{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/loghost/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["esxi","syslog","loghost","tampering","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eAttackers targeting VMware ESXi infrastructure may tamper with the syslog configuration to disable or redirect logging. This activity, often performed post-compromise, aims to hinder incident responders by preventing them from collecting crucial forensic data. This allows malicious actors to operate with less visibility, increasing the dwell time and impact of their attacks. This particular threat focuses on detecting modifications to \u003ccode\u003eSyslog.global.logHost\u003c/code\u003e and \u003ccode\u003eSyslog.global.logdir\u003c/code\u003e, key configuration parameters for syslog forwarding on ESXi hosts. The attack is detected using ESXi syslog data, typically ingested and processed using the Splunk Technology Add-on for VMware ESXi Logs. This can be part of ransomware campaigns like Black Basta.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the ESXi host is achieved through exploitation of a vulnerability, stolen credentials, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative access on the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the ESXi syslog configuration using esxcli commands or direct manipulation of configuration files. Specifically, \u003ccode\u003eSyslog.global.logHost\u003c/code\u003e (the syslog server) and \u003ccode\u003eSyslog.global.logdir\u003c/code\u003e (the log directory) are targeted.\u003c/li\u003e\n\u003cli\u003eThe attacker disables remote syslog forwarding by setting \u003ccode\u003eSyslog.global.logHost\u003c/code\u003e to an invalid or inaccessible address. Alternatively, they might redirect logs to a location they control.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the log directory by altering the value of \u003ccode\u003eSyslog.global.logdir\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker then proceeds with their primary objective, such as deploying ransomware or exfiltrating sensitive data, under reduced scrutiny.\u003c/li\u003e\n\u003cli\u003eIncident responders have difficulty reconstructing the attack timeline due to missing or incomplete log data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with ESXi loghost configurations can significantly impair an organization\u0026rsquo;s ability to detect and respond to security incidents. By disrupting log forwarding, attackers can effectively blind security teams, allowing them to operate undetected for extended periods. This can lead to delayed detection of ransomware deployments, data breaches, and other malicious activities, increasing the potential for financial loss, reputational damage, and operational disruption. Post-compromise activity on ESXi can lead to Black Basta ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect ESXi loghost configuration tampering and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eConfigure your ESXi systems to forward syslog output to a centralized logging server and ingest it using the Splunk Technology Add-on for VMware ESXi Logs as specified in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the source ESXi host (\u003ccode\u003edest\u003c/code\u003e) and the modified loghost configuration values.\u003c/li\u003e\n\u003cli\u003eMonitor ESXi host configuration changes for unexpected modifications to the syslog settings.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and multi-factor authentication for ESXi hosts to prevent unauthorized configuration changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-esxi-loghost-tampering/","summary":"An attacker modifies the ESXi host's syslog configuration to disrupt log forwarding, potentially evading detection and hindering incident response.","title":"ESXi Loghost Configuration Tampering","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-loghost-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed — Loghost","version":"https://jsonfeed.org/version/1.1"}