https://feed.craftedsignal.io/tags/tampering/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-eventlog-sd-tampering/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-eventlog-sd-tampering/This analytic detects suspicious modifications to the EventLog security descriptor registry value, specifically the 'CustomSD' value, within the registry path 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD', which can be used for defense evasion by attackers.Attackers may target the Windows EventLog service to evade detection by manipulating security descriptors and access permissions. By modifying the ‘CustomSD’ value within the EventLog channel’s registry key, adversaries can restrict access to event logs, preventing security products and administrators from collecting and analyzing crucial security data. This can effectively blind security tools, allowing attackers to operate undetected within the compromised environment. The tampering of the Security Descriptor Definition Language (SDDL) strings is a critical indicator of potential malicious activity that warrants immediate investigation. The detection focuses on changes to the “CustomSD” value within the “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog<Channel>\CustomSD” path.

Attack Chain

1. The attacker gains initial access to the system through various means (e.g., phishing, exploiting a vulnerability).
2. The attacker escalates privileges to obtain necessary permissions to modify the registry.
3. The attacker navigates to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>.
4. The attacker identifies the CustomSD value within the registry key.
5. The attacker modifies the CustomSD value, altering the security descriptor for the EventLog channel using tools like reg.exe or PowerShell.
6. The attacker restricts access to the EventLog channel by modifying the SDDL string.
7. Security products and administrators are now unable to collect or analyze event logs from the tampered channel.
8. The attacker performs malicious activities without being logged, achieving persistence and evading detection.

Impact

Successful manipulation of EventLog security descriptors can severely impair an organization’s ability to detect and respond to security incidents. By restricting access to event logs, attackers can effectively blind security tools, allowing them to operate undetected. This can lead to prolonged compromises, data breaches, and other forms of significant damage. This form of tampering directly hinders incident response and forensic investigations, potentially affecting hundreds or thousands of systems depending on the scope of the attack.

Recommendation

• Deploy the Sigma rule Detect EventLog SDDL Tampering to your SIEM to detect modifications to the EventLog security descriptor registry value.
• Enable Sysmon Event ID 13 logging to capture registry modifications as required by the Sigma rule’s log source.
• Investigate any alerts generated by the Detect EventLog SDDL Tampering Sigma rule, focusing on the affected host and user.
• Monitor for unexpected or unauthorized processes modifying the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Eventlog\<Channel>\CustomSD.
• Implement the Sysmon TA to ensure proper data ingestion of Event ID 13 (registry modifications).

]]>highadvisorydefense-evasioneventlogregistrytamperinghttps://feed.craftedsignal.io/briefs/2024-01-esxi-vib-tampering/Wed, 03 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-esxi-vib-tampering/This detection identifies changes to the VIB (vSphere Installation Bundle) acceptance level on an ESXi host, potentially allowing the installation of unsigned or unverified software and lowering the system's integrity enforcement.This threat brief focuses on detecting tampering with the vSphere Installation Bundle (VIB) acceptance level on ESXi hosts. Attackers may attempt to modify the VIB acceptance level, typically using the esxcli software acceptance set command, to bypass security controls and install malicious or unsigned software. The default acceptance levels ensure that only VMware-approved or trusted vendor-signed packages are installed, maintaining system integrity. By lowering this level, for example, to “CommunitySupported”, an attacker can introduce unsigned VIBs, potentially leading to persistent compromise, data exfiltration, or disruption of virtualized workloads. This activity is often observed post-compromise.

Attack Chain

1. Initial access to the ESXi host is gained through an exploit or stolen credentials.
2. The attacker elevates privileges to execute commands with shell access.
3. The attacker uses the esxcli software acceptance set command to modify the VIB acceptance level, potentially setting it to CommunitySupported to allow unsigned VIBs.
4. The attacker installs a malicious VIB package onto the ESXi host.
5. The malicious VIB executes its payload, which could include installing a backdoor, modifying system configurations, or stealing data.
6. The attacker attempts to maintain persistence by hiding the malicious VIB or creating scheduled tasks.
7. The attacker leverages the compromised ESXi host to move laterally within the virtualized environment, targeting other virtual machines.
8. The attacker achieves their final objective, such as deploying ransomware or exfiltrating sensitive data from the virtualized environment.

