Analytics Story: ESXi Post Compromise

Description

This analytic story contains detections for malicious activity on VMware ESXi. Adversaries who gain access to an ESXi shell or exploit management interfaces may attempt to maintain persistence, disrupt virtual machines, modify security settings, or prepare for lateral movement.

Why it matters

Ransomware groups have been observed abusing ESXi to deploy malware and encrypt virtual machines. This story focuses on detecting potential post-compromise activities. It aims to help defenders identify and respond to attacks on ESXi systems in their environments.

Detections

| Name | Technique | Type |
|------|-----------|------|
| ESXi Account Modified | Local Account, Valid Accounts, Account Manipulation | Anomaly |
| ESXi Audit Tampering | Impair Command History Logging, Indicator Removal | TTP |
| ESXi Bulk VM Termination | Virtual Machine Discovery, System Shutdown/Reboot, Endpoint Denial of Service | TTP |
| ESXi Download Errors | Patch System Image, Disable or Modify Tools | Anomaly |
| ESXi Encryption Settings Modified | Impair Defenses | TTP |
| ESXi External Root Login Activity | Valid Accounts | Anomaly |
| ESXi Firewall Disabled | Disable or Modify System Firewall | TTP |
| ESXi Lockdown Mode Disabled | Impair Defenses | TTP |
| ESXi Loghost Config Tampering | Impair Defenses | TTP |
| ESXi Malicious VIB Forced Install | vSphere Installation Bundles | TTP |
| ESXi Reverse Shell Patterns | Command and Scripting Interpreter | TTP |
| ESXi Sensitive Files Accessed | /etc/passwd and /etc/shadow, Data from Local System | TTP |
| ESXi Shared or Stolen Root Account | Valid Accounts | Anomaly |
| ESXi Shell Access Enabled | Remote Services | TTP |
| ESXi SSH Brute Force | Brute Force | Anomaly |
| ESXi SSH Enabled | SSH | TTP |
| ESXi Syslog Config Change | Impair Command History Logging | TTP |
| ESXi System Clock Manipulation | Timestomp | TTP |
| ESXi System Information Discovery | System Information Discovery | TTP |
| ESXi User Granted Admin Role | Account Manipulation, Valid Accounts | TTP |
| ESXi VIB Acceptance Level Tampering | Impair Defenses | TTP |
| ESXi VM Discovery | Virtual Machine Discovery | TTP |
| ESXi VM Exported via Remote Tool | Data from Local System | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|------|----------|------------|--------|
| VMWare ESXi Syslog | N/A | vmw-syslog | vmware:esxlog |


Source: GitHub | Version: 1