{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/syslog/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["esxi","syslog","vmware","defense-evasion","t1562.003","t1690","black-basta"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of unauthorized or malicious changes to the syslog configuration of VMware ESXi hosts. Attackers may attempt to modify syslog settings to disable or redirect logging, thereby hindering incident response and forensic analysis. The specific technique involves using the \u003ccode\u003eesxcli\u003c/code\u003e command-line utility, a powerful tool for managing ESXi hosts. Successful modification of the syslog configuration allows attackers to operate with reduced visibility, potentially leading to prolonged compromise and data exfiltration. 
This activity is a post-compromise defense-evasion step and has been observed in ransomware campaigns such as Black Basta.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the ESXi host is achieved via compromised credentials or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ESXi host, escalating privileges if necessary.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eesxcli\u003c/code\u003e to query the current syslog configuration and learn where logs are forwarded.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eesxcli\u003c/code\u003e to modify the syslog configuration, changing the remote host, protocol, or port, or clearing the remote host entirely.\u003c/li\u003e\n\u003cli\u003eForwarding is thereby disabled or redirected to an attacker-controlled server, and the attacker reloads the syslog service so the change takes effect.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the change with \u003ccode\u003eesxcli\u003c/code\u003e; on the defender\u0026rsquo;s side the only symptom is that the host stops appearing at the original log destination.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with other malicious activities, such as lateral movement, data exfiltration, or ransomware deployment, with reduced risk of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of ESXi syslog configurations can severely impair an organization\u0026rsquo;s ability to detect and respond to security incidents. This leads to delayed detection of breaches, prolonged attacker dwell time, and increased damage from ransomware or data theft. The consequences include significant financial losses, reputational damage, and regulatory penalties. 
This technique is used post-compromise to evade detection and has been observed in ransomware campaigns such as Black Basta.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable ESXi syslog forwarding to a centralized logging server and monitor for configuration changes as described in the overview; also alert at the collector when a host that normally forwards goes silent, since the tampering command may be the last event it sends.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eESXi Syslog Config Change\u003c/code\u003e to detect unauthorized modifications to the syslog configuration (rule ID: \u003ccode\u003eesxi_syslog_config_change\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies for ESXi hosts and monitor for anomalous login activity to prevent initial access.\u003c/li\u003e\n\u003cli\u003eReview and harden ESXi host configurations according to VMware security best practices.\u003c/li\u003e\n\u003cli\u003eEnsure that the Splunk Technology Add-on for VMware ESXi Logs is properly configured to parse and ingest syslog data (see How To Implement).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-esxi-syslog-config-change/","summary":"Detection of ESXi syslog configuration changes via the esxcli command, potentially indicating an attempt to disrupt logging and evade detection.","title":"ESXi Syslog Configuration Changes via esxcli","url":"https://feed.craftedsignal.io/briefs/2024-01-03-esxi-syslog-config-change/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["medium"],"_cs_tags":["esxi","vmware","syslog","anomaly","T1601.001","T1685","ESXi Post Compromise","Black Basta Ransomware","Infrastructure","endpoint"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eThis detection focuses on identifying failed file download attempts on VMware ESXi 
hosts by analyzing system logs for specific error messages. The errors may stem from unauthorized or malicious attempts to install or update components, such as VIBs (vSphere Installation Bundles) or scripts, potentially leading to system compromise or disruption. This is important for defenders because successful exploitation could result in the installation of malicious software, unauthorized modifications to the ESXi host, or even complete system takeover. The detection leverages ESXi syslog data and is designed to be implemented within a Splunk environment using the appropriate technology add-on for VMware ESXi Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to a system with the ability to interact with the ESXi host (e.g., through compromised credentials or a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to download a malicious VIB or script onto the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe ESXi host attempts to download the file from a remote location.\u003c/li\u003e\n\u003cli\u003eThe download fails due to network issues, file integrity checks, or access restrictions.\u003c/li\u003e\n\u003cli\u003eThe ESXi host logs an error message indicating the failed download attempt. 
Messages include \u0026ldquo;\u003cem\u003eDownload failed\u003c/em\u003e\u0026rdquo;, \u0026ldquo;\u003cem\u003eFailed to download file\u003c/em\u003e\u0026rdquo;, \u0026ldquo;\u003cem\u003eFile download error\u003c/em\u003e\u0026rdquo; and \u0026ldquo;\u003cem\u003eCould not download\u003c/em\u003e\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eThe system logs are forwarded to a SIEM such as Splunk for analysis.\u003c/li\u003e\n\u003cli\u003eA detection rule identifies the error message in the logs and triggers an alert.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA failed download is usually followed by a retry, from another source or with a different payload; if a later attempt succeeds, the result can be installation of malicious software, unauthorized modification of the ESXi host configuration, or denial of service. Because the detection fires on the \u003cem\u003efailed\u003c/em\u003e attempts, a single hit is weak evidence on its own, but repeated failures, downloads from unfamiliar URLs, or failures outside maintenance windows indicate a persistent and potentially sophisticated attack. 
The impact could range from system instability to full compromise, depending on the attacker\u0026rsquo;s objectives and the vulnerabilities exploited.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure ESXi hosts to forward syslog output to your Splunk deployment to collect the necessary log data.\u003c/li\u003e\n\u003cli\u003eInstall and configure the Splunk Technology Add-on for VMware ESXi Logs to ensure proper field extraction and CIM compatibility.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Splunk search query to identify ESXi download errors in your environment.\u003c/li\u003e\n\u003cli\u003eTune the detection logic and filter list (\u003ccode\u003eesxi_download_errors_filter\u003c/code\u003e) to reduce false positives based on your environment\u0026rsquo;s specific characteristics.\u003c/li\u003e\n\u003cli\u003eInvestigate alerts generated by the detection to determine the root cause of the failed download attempts.\u003c/li\u003e\n\u003cli\u003eUse the drilldown searches to view detection results and risk events associated with the identified hosts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-esxi-download-errors/","summary":"Detection of failed file download attempts on ESXi hosts, potentially indicating unauthorized or malicious activity such as installing or updating components, including VIBs or scripts.","title":"ESXi Download Error Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-esxi-download-errors/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["esxi","syslog","loghost","tampering","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eAttackers targeting VMware ESXi infrastructure 
may tamper with the syslog configuration to disable or redirect logging. This activity, usually performed post-compromise, hinders incident responders by denying them the forensic data they need, and lets the actors operate with less visibility, increasing the dwell time and impact of the intrusion. This particular threat focuses on detecting modifications to \u003ccode\u003eSyslog.global.logHost\u003c/code\u003e and \u003ccode\u003eSyslog.global.logDir\u003c/code\u003e, the advanced settings that control where an ESXi host forwards and stores its logs. The attack is detected using ESXi syslog data, typically ingested and processed using the Splunk Technology Add-on for VMware ESXi Logs. This activity can be part of ransomware campaigns like Black Basta.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the ESXi host is achieved through exploitation of a vulnerability, stolen credentials, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative access on the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the ESXi syslog configuration using esxcli, vim-cmd, or direct manipulation of the host configuration. Specifically, \u003ccode\u003eSyslog.global.logHost\u003c/code\u003e (the remote syslog server) and \u003ccode\u003eSyslog.global.logDir\u003c/code\u003e (the local log directory) are targeted.\u003c/li\u003e\n\u003cli\u003eThe attacker disables remote syslog forwarding by clearing \u003ccode\u003eSyslog.global.logHost\u003c/code\u003e or setting it to an invalid or unreachable address. 
Alternatively, they redirect logs to a destination they control.\u003c/li\u003e\n\u003cli\u003eThe attacker changes the local log directory by altering \u003ccode\u003eSyslog.global.logDir\u003c/code\u003e, for example pointing it at a non-persistent location so that local logs do not survive a reboot.\u003c/li\u003e\n\u003cli\u003eThe attacker then proceeds with their primary objective, such as deploying ransomware or exfiltrating sensitive data, under reduced scrutiny.\u003c/li\u003e\n\u003cli\u003eIncident responders then struggle to reconstruct the attack timeline because the log data is missing or incomplete.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with ESXi loghost configurations can significantly impair an organization\u0026rsquo;s ability to detect and respond to security incidents. By disrupting log forwarding, attackers can effectively blind security teams, allowing them to operate undetected for extended periods. This can lead to delayed detection of ransomware deployments, data breaches, and other malicious activities, increasing the potential for financial loss, reputational damage, and operational disruption. 
This post-compromise tampering has been associated with Black Basta ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect ESXi loghost configuration tampering and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eConfigure your ESXi systems to forward syslog output to a centralized logging server and ingest it using the Splunk Technology Add-on for VMware ESXi Logs as specified in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the source ESXi host (\u003ccode\u003edest\u003c/code\u003e), the account that made the change, and the new loghost value; a change to an approved collector is maintenance, while a change to anything else, or to an empty value, is suspect.\u003c/li\u003e\n\u003cli\u003eMonitor ESXi host configuration changes for unexpected modifications to the syslog settings.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and multi-factor authentication for ESXi hosts to prevent unauthorized configuration changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-esxi-loghost-tampering/","summary":"An attacker modifies the ESXi host's syslog configuration to disrupt log forwarding, potentially evading detection and hindering incident response.","title":"ESXi Loghost Configuration Tampering","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-loghost-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed — Syslog","version":"https://jsonfeed.org/version/1.1"}
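The three briefs in this feed describe one body of telemetry from three angles: esxcli changes to the syslog configuration, tampering with Syslog.global.logHost and Syslog.global.logDir through any tool, and failed component downloads. The Python below is an added example, not part of the feed and not CraftedSignal's Sigma rules or Splunk searches; it runs equivalent checks over a handful of constructed ESXi syslog lines. Assumptions: the line shape follows what ESXi forwards from shell.log (`[user]: command`) and esxupdate; APPROVED_LOGHOSTS, the rule names and the severities are illustrative; `esxcli system settings advanced set`, `esxcfg-advcfg` and `vim-cmd hostsvc/advopt/update` are real alternate ways to set the same options, so the patterns cover them as well as `esxcli system syslog config set`.

```python
"""Added example: host-side detector for the ESXi syslog briefs above.
Illustrative code written for this page, not CraftedSignal's rules.
Sample lines are constructed, modelled on ESXi shell.log / esxupdate output."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Assumption: the collectors your hosts are supposed to forward to.
APPROVED_LOGHOSTS: Set[str] = {
    "udp://10.0.0.5:514",
    "tcp://10.0.0.5:514",
    "ssl://siem.example.internal:1514",
}

# Constructed sample input: "<PRI>timestamp host proc[pid]: msg";
# shell.log records interactive commands as "[user]: command".
SAMPLE_LINES = [
    "<14>2024-01-03T12:00:01Z esxi01 shell[2100257]: [root]: esxcli system syslog config get",
    "<14>2024-01-03T12:00:07Z esxi01 shell[2100257]: [root]: esxcli system syslog config set --loghost=udp://198.51.100.7:514",
    "<14>2024-01-03T12:00:09Z esxi01 shell[2100257]: [root]: esxcli system syslog reload",
    "<14>2024-01-03T12:01:30Z esxi02 shell[2100301]: [root]: esxcli system syslog config set --loghost=",
    "<14>2024-01-03T12:02:00Z esxi02 shell[2100301]: [root]: esxcli system settings advanced set -o /Syslog/global/logDir -s /tmp/scratch/log",
    "<14>2024-01-03T12:03:00Z esxi03 shell[2100402]: [admin]: vim-cmd hostsvc/advopt/update Syslog.global.logHost string ssl://siem.example.internal:1514",
    "<14>2024-01-03T12:04:00Z esxi03 esxupdate: [ERROR] Failed to download file http://203.0.113.9/tools.vib",
    "<14>2024-01-03T12:05:00Z esxi01 shell[2100257]: [root]: ls /vmfs/volumes",
]

HEADER_RE = re.compile(r"^(?:<\d+>)?(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^\s:\[]+)(?:\[\d+\])?:\s*(?P<msg>.*)$")
SHELL_RE = re.compile(r"^\[(?P<user>[^\]]+)\]:\s*(?P<cmd>.+)$")
# Brief 1: esxcli system syslog config set with --loghost / --logdir.
ESXCLI_SET_RE = re.compile(r"\besxcli\s+system\s+syslog\s+config\s+set\b(?P<args>.*)", re.I)
LOGHOST_ARG_RE = re.compile(r"--loghost(?:=|\s+)(?P<val>\S*)", re.I)
LOGDIR_ARG_RE = re.compile(r"--logdir(?:=|\s+)(?P<val>\S*)", re.I)
# Brief 3: the same options edited as advanced settings (esxcli/esxcfg-advcfg/vim-cmd).
ADVCFG_KEY_RE = re.compile(r"(?P<key>/?Syslog[./]global[./](?:logHost|logDir))\b", re.I)
ADVCFG_VAL_RE = re.compile(r"(?:-s\s+|\bstring\s+)(?P<val>\S*)", re.I)
# Brief 2: failed component downloads.
DOWNLOAD_ERR_RE = re.compile(r"download failed|failed to download file|file download error|could not download", re.I)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    rule: str
    severity: str
    user: Optional[str]
    detail: str


def _loghost_alert(ts: str, host: str, user: Optional[str], value: str, approved: Set[str]) -> Alert:
    """Classify a new logHost value: emptied (forwarding off), approved, or redirected."""
    if value == "":
        return Alert(ts, host, "loghost_cleared", "high", user, "Syslog.global.logHost emptied; remote forwarding disabled")
    if value in approved:
        return Alert(ts, host, "loghost_changed_approved", "low", user, f"Syslog.global.logHost set to approved collector {value}")
    return Alert(ts, host, "loghost_redirected", "high", user, f"Syslog.global.logHost set to unapproved destination {value}")


def analyse_line(line: str, approved: Set[str] = APPROVED_LOGHOSTS) -> Optional[Alert]:
    """Return an Alert for one forwarded syslog line, or None if nothing matched."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ts, host, proc, msg = m.group("ts", "host", "proc", "msg")
    user: Optional[str] = None
    cmd = msg
    if proc == "shell":  # shell.log carries the invoking account
        s = SHELL_RE.match(msg)
        if s:
            user, cmd = s.group("user", "cmd")
    e = ESXCLI_SET_RE.search(cmd)
    if e:
        lh = LOGHOST_ARG_RE.search(e.group("args"))
        if lh:
            return _loghost_alert(ts, host, user, lh.group("val").strip("'\""), approved)
        ld = LOGDIR_ARG_RE.search(e.group("args"))
        if ld:
            return Alert(ts, host, "logdir_changed", "medium", user, f"Syslog.global.logDir set to {ld.group('val') or '<empty>'}")
        return Alert(ts, host, "syslog_config_changed", "medium", user, cmd)
    k = ADVCFG_KEY_RE.search(cmd)
    if k:
        v = ADVCFG_VAL_RE.search(cmd)
        value = v.group("val").strip("'\"") if v else ""
        if k.group("key").lower().endswith("loghost"):
            return _loghost_alert(ts, host, user, value, approved)
        return Alert(ts, host, "logdir_changed", "medium", user, f"Syslog.global.logDir set to {value or '<empty>'}")
    if DOWNLOAD_ERR_RE.search(msg):
        return Alert(ts, host, "download_error", "medium", user, msg)
    return None


def detect(lines: Iterable[str], approved: Set[str] = APPROVED_LOGHOSTS) -> List[Alert]:
    """Run every line through analyse_line and keep the hits, in input order."""
    return [a for a in (analyse_line(l, approved) for l in lines) if a]


if __name__ == "__main__":
    for a in detect(SAMPLE_LINES):
        print(f"{a.ts} {a.host:<7} {a.severity:<6} {a.rule:<26} user={a.user} {a.detail}")
```

On the sample input this yields five hits: the redirect on esxi01 and the emptied logHost on esxi02 as high, the logDir move and the esxupdate failure as medium, and the change on esxi03 as low because the new value is an approved collector (still recorded, so planned maintenance leaves an audit trail). `config get` and `reload` are deliberately not alerted on because they are noisy on their own, but both are worth pulling into the timeline once a hit fires. In Splunk the equivalent fields come from the Technology Add-on's extractions rather than these regexes, and the one check this host-side logic cannot make, a host that simply stops sending, belongs on the collector.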