<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Virtual_machine - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/virtual_machine/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/virtual_machine/feed.xml" rel="self" type="application/rss+xml"/><item><title>ESXi Bulk VM Termination Detection</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-esxi-bulk-vm-termination/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-esxi-bulk-vm-termination/</guid><description>Detection of abrupt virtual machine termination on ESXi hosts, potentially indicating denial-of-service, ransomware staging, or destruction of critical workloads.</description><content:encoded><![CDATA[<p>This brief addresses the abrupt termination of virtual machines on VMware ESXi hosts, a behavior that can indicate malicious activity. Attackers might employ this technique for various purposes, including causing a denial-of-service (DoS), staging ransomware attacks, or disrupting critical workloads by terminating VMs. While the specific actors behind such attacks can vary, the impact on affected organizations is significant. The detection logic focuses on identifying specific command patterns within ESXi syslog data that signal bulk VM termination, enabling security teams to respond swiftly to potential threats. This activity is associated with post-compromise scenarios on ESXi infrastructure and has been linked to ransomware groups like Black Basta.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the ESXi host through an undisclosed method.</li>
<li>Attacker executes commands via the ESXi shell or through <code>esxcli</code>.</li>
<li>Attacker uses <code>esxcli vm process list</code> to enumerate running virtual machines on the host.</li>
<li>The attacker filters the output of <code>esxcli vm process list</code> using <code>awk</code> or similar tools to extract VM process IDs.</li>
<li>Attacker uses <code>esxcli vm process kill</code> with the <code>--format-param</code> option to terminate multiple virtual machine processes.</li>
<li>Alternatively, the attacker uses <code>pkill -9 vmx-*</code> to forcibly terminate all VM processes.</li>
<li>Virtual machines are abruptly shut down, leading to data loss and service disruption.</li>
<li>The attack may be a precursor to data exfiltration or encryption as part of a ransomware attack.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful bulk VM termination can lead to significant disruption of services, data loss, and potential financial losses. The number of victims and the scope of impact depend on the criticality of the virtual machines affected. In ransomware scenarios, this action serves to maximize the impact and pressure victims into paying the ransom. Sectors heavily reliant on virtualization, such as cloud providers, financial institutions, and healthcare organizations, are particularly vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Configure ESXi hosts to forward syslog output to your SIEM to collect the necessary data (VMWare ESXi Syslog).</li>
<li>Deploy the Sigma rules provided in this brief to your SIEM to detect bulk VM termination activity and tune them based on your environment.</li>
<li>Investigate any alerts triggered by these rules to determine the scope and impact of the activity.</li>
<li>Review and harden access controls to ESXi hosts to prevent unauthorized command execution.</li>
<li>Consider implementing rate limiting or alerting on ESXi command execution to detect anomalous activity.</li>
<li>Ingest logs with the appropriate Splunk Technology Add-on for VMware ESXi Logs, ensuring field extractions and CIM compatibility, to properly utilize the provided Splunk search query.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esxi</category><category>vmware</category><category>virtual_machine</category><category>ransomware</category><category>denial_of_service</category></item></channel></rss>