0026ldquo;ESXi VIB Acceptance Level Tampering\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor ESXi hosts for unusual process execution and file modifications, especially related to VIB installation (rule: \u0026ldquo;Suspicious ESXi VIB Installation\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of the \u003ccode\u003eesxcli software acceptance set\u003c/code\u003e command being used (rule: \u0026ldquo;ESXi VIB Acceptance Level Tampering\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-esxi-vib-tampering/","summary":"This detection identifies changes to the VIB (vSphere Installation Bundle) acceptance level on an ESXi host, potentially allowing the installation of unsigned or unverified software and lowering the system's integrity enforcement.","title":"ESXi VIB Acceptance Level Tampering Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-vib-tampering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["esxi","syslog","vmware","defense-evasion","t1562.003","t1690","black-basta"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of unauthorized or 
malicious changes to the syslog configuration of VMware ESXi hosts. Attackers may attempt to modify syslog settings to disable or redirect logging, thereby hindering incident response and forensic analysis. The specific technique involves using the \u003ccode\u003eesxcli\u003c/code\u003e command-line utility, a powerful tool for managing ESXi hosts. Successful modification of the syslog configuration allows attackers to operate with reduced visibility, potentially leading to prolonged compromise and data exfiltration. This activity can be an indicator of post-compromise activity, and has been observed in association with ransomware campaigns like Black Basta.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the ESXi host is achieved via compromised credentials or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ESXi host, potentially escalating privileges if necessary.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eesxcli\u003c/code\u003e to query the current syslog configuration to understand the existing setup.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eesxcli\u003c/code\u003e to modify the syslog configuration, potentially changing the remote host, protocol, or port.\u003c/li\u003e\n\u003cli\u003eThe attacker disables or redirects syslog forwarding to a malicious or attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the syslog configuration changes using \u003ccode\u003eesxcli\u003c/code\u003e or by observing the absence of logs at the original destination.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with other malicious activities, such as lateral movement, data exfiltration, or ransomware deployment, with reduced risk of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of ESXi 
syslog configurations can severely impair an organization\u0026rsquo;s ability to detect and respond to security incidents. This can lead to delayed detection of breaches, prolonged dwell time for attackers, and increased damage from ransomware or data theft. The consequences include significant financial losses, reputational damage, and regulatory penalties. This technique is observed post-compromise, where it is used to evade detection in ransomware campaigns like Black Basta.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable ESXi syslog forwarding to a centralized logging server and monitor for configuration changes as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eESXi Syslog Config Change\u003c/code\u003e to detect unauthorized modifications to the syslog configuration (rule ID: \u003ccode\u003eesxi_syslog_config_change\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies for ESXi hosts and monitor for anomalous login activity to prevent initial access.\u003c/li\u003e\n\u003cli\u003eReview and harden ESXi host configurations according to VMware security best practices.\u003c/li\u003e\n\u003cli\u003eEnsure that the Splunk Technology Add-on for VMware ESXi Logs is properly configured to parse and ingest syslog data (see How To Implement).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-esxi-syslog-config-change/","summary":"Detection of ESXi syslog configuration changes via esxcli command, potentially indicating an attempt to disrupt logging and evade detection.","title":"ESXi Syslog Configuration Changes via esxcli","url":"https://feed.craftedsignal.io/briefs/2024-01-03-esxi-syslog-config-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise 
Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["esxi","firewall","lateral_movement","data_exfiltration","ransomware","attack.defense_evasion"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eThe disabling of the ESXi firewall can expose critical infrastructure to significant risk. Threat actors often disable or weaken the ESXi firewall to facilitate lateral movement within the environment, enabling them to access sensitive data or install malicious software. This detection focuses on identifying instances where the ESXi firewall has been disabled, based on syslog data. The ESXi firewall is a critical component for securing the ESXi hypervisor, which is the foundation for virtualized environments. Disabling it creates a direct path for attackers to compromise the host and any virtual machines running on it. This activity can be associated with ransomware campaigns like Black Basta, and also China-Nexus threat activity, highlighting the diverse range of adversaries who may employ this technique.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e An attacker gains initial access to the network through various means, such as exploiting a vulnerability in a network service or through compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker escalates privileges to gain administrative access within the ESXi environment. This might involve exploiting vulnerabilities in the ESXi software or leveraging misconfigured permissions.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eFirewall Configuration Modification:\u003c/strong\u003e Using elevated privileges, the attacker disables the ESXi firewall or sets it to a permissive mode. 
