{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/shell-access/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ESXi"],"_cs_severities":["medium"],"_cs_tags":["esxi","vmware","shell-access","lateral-movement"],"_cs_type":"advisory","_cs_vendors":["VMware"],"content_html":"\u003cp\u003eThis detection focuses on identifying when the ESXi Shell is enabled on a VMware ESXi host. Enabling the ESXi Shell outside of scheduled maintenance or approved troubleshooting activities can be indicative of malicious behavior. An attacker might enable the shell to gain local command execution, move laterally within the ESXi environment, or establish persistent access. The alert is triggered by analyzing syslog data generated by ESXi hosts, which needs to be properly configured and ingested into the security information and event management (SIEM) system. While legitimate administrators might enable the shell for troubleshooting, such instances should be rare and carefully monitored. The association with \u0026quot;ESXi Post Compromise\u0026quot; and \u0026quot;Black Basta Ransomware\u0026quot; analytic stories suggests the potential for this activity to precede or accompany more severe attacks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Compromise:\u003c/strong\u003e The attacker gains initial access to the ESXi host, potentially through exploiting a vulnerability (not specified) or compromised credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation (if needed):\u003c/strong\u003e The attacker escalates privileges to an account capable of enabling the ESXi shell.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eESXi Shell Enabled:\u003c/strong\u003e The attacker enables the ESXi Shell, gaining local command-line access to the host. This action is logged in syslog.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance:\u003c/strong\u003e Using the ESXi Shell, the attacker performs reconnaissance to discover network configurations, stored credentials, and other ESXi hosts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e The attacker leverages gathered credentials or exploits to move laterally to other ESXi hosts or virtual machines within the environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence:\u003c/strong\u003e The attacker establishes persistence mechanisms within the ESXi host, such as creating malicious cron jobs or modifying startup scripts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration or Encryption:\u003c/strong\u003e The attacker exfiltrates sensitive data from virtual machines or deploys ransomware to encrypt virtual machine data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact:\u003c/strong\u003e The attack results in data loss, system downtime, or financial loss due to ransomware demands.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising an ESXi host can lead to severe consequences, including the loss of control over virtual machines, data breaches, and significant business disruption. The \u0026quot;ESXi Post Compromise\u0026quot; and \u0026quot;Black Basta Ransomware\u0026quot; analytic stories highlights the potential for this activity to lead to full-scale ransomware deployment. The lack of specific victim numbers or sector targeting makes it difficult to quantify the exact impact, but the criticality of ESXi hosts within an infrastructure suggests a high-impact scenario.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure ESXi hosts to forward syslog output to your SIEM as described in the \u0026quot;How to Implement\u0026quot; section of the source to enable detection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eESXi Shell Access Enabled\u003c/code\u003e to your SIEM and tune the \u003ccode\u003eesxi_shell_access_enabled_filter\u003c/code\u003e macro based on your environment to reduce false positives.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances where the ESXi Shell is enabled outside of approved maintenance windows by reviewing the logs identified by the \u003ccode\u003eESXi Shell Access Enabled\u003c/code\u003e rule.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected processes or network connections originating from ESXi hosts to identify potential post-compromise activity using the \u003ccode\u003eDetect Outbound Connection from ESXi Host\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication for all ESXi host access to mitigate credential compromise during initial access (TA0001).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-esxi-shell-enabled/","summary":"The ESXi Shell being enabled on a host may indicate malicious activity like preparing to execute commands locally or establishing persistent access.","title":"ESXi Shell Enabled Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-esxi-shell-enabled/"}],"language":"en","title":"CraftedSignal Threat Feed - Shell-Access","version":"https://jsonfeed.org/version/1.1"}