A detailed security guide released by Splunk to help cybersecurity teams detect and prevent ransomware attacks targeting ESXi infrastructure before they can cause catastrophic damage.
The guide comes as a response to increasing threats against VMware’s ESXi hypervisor systems, which have become prime targets for cybercriminals due to their centralized nature and often inadequate monitoring.
The comprehensive resource provides technical detection strategies, code examples, and configuration guidance to help organizations strengthen their defenses against these devastating attacks that can encrypt entire virtualized environments within days.
Key Takeaways
1. Splunk released detection queries to identify suspicious ESXi activities.
2. Guide covers monitoring ESXi logs through syslog forwarding with technical implementation code.
3. ESXi hypervisors are prime ransomware targets that can encrypt entire environments rapidly
ESXi Ransomware Attack Guide
Researchers have developed an extensive analytic story specifically designed to identify malicious ESXi activity through comprehensive log monitoring.
The guide emphasizes the critical importance of configuring ESXi logging to send syslog data to external systems, particularly through Splunk Connect for Syslog, which provides a containerized syslog-ng server with pre-configured frameworks.
Organizations can implement direct monitoring through various methods, including dedicated syslog servers with Universal Forwarders or direct ingestion capabilities.
The detection framework includes sophisticated queries targeting reconnaissance activities, such as the System Information Discovery detection that identifies ESXCLI system-level commands: esxi_syslog Message=”*system*” AND Message=”*esxcli*” AND Message IN (“*get*”,”*list*”) AND Message=”*user=*” NOT Message=”*filesystem*”.
System information discovery
Additional critical detections monitor suspicious account activities, including External Root Login attempts and unauthorized Administrator role assignments through commands like esxcli system permission set with role Admin parameters.
User granted Admin role
ESXi Log Monitoring
The guide provides detailed breakdowns of essential ESXi log types that security teams must monitor effectively.
Shell logs capture executed commands, including both standard shell operations and esxcli interactions, while Hostd logs record host management service activities, VM lifecycle events, and authentication attempts.
VMK Warning logs offer filtered vmkernel views focusing on warning-level events, and ESXi Update logs track VIB (vSphere Installation Bundle) installations that could indicate unauthorized backdoor installations.
Critical detection capabilities include monitoring VIB acceptance level tampering through queries targeting esxcli software acceptance set commands, SSH enablement detection, and VM export monitoring via NFC protocol abuse.
Syslog Config Change
The framework also addresses indicator removal attempts, including audit tampering detection using esxcli system auditrecords commands and syslog configuration changes that could disrupt log collection.
Advanced features include system clock manipulation detection through NTPClock monitoring, helping identify timestamp evasion techniques commonly employed by sophisticated threat actors seeking to avoid detection mechanisms.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com