This can be achieved via command-line tools or the vSphere client.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e With the firewall disabled, the attacker can now move laterally within the ESXi environment, accessing other virtual machines and ESXi hosts on the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker identifies and exfiltrates sensitive data from the compromised virtual machines. This data can include customer data, financial records, or intellectual property.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Installation:\u003c/strong\u003e The attacker installs malicious software, such as ransomware, on the compromised virtual machines or ESXi hosts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRansomware Deployment / System Corruption:\u003c/strong\u003e The installed ransomware encrypts the data on the compromised systems, rendering them inaccessible until a ransom is paid. Alternatively, the attacker may corrupt critical system files, causing system instability or failure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a complete compromise of the ESXi environment. Disabling the firewall can expose all virtual machines and ESXi hosts to unauthorized access, leading to data breaches, ransomware attacks, and significant disruption of services. Organizations that rely heavily on virtualization, such as cloud service providers and large enterprises, are particularly vulnerable. 
The impact could include significant financial losses, reputational damage, and legal liabilities.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure ESXi systems to forward syslog output to a SIEM and ensure it is ingested with the appropriate Splunk Technology Add-on for VMware ESXi Logs to enable the correlation of ESXi firewall status changes (reference: \u003ccode\u003eesxi_syslog\u003c/code\u003e data source).\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect instances where the ESXi firewall is disabled (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule promptly to determine the root cause and scope of the compromise (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eReview and harden ESXi security configurations to minimize the risk of unauthorized access and privilege escalation (reference: description).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all ESXi administrative accounts to prevent credential compromise (reference: description).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-esxi-firewall-disabled/","summary":"This detection identifies when the ESXi firewall is disabled or set to permissive mode, potentially exposing the host to unauthorized access and network-based attacks, often preceding lateral movement, data exfiltration, or malware installation.","title":"ESXi Firewall Disabled Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-firewall-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk 
Cloud"],"_cs_severities":["high"],"_cs_tags":["esxi","encryption","vmware","hypervisor","attack.persistence"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eThis detection identifies unauthorized modifications to critical encryption settings on VMware ESXi hosts. Attackers may attempt to weaken hypervisor security by disabling settings such as secure boot or executable verification, allowing them to execute malicious code or compromise virtual machines. This activity is typically observed post-compromise, where the attacker has already gained privileged access to the ESXi host. The detection focuses on changes to encryption enforcement settings via ESXi syslog messages. Successfully weakening the hypervisor allows attackers to move laterally, compromise guest VMs, or establish persistent access to the environment. This is especially relevant in environments targeted by ransomware such as Black Basta.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains initial access to the ESXi host, potentially through exploiting a vulnerability or using compromised credentials.\u003c/li\u003e\n\u003cli\u003eAttacker elevates privileges to root or administrator level on the ESXi host.\u003c/li\u003e\n\u003cli\u003eAttacker modifies ESXi host configuration to disable secure boot using esxcli commands.\u003c/li\u003e\n\u003cli\u003eAttacker modifies ESXi host settings to allow execution of unsigned or unverified code, bypassing security controls.\u003c/li\u003e\n\u003cli\u003eAttacker deploys malicious tools or implants on the ESXi host, taking advantage of the weakened security posture.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised ESXi host as a pivot point to move laterally within the virtualized environment.\u003c/li\u003e\n\u003cli\u003eAttacker compromises guest virtual machines, potentially deploying ransomware or exfiltrating sensitive 
