<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Syslog — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/syslog/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/syslog/feed.xml" rel="self" type="application/rss+xml"/><item><title>ESXi Syslog Configuration Changes via esxcli</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-esxi-syslog-config-change/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-esxi-syslog-config-change/</guid><description>Detection of ESXi syslog configuration changes via the esxcli command, potentially indicating an attempt to disrupt logging and evade detection.</description><content:encoded><![CDATA[<p>This threat brief focuses on the detection of unauthorized or malicious changes to the syslog configuration of VMware ESXi hosts. Attackers may attempt to modify syslog settings to disable or redirect logging, thereby hindering incident response and forensic analysis. The specific technique involves using the <code>esxcli</code> command-line utility, a powerful tool for managing ESXi hosts. Successful modification of the syslog configuration allows attackers to operate with reduced visibility, potentially leading to prolonged compromise and data exfiltration. This activity can indicate post-compromise behaviour and has been observed in association with ransomware campaigns such as Black Basta.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access to the ESXi host is achieved via compromised credentials or exploitation of a vulnerability.</li>
<li>The attacker authenticates to the ESXi host, potentially escalating privileges if necessary.</li>
<li>The attacker uses <code>esxcli</code> to query the current syslog configuration to understand the existing setup.</li>
<li>The attacker uses <code>esxcli</code> to modify the syslog configuration, potentially changing the remote host, protocol, or port.</li>
<li>The attacker disables or redirects syslog forwarding to a malicious or attacker-controlled server.</li>
<li>The attacker verifies the syslog configuration changes using <code>esxcli</code> or by observing the absence of logs at the original destination.</li>
<li>The attacker proceeds with other malicious activities, such as lateral movement, data exfiltration, or ransomware deployment, with reduced risk of detection.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of ESXi syslog configurations can severely impair an organization&rsquo;s ability to detect and respond to security incidents. This can lead to delayed detection of breaches, prolonged dwell time for attackers, and increased damage from ransomware or data theft. The consequences include significant financial losses, reputational damage, and regulatory penalties. This technique has been observed post-compromise, used to evade detection in ransomware campaigns such as Black Basta.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable ESXi syslog forwarding to a centralized logging server and monitor for configuration changes as described in the overview.</li>
<li>Deploy the provided Sigma rule <code>ESXi Syslog Config Change</code> to detect unauthorized modifications to the syslog configuration (rule ID: <code>esxi_syslog_config_change</code>).</li>
<li>Implement strict access control policies for ESXi hosts and monitor for anomalous login activity to prevent initial access.</li>
<li>Review and harden ESXi host configurations according to VMware security best practices.</li>
<li>Ensure that the Splunk Technology Add-on for VMware ESXi Logs is properly configured to parse and ingest syslog data (see How To Implement).</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esxi</category><category>syslog</category><category>vmware</category><category>defense-evasion</category><category>t1562.003</category><category>t1690</category><category>black-basta</category></item><item><title>ESXi Download Error Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-esxi-download-errors/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-esxi-download-errors/</guid><description>Detection of failed file download attempts on ESXi hosts, potentially indicating unauthorized or malicious activity such as installing or updating components, including VIBs or scripts.</description><content:encoded><![CDATA[<p>This detection focuses on identifying failed file download attempts on VMware ESXi hosts by analyzing system logs for specific error messages. The errors may stem from unauthorized or malicious attempts to install or update components, such as VIBs (vSphere Installation Bundles) or scripts, potentially leading to system compromise or disruption. This is important for defenders because successful exploitation could result in the installation of malicious software, unauthorized modifications to the ESXi host, or even complete system takeover. The detection leverages ESXi syslog data and is designed to be implemented within a Splunk environment using the appropriate technology add-on for VMware ESXi Logs.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to a system with the ability to interact with the ESXi host (e.g., through compromised credentials or a vulnerability).</li>
<li>The attacker attempts to download a malicious VIB or script onto the ESXi host.</li>
<li>The ESXi host attempts to download the file from a remote location.</li>
<li>The download fails due to network issues, file integrity checks, or access restrictions.</li>
<li>The ESXi host logs an error message indicating the failed download attempt. Messages include &ldquo;<em>Download failed</em>&rdquo;, &ldquo;<em>Failed to download file</em>&rdquo;, &ldquo;<em>File download error</em>&rdquo;, &ldquo;<em>Could not download</em>&rdquo;.</li>
<li>The system logs are forwarded to a SIEM such as Splunk for analysis.</li>
