{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/t1690/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["esxi","syslog","vmware","defense-evasion","t1562.003","t1690","black-basta"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of unauthorized or malicious changes to the syslog configuration of VMware ESXi hosts. Attackers may attempt to modify syslog settings to disable or redirect logging, thereby hindering incident response and forensic analysis. The specific technique involves using the \u003ccode\u003eesxcli\u003c/code\u003e command-line utility, a powerful tool for managing ESXi hosts. Successful modification of the syslog configuration allows attackers to operate with reduced visibility, potentially leading to prolonged compromise and data exfiltration. This activity can indicate post-compromise operations and has been observed in association with ransomware campaigns such as Black Basta.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the ESXi host is achieved via compromised credentials or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ESXi host, potentially escalating privileges if necessary.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eesxcli\u003c/code\u003e to query the current syslog configuration to understand the existing setup.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003eesxcli\u003c/code\u003e to modify the syslog configuration, potentially changing the remote host, protocol, or port.\u003c/li\u003e\n\u003cli\u003eThe attacker disables or redirects syslog forwarding to a malicious or attacker-controlled server.\u003c/li\u003e\n\u003cli\u003eThe attacker verifies the syslog configuration changes using \u003ccode\u003eesxcli\u003c/code\u003e or by observing the absence of logs at the original destination.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with other malicious activities, such as lateral movement, data exfiltration, or ransomware deployment, with reduced risk of detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of ESXi syslog configurations can severely impair an organization\u0026rsquo;s ability to detect and respond to security incidents. This can lead to delayed detection of breaches, prolonged dwell time for attackers, and increased damage from ransomware or data theft. The consequences include significant financial losses, reputational damage, and regulatory penalties. This technique has been observed post-compromise, used to evade detection in ransomware campaigns such as Black Basta.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable ESXi syslog forwarding to a centralized logging server and monitor for configuration changes as described in the overview.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule \u003ccode\u003eESXi Syslog Config Change\u003c/code\u003e to detect unauthorized modifications to the syslog configuration (rule ID: \u003ccode\u003eesxi_syslog_config_change\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eImplement strict access control policies for ESXi hosts and monitor for anomalous login activity to prevent initial access.\u003c/li\u003e\n\u003cli\u003eReview and harden ESXi host configurations according to VMware security best practices.\u003c/li\u003e\n\u003cli\u003eEnsure that the Splunk Technology Add-on for VMware ESXi Logs is properly configured to parse and ingest syslog data (see How To Implement).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-03-esxi-syslog-config-change/","summary":"Detection of ESXi syslog configuration changes via esxcli command, potentially indicating an attempt to disrupt logging and evade detection.","title":"ESXi Syslog Configuration Changes via esxcli","url":"https://feed.craftedsignal.io/briefs/2024-01-03-esxi-syslog-config-change/"}],"language":"en","title":"CraftedSignal Threat Feed — T1690","version":"https://jsonfeed.org/version/1.1"}