data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of ESXi encryption settings can lead to a significant compromise of the virtualized environment. Attackers can bypass security controls, execute unauthorized code, and potentially compromise all virtual machines hosted on the affected ESXi host. This can result in data theft, ransomware deployment, and disruption of critical services. This activity is linked to ESXi post-compromise scenarios and has been observed in connection with ransomware groups like Black Basta.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Syslog forwarding from ESXi hosts and ingest logs using the Splunk Technology Add-on for VMware ESXi Logs, as described in the \u0026ldquo;How to Implement\u0026rdquo; section of the source to ensure proper field extraction and CIM compatibility.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eESXi Encryption Settings Modified\u003c/code\u003e to your SIEM and tune based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by this rule, focusing on the \u003ccode\u003edest\u003c/code\u003e (destination) field to identify the affected ESXi host.\u003c/li\u003e\n\u003cli\u003eUse the drilldown searches provided to view detection results and risk events associated with the compromised ESXi host (\u003ccode\u003eView the detection results for - \u0026quot;$dest$\u0026quot;\u003c/code\u003e, \u003ccode\u003eView risk events for the last 7 days for - \u0026quot;$dest$\u0026quot;\u003c/code\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-esxi-encryption-modified/","summary":"Detection of modifications to ESXi host encryption settings, such as disabling secure boot or executable verification, which 
may indicate attempts to weaken hypervisor integrity and allow unauthorized code execution.","title":"ESXi Encryption Settings Modification","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-encryption-modified/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["esxi","vmware","syslog","anomaly","T1601.001","T1685","ESXi Post Compromise","Black Basta Ransomware","Infrastructure","endpoint"],"_cs_type":"advisory","_cs_vendors":["VMWare","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying failed file download attempts on VMware ESXi hosts by analyzing system logs for specific error messages. The errors may stem from unauthorized or malicious attempts to install or update components, such as VIBs (vSphere Installation Bundles) or scripts, potentially leading to system compromise or disruption. This is important for defenders because successful exploitation could result in the installation of malicious software, unauthorized modifications to the ESXi host, or even complete system takeover. 
The detection leverages ESXi syslog data and is designed to be implemented within a Splunk environment using the appropriate technology add-on for VMware ESXi Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system with the ability to interact with the ESXi host (e.g., through compromised credentials or a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to download a malicious VIB or script onto the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe ESXi host attempts to download the file from a remote location.\u003c/li\u003e\n\u003cli\u003eThe download fails due to network issues, file integrity checks, or access restrictions.\u003c/li\u003e\n\u003cli\u003eThe ESXi host logs an error message indicating the failed download attempt. Messages include \u0026ldquo;\u003cem\u003eDownload failed\u003c/em\u003e\u0026rdquo;, \u0026ldquo;\u003cem\u003eFailed to download file\u003c/em\u003e\u0026rdquo;, \u0026ldquo;\u003cem\u003eFile download error\u003c/em\u003e\u0026rdquo;, \u0026ldquo;\u003cem\u003eCould not download\u003c/em\u003e\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe system logs are forwarded to a SIEM such as Splunk for analysis.\u003c/li\u003e\n\u003cli\u003eA detection rule identifies the error message in the logs and triggers an alert.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation following a failed download attempt could lead to the installation of malicious software, unauthorized modification of the ESXi host configuration, or denial of service. While the detection identifies \u003cem\u003efailed\u003c/em\u003e download attempts, repeated failures or unusual patterns of failed downloads can indicate a persistent and potentially sophisticated attack. 