<li>A detection rule identifies the error message in the logs and triggers an alert.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation following a failed download attempt could lead to the installation of malicious software, unauthorized modification of the ESXi host configuration, or denial of service. While the detection identifies <em>failed</em> download attempts, repeated failures or unusual patterns of failed downloads can indicate a persistent and potentially sophisticated attack. The impact could range from system instability to full compromise, depending on the attacker&rsquo;s objectives and the vulnerabilities exploited.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Configure ESXi hosts to forward syslog output to your Splunk deployment to collect the necessary log data.</li>
<li>Install and configure the Splunk Technology Add-on for VMware ESXi Logs to ensure proper field extraction and CIM compatibility.</li>
<li>Deploy the provided Splunk search query to identify ESXi download errors in your environment.</li>
<li>Tune the detection logic and filter list (<code>esxi_download_errors_filter</code>) to reduce false positives based on your environment&rsquo;s specific characteristics.</li>
<li>Investigate alerts generated by the detection to determine the root cause of the failed download attempts.</li>
<li>Use the drilldown searches to view detection results and risk events associated with the identified hosts.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>esxi</category><category>vmware</category><category>syslog</category><category>anomaly</category><category>T1601.001</category><category>T1685</category><category>ESXi Post Compromise</category><category>Black Basta Ransomware</category><category>Infrastructure</category><category>endpoint</category></item><item><title>ESXi Loghost Configuration Tampering</title><link>https://feed.craftedsignal.io/briefs/2024-01-esxi-loghost-tampering/</link><pubDate>Tue, 02 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-esxi-loghost-tampering/</guid><description>An attacker modifies the ESXi host's syslog configuration to disrupt log forwarding, potentially evading detection and hindering incident response.</description><content:encoded><![CDATA[<p>Attackers targeting VMware ESXi infrastructure may tamper with the syslog configuration to disable or redirect logging. This activity, often performed post-compromise, aims to hinder incident responders by preventing them from collecting crucial forensic data. This allows malicious actors to operate with less visibility, increasing the dwell time and impact of their attacks. This particular threat focuses on detecting modifications to <code>Syslog.global.logHost</code> and <code>Syslog.global.logdir</code>, key configuration parameters for syslog forwarding on ESXi hosts. The attack is detected using ESXi syslog data, typically ingested and processed using the Splunk Technology Add-on for VMware ESXi Logs. This can be part of ransomware campaigns like Black Basta.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial access to the ESXi host is achieved through exploitation of a vulnerability, stolen credentials, or other means.</li>
<li>The attacker escalates privileges to gain administrative access on the ESXi host.</li>
<li>The attacker modifies the ESXi syslog configuration using <code>esxcli</code> commands or direct manipulation of configuration files. Specifically, <code>Syslog.global.logHost</code> (the syslog server) and <code>Syslog.global.logdir</code> (the log directory) are targeted.</li>
<li>The attacker disables remote syslog forwarding by setting <code>Syslog.global.logHost</code> to an invalid or inaccessible address. Alternatively, they might redirect logs to a location they control.</li>
<li>The attacker modifies the log directory by altering the value of <code>Syslog.global.logdir</code>.</li>
<li>The attacker then proceeds with their primary objective, such as deploying ransomware or exfiltrating sensitive data, under reduced scrutiny.</li>
<li>Incident responders have difficulty reconstructing the attack timeline because log data is missing or incomplete.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful tampering with ESXi loghost configurations can significantly impair an organization&rsquo;s ability to detect and respond to security incidents. By disrupting log forwarding, attackers can effectively blind security teams, allowing them to operate undetected for extended periods. This can lead to delayed detection of ransomware deployments, data breaches, and other malicious activities, increasing the potential for financial loss, reputational damage, and operational disruption. Post-compromise activity on ESXi hosts has been observed leading to Black Basta ransomware deployment.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rules to your SIEM to detect ESXi loghost configuration tampering and tune them for your environment.</li>
<li>Configure your ESXi systems to forward syslog output to a centralized logging server and ingest using the Splunk Technology Add-on for VMware ESXi Logs as specified in the &ldquo;how_to_implement&rdquo; section.</li>
<li>Investigate any alerts generated by the Sigma rules, focusing on the source ESXi host (<code>dest</code>) and the modified loghost configuration values.</li>
<li>Monitor ESXi host configuration changes for unexpected modifications to the syslog settings.</li>
<li>Implement strict access controls and multi-factor authentication for ESXi hosts to prevent unauthorized configuration changes.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esxi</category><category>syslog</category><category>loghost</category><category>tampering</category><category>defense-evasion</category></item></channel></rss>