{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/tampering/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Sysmon","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["defense-evasion","eventlog","registry","tampering"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Splunk"],"content_html":"\u003cp\u003eAttackers may target the Windows EventLog service to evade detection by manipulating security descriptors and access permissions. By modifying the \u0026lsquo;CustomSD\u0026rsquo; value within the EventLog channel\u0026rsquo;s registry key, adversaries can restrict access to event logs, preventing security products and administrators from collecting and analyzing crucial security data. This can effectively blind security tools, allowing attackers to operate undetected within the compromised environment. Tampering with the Security Descriptor Definition Language (SDDL) strings is a critical indicator of potential malicious activity that warrants immediate investigation. The detection focuses on changes to the \u0026ldquo;CustomSD\u0026rdquo; value within the \u0026ldquo;HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Eventlog\\\u0026lt;Channel\u0026gt;\\CustomSD\u0026rdquo; path.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the system through various means (e.g., phishing, exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to obtain the permissions needed to modify the registry.\u003c/li\u003e\n\u003cli\u003eThe attacker navigates to the registry key \u003ccode\u003eHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Eventlog\\\u0026lt;Channel\u0026gt;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the \u003ccode\u003eCustomSD\u003c/code\u003e value within the registry key.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eCustomSD\u003c/code\u003e value, altering the security descriptor for the EventLog channel using tools like \u003ccode\u003ereg.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003eThe attacker restricts access to the EventLog channel by modifying the SDDL string.\u003c/li\u003e\n\u003cli\u003eSecurity products and administrators are now unable to collect or analyze event logs from the tampered channel.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities without being logged, achieving persistence and evading detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful manipulation of EventLog security descriptors can severely impair an organization\u0026rsquo;s ability to detect and respond to security incidents. By restricting access to event logs, attackers can effectively blind security tools, allowing them to operate undetected. This can lead to prolonged compromises, data breaches, and other forms of significant damage. This form of tampering directly hinders incident response and forensic investigations, potentially affecting hundreds or thousands of systems depending on the scope of the attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect EventLog SDDL Tampering\u003c/code\u003e to your SIEM to detect modifications to the EventLog security descriptor registry value.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 13 logging to capture registry modifications as required by the Sigma rule\u0026rsquo;s log source.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eDetect EventLog SDDL Tampering\u003c/code\u003e Sigma rule, focusing on the affected host and user.\u003c/li\u003e\n\u003cli\u003eMonitor for unexpected or unauthorized processes modifying the registry key \u003ccode\u003eHKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Eventlog\\\u0026lt;Channel\u0026gt;\\CustomSD\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eImplement the Sysmon TA to ensure proper data ingestion of Event ID 13 (registry modifications).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-eventlog-sd-tampering/","summary":"This analytic detects suspicious modifications to the EventLog security descriptor registry value, specifically the 'CustomSD' value, within the registry path 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Eventlog\\\u003cChannel\u003e\\CustomSD', which can be used for defense evasion by attackers.","title":"Windows EventLog Security Descriptor Tampering","url":"https://feed.craftedsignal.io/briefs/2024-01-eventlog-sd-tampering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["vmware","esxi","vib","tampering","post-compromise","ransomware"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting tampering with the vSphere Installation Bundle (VIB) acceptance level on ESXi hosts. Attackers may attempt to modify the VIB acceptance level, typically using the \u003ccode\u003eesxcli software acceptance set\u003c/code\u003e command, to bypass security controls and install malicious or unsigned software. The default acceptance levels ensure that only VMware-approved or trusted vendor-signed packages are installed, maintaining system integrity. By lowering this level, for example, to \u0026ldquo;CommunitySupported\u0026rdquo;, an attacker can introduce unsigned VIBs, potentially leading to persistent compromise, data exfiltration, or disruption of virtualized workloads. This activity is often observed post-compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the ESXi host is gained through an exploit or stolen credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to execute commands with \u003ccode\u003eshell\u003c/code\u003e access.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the \u003ccode\u003eesxcli software acceptance set\u003c/code\u003e command to modify the VIB acceptance level, potentially setting it to \u003ccode\u003eCommunitySupported\u003c/code\u003e to allow unsigned VIBs.\u003c/li\u003e\n\u003cli\u003eThe attacker installs a malicious VIB package onto the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe malicious VIB executes its payload, which could include installing a backdoor, modifying system configurations, or stealing data.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to maintain persistence by hiding the malicious VIB or creating scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised ESXi host to move laterally within the virtualized environment, targeting other virtual machines.