The impact could range from system instability to full compromise, depending on the attacker\u0026rsquo;s objectives and the vulnerabilities exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure ESXi hosts to forward syslog output to your Splunk deployment to collect the necessary log data.\u003c/li\u003e\n\u003cli\u003eInstall and configure the Splunk Technology Add-on for VMware ESXi Logs to ensure proper field extraction and CIM compatibility.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Splunk search query to identify ESXi download errors in your environment.\u003c/li\u003e\n\u003cli\u003eTune the detection logic and filter list (\u003ccode\u003eesxi_download_errors_filter\u003c/code\u003e) to reduce false positives based on your environment\u0026rsquo;s specific characteristics.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the detection to determine the root cause of the failed download attempts.\u003c/li\u003e\n\u003cli\u003eUse the drilldown searches to view detection results and risk events associated with the identified hosts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-esxi-download-errors/","summary":"Detection of failed file download attempts on ESXi hosts, potentially indicating unauthorized or malicious activity such as installing or updating components, including VIBs or scripts.","title":"ESXi Download Error Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-esxi-download-errors/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["vmware","esxi","audit-tampering","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eThis detection identifies attempts to tamper with 
audit records on VMware ESXi hosts. Attackers with administrative privileges on an ESXi host can use the \u003ccode\u003eesxcli system auditrecords\u003c/code\u003e command to modify or delete audit logs. This can be done either remotely or locally on the host, and is indicative of an attacker attempting to cover their tracks, evade detection, and hinder subsequent forensic investigations. Successfully tampering with audit logs allows malicious actors to operate undetected within the environment, potentially leading to long-term compromise and data exfiltration. This activity is particularly relevant in cases involving ransomware, such as Black Basta, where attackers may attempt to erase evidence of their lateral movement and payload deployment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system with privileges to access the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ESXi host, either locally or remotely, likely using compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the \u003ccode\u003eesxcli system auditrecords\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe command is used with parameters to modify existing audit records, such as deleting entries or changing timestamps.\u003c/li\u003e\n\u003cli\u003eThe attacker may target specific log entries related to their activities to erase evidence.\u003c/li\u003e\n\u003cli\u003eAfter tampering, the attacker continues their malicious activities (e.g., lateral movement, data exfiltration, or ransomware deployment) with reduced risk of detection.\u003c/li\u003e\n\u003cli\u003eThe absence of relevant audit logs impairs incident response and forensic analysis efforts.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with ESXi audit records can severely hinder incident response and forensic 
analysis. Without accurate logs, security teams will struggle to determine the scope and timeline of an attack. In environments affected by ransomware like Black Basta, this can lead to delayed containment and increased data loss. An unclear attack timeline also hampers recovery and remediation efforts. While there are no victim statistics available for this specific technique, the impact on affected organizations can be significant, resulting in financial losses, reputational damage, and regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Syslog on all ESXi hosts and forward logs to a centralized logging server to ensure logs are captured and retained even if local logs are tampered with.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;ESXi Audit Tampering Detection\u0026rdquo; to your SIEM to detect use of the \u003ccode\u003eesxcli system auditrecords\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the source and destination of the command execution.\u003c/li\u003e\n\u003cli\u003eMonitor the risk score associated with the impacted systems using the \u003ccode\u003erisk_objects\u003c/code\u003e field in the report.\u003c/li\u003e\n\u003cli\u003eReview access controls and privileges assigned to ESXi hosts to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-esxi-audit-tampering/","summary":"Detection identifies the use of the esxcli system auditrecords commands to tamper with logging on an ESXi host, potentially evading detection and hindering forensic analysis.","title":"ESXi Audit Tampering Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-audit-tampering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk 
Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["esxi","syslog","loghost","tampering","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eAttackers targeting VMware ESXi infrastructure may tamper with the syslog configuration to disable or redirect logging. This activity, often performed post-compromise, aims to hinder incident responders by preventing them from collecting crucial forensic data. This allows malicious actors to operate with less visibility, increasing the dwell time and impact of their attacks. This particular threat focuses on detecting modifications to \u003ccode\u003eSyslog.global.logHost\u003c/code\u003e and \u003ccode\u003eSyslog.global.logdir\u003c/code\u003e, key configuration parameters for syslog forwarding on ESXi hosts. The attack is detected using ESXi syslog data, typically ingested and processed using the Splunk Technology Add-on for VMware ESXi Logs. This can be part of ransomware campaigns like Black Basta.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the ESXi host is achieved through exploitation of a vulnerability, stolen credentials, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative access on the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the ESXi syslog configuration using esxcli commands or direct manipulation of configuration files. Specifically, \u003ccode\u003eSyslog.global.logHost\u003c/code\u003e (the syslog server) and \u003ccode\u003eSyslog.global.logdir\u003c/code\u003e (the log directory) are targeted.\u003c/li\u003e\n\u003cli\u003eThe attacker disables remote syslog forwarding by setting \u003ccode\u003eSyslog.global.logHost\u003c/code\u003e to an invalid or inaccessible address. 