Impact

Successful modification of the VIB acceptance level can lead to the installation of malicious software on ESXi hosts, resulting in the compromise of virtual machines and the entire virtualized infrastructure. This can lead to data breaches, system instability, and significant operational disruption. The Black Basta ransomware group has been known to target ESXi environments, highlighting the importance of detecting this type of activity.

Recommendation

• Enable ESXi syslog forwarding to a central log management system to capture relevant events (data_source: “VMWare ESXi Syslog”).
• Deploy the Sigma rule ESXi VIB Acceptance Level Tampering to detect changes to the VIB acceptance level (rule: “ESXi VIB Acceptance Level Tampering”).
• Monitor ESXi hosts for unusual process execution and file modifications, especially related to VIB installation (rule: “Suspicious ESXi VIB Installation”).
• Investigate any instances of the esxcli software acceptance set command being used (rule: “ESXi VIB Acceptance Level Tampering”).

]]>highadvisoryvmwareesxivibtamperingpost-compromiseransomwarehttps://feed.craftedsignal.io/briefs/2024-01-esxi-loghost-tampering/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-esxi-loghost-tampering/An attacker modifies the ESXi host's syslog configuration to disrupt log forwarding, potentially evading detection and hindering incident response.Attackers targeting VMware ESXi infrastructure may tamper with the syslog configuration to disable or redirect logging. This activity, often performed post-compromise, aims to hinder incident responders by preventing them from collecting crucial forensic data. This allows malicious actors to operate with less visibility, increasing the dwell time and impact of their attacks. This particular threat focuses on detecting modifications to Syslog.global.logHost and Syslog.global.logdir, key configuration parameters for syslog forwarding on ESXi hosts. The attack is detected using ESXi syslog data, typically ingested and processed using the Splunk Technology Add-on for VMware ESXi Logs. This can be part of ransomware campaigns like Black Basta.

Attack Chain

1. Initial access to the ESXi host is achieved through exploitation of a vulnerability, stolen credentials, or other means.
2. The attacker escalates privileges to gain administrative access on the ESXi host.
3. The attacker modifies the ESXi syslog configuration using esxcli commands or direct manipulation of configuration files. Specifically, Syslog.global.logHost (the syslog server) and Syslog.global.logdir (the log directory) are targeted.
4. The attacker disables remote syslog forwarding by setting Syslog.global.logHost to an invalid or inaccessible address. Alternatively, they might redirect logs to a location they control.
5. The attacker modifies the log directory by altering the value of Syslog.global.logdir.
6. The attacker then proceeds with their primary objective, such as deploying ransomware or exfiltrating sensitive data, under reduced scrutiny.
7. Incident responders find difficulty in reconstructing the attack timeline due to missing or incomplete log data.

Impact

Successful tampering with ESXi loghost configurations can significantly impair an organization’s ability to detect and respond to security incidents. By disrupting log forwarding, attackers can effectively blind security teams, allowing them to operate undetected for extended periods. This can lead to delayed detection of ransomware deployments, data breaches, and other malicious activities, increasing the potential for financial loss, reputational damage, and operational disruption. ESXi Post Compromise can lead to Black Basta Ransomware deployment.

Recommendation

• Deploy the provided Sigma rules to your SIEM to detect ESXi loghost configuration tampering and tune them for your environment.
• Configure your ESXi systems to forward syslog output to a centralized logging server and ingest using the Splunk Technology Add-on for VMware ESXi Logs as specified in the “how_to_implement” section.
• Investigate any alerts generated by the Sigma rules, focusing on the source ESXi host (dest) and the modified loghost configuration values.
• Monitor ESXi host configuration changes for unexpected modifications to the syslog settings.
• Implement strict access controls and multi-factor authentication for ESXi hosts to prevent unauthorized configuration changes.

]]>highadvisoryesxisyslogloghosttamperingdefense-evasion