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as deploying ransomware or exfiltrating sensitive data from the virtualized environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the VIB acceptance level can lead to the installation of malicious software on ESXi hosts, resulting in the compromise of virtual machines and the entire virtualized infrastructure. This can lead to data breaches, system instability, and significant operational disruption. The Black Basta ransomware group has been known to target ESXi environments, highlighting the importance of detecting this type of activity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable ESXi syslog forwarding to a central log management system to capture relevant events (data_source: \u0026ldquo;VMWare ESXi Syslog\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eESXi VIB Acceptance Level Tampering\u003c/code\u003e to detect changes to the VIB acceptance level (rule: \u0026ldquo;ESXi VIB Acceptance Level Tampering\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eMonitor ESXi hosts for unusual process execution and file modifications, especially those related to VIB installation (rule: \u0026ldquo;Suspicious ESXi VIB Installation\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of the \u003ccode\u003eesxcli software acceptance set\u003c/code\u003e command being used (rule: \u0026ldquo;ESXi VIB Acceptance Level Tampering\u0026rdquo;).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-esxi-vib-tampering/","summary":"This detection identifies changes to the VIB (vSphere Installation Bundle) acceptance level on an ESXi host, potentially allowing the installation of unsigned or unverified software and lowering the system's integrity enforcement.","title":"ESXi VIB Acceptance Level Tampering Detection","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-vib-tampering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["esxi","syslog","loghost","tampering","defense-evasion"],"_cs_type":"advisory","_cs_vendors":["VMware","Splunk"],"content_html":"\u003cp\u003eAttackers targeting VMware ESXi infrastructure may tamper with the syslog configuration to disable or redirect logging. This activity, often performed post-compromise, aims to hinder incident responders by preventing them from collecting crucial forensic data. This allows malicious actors to operate with less visibility, increasing the dwell time and impact of their attacks. This particular threat focuses on detecting modifications to \u003ccode\u003eSyslog.global.logHost\u003c/code\u003e and \u003ccode\u003eSyslog.global.logdir\u003c/code\u003e, key configuration parameters for syslog forwarding on ESXi hosts. The attack is detected using ESXi syslog data, typically ingested and processed using the Splunk Technology Add-on for VMware ESXi Logs. This can be part of ransomware campaigns like Black Basta.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial access to the ESXi host is achieved through exploitation of a vulnerability, stolen credentials, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges to gain administrative access on the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the ESXi syslog configuration using esxcli commands or direct manipulation of configuration files. Specifically, \u003ccode\u003eSyslog.global.logHost\u003c/code\u003e (the syslog server) and \u003ccode\u003eSyslog.global.logdir\u003c/code\u003e (the log directory) are targeted.\u003c/li\u003e\n\u003cli\u003eThe attacker disables remote syslog forwarding by setting \u003ccode\u003eSyslog.global.logHost\u003c/code\u003e to an invalid or inaccessible address. Alternatively, they might redirect logs to a location they control.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the log directory by altering the value of \u003ccode\u003eSyslog.global.logdir\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker then proceeds with their primary objective, such as deploying ransomware or exfiltrating sensitive data, under reduced scrutiny.\u003c/li\u003e\n\u003cli\u003eIncident responders have difficulty reconstructing the attack timeline due to missing or incomplete log data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful tampering with ESXi loghost configurations can significantly impair an organization\u0026rsquo;s ability to detect and respond to security incidents. By disrupting log forwarding, attackers can effectively blind security teams, allowing them to operate undetected for extended periods. This can lead to delayed detection of ransomware deployments, data breaches, and other malicious activities, increasing the potential for financial loss, reputational damage, and operational disruption. Post-compromise activity on ESXi can lead to Black Basta ransomware deployment.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect ESXi loghost configuration tampering and tune them for your environment.\u003c/li\u003e\n\u003cli\u003eConfigure your ESXi systems to forward syslog output to a centralized logging server and ingest it using the Splunk Technology Add-on for VMware ESXi Logs as specified in the \u0026ldquo;how_to_implement\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the source ESXi host (\u003ccode\u003edest\u003c/code\u003e) and the modified loghost configuration values.\u003c/li\u003e\n\u003cli\u003eMonitor ESXi host configuration changes for unexpected modifications to the syslog settings.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and multi-factor authentication for ESXi hosts to prevent unauthorized configuration changes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-esxi-loghost-tampering/","summary":"An attacker modifies the ESXi host's syslog configuration to disrupt log forwarding, potentially evading detection and hindering incident response.","title":"ESXi Loghost Configuration Tampering","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-loghost-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed — Tampering","version":"https://jsonfeed.org/version/1.1"}