Alternatively, they might redirect logs to a location they control.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the log directory by altering the value of \u003ccode\u003eSyslog.global.logdir\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker then proceeds with their primary objective, such as deploying ransomware or exfiltrating sensitive data, under reduced scrutiny.\u003c/li\u003e\n\u003cli\u003eIncident responders have difficulty reconstructing the attack timeline due to missing or incomplete log data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with ESXi loghost configurations can significantly impair an organization\u0026rsquo;s ability to detect and respond to security incidents. By disrupting log forwarding, attackers can effectively blind security teams, allowing them to operate undetected for extended periods. This can lead to delayed detection of ransomware deployments, data breaches, and other malicious activities, increasing the potential for financial loss, reputational damage, and operational disruption. 
ESXi Post Compromise can lead to Black Basta Ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect ESXi loghost configuration tampering and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eConfigure your ESXi systems to forward syslog output to a centralized logging server and ingest using the Splunk Technology Add-on for VMware ESXi Logs as specified in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the source ESXi host (\u003ccode\u003edest\u003c/code\u003e) and the modified loghost configuration values.\u003c/li\u003e\n\u003cli\u003eMonitor ESXi host configuration changes for unexpected modifications to the syslog settings.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and multi-factor authentication for ESXi hosts to prevent unauthorized configuration changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-esxi-loghost-tampering/","summary":"An attacker modifies the ESXi host's syslog configuration to disrupt log forwarding, potentially evading detection and hindering incident response.","title":"ESXi Loghost Configuration Tampering","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-loghost-tampering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["esxi","vmware","lockdown_mode","security_controls"],"_cs_type":"advisory","_cs_vendors":["VMWare","Splunk"],"content_html":"\u003cp\u003eThis detection identifies when Lockdown Mode is disabled on an ESXi host. 
Threat actors might disable this mode to weaken host security controls, allowing broader remote access via SSH or the host client. This action could be a precursor to further malicious activities such as data exfiltration, lateral movement within the environment, or tampering with virtual machines. Identifying this activity is crucial as it signifies a potential compromise of the ESXi host, which could lead to significant disruption and data loss. The detection logic is based on ESXi Syslog data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the ESXi host, potentially through compromised credentials or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a command to disable Lockdown Mode. This may be done through the vSphere client or directly via SSH if enabled.\u003c/li\u003e\n\u003cli\u003eThe ESXi host logs the event of Lockdown Mode being disabled within its syslog.\u003c/li\u003e\n\u003cli\u003eWith Lockdown Mode disabled, the attacker gains broader access to the host\u0026rsquo;s management interfaces.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance activities, gathering information about the host and its virtual machines.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems within the environment, leveraging the compromised ESXi host.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or manipulates virtual machines, achieving their final objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling Lockdown Mode can lead to a complete compromise of the ESXi host and the virtual machines it manages. This can result in data exfiltration, data corruption, or the deployment of ransomware on the virtual machines. 
Depending on the environment, this can affect hundreds or thousands of virtual machines, potentially disrupting critical business operations. The \u0026ldquo;Black Basta Ransomware\u0026rdquo; analytic story is related to this threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure ESXi hosts to forward syslog output to a SIEM or log aggregation system to enable detection of this activity, as detailed in the \u0026ldquo;How to Implement\u0026rdquo; section of the source.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eESXi Lockdown Mode Disabled\u003c/code\u003e to your SIEM to detect instances where Lockdown Mode is disabled on ESXi hosts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eESXi Lockdown Mode Disabled\u003c/code\u003e to determine the root cause and scope of the potential compromise.\u003c/li\u003e\n\u003cli\u003eMonitor ESXi syslog for messages indicating changes to host security configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-esxi-lockdown-disabled/","summary":"The disabling of Lockdown Mode on an ESXi host may indicate a threat actor attempting to weaken host security controls to enable broader remote access for data exfiltration, lateral movement, or VM tampering.","title":"ESXi Lockdown Mode Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Esxi","version":"https://jsonfeed.org/version/1.1"}