Full Report
Cybersecurity researchers have found that ransomware attacks targeting ESXi systems are also leveraging the access to repurpose the appliances as a conduit to tunnel traffic to command-and-control (C2) infrastructure and stay under the radar. "ESXi appliances, which are unmonitored, are increasingly exploited as a persistence mechanism and gateway to access corporate networks widely," Sygnia
Analysis Summary
# Tool/Technique: SSH Tunneling via ESXi Appliances
## Overview
Threat actors are exploiting compromised ESXi systems, often gained via administrative credentials or vulnerabilities, to establish SOCKS tunnels to their Command and Control (C2) infrastructure. This technique allows attackers to blend their traffic with legitimate network activity, establishing semi-persistent backdoors with low detection rates.
## Technical Details
- Type: Technique (Lateral Movement/Persistence via repurposed appliance)
- Platform: VMware ESXi
- Capabilities: Establishing covert C2 communication, persistence, blending activity with legitimate traffic.
- First Seen: Context suggests this is a current or recently observed trend in ransomware operations targeting ESXi.
## MITRE ATT&CK Mapping
- T1090 - Proxy
- T1090.003 - Proxy: Multi-hop Proxy (Relevant if the tunnel is chained, though direct C2 tunneling is the core method described)
- T1572 - Protocol Tunneling
- T1572.001 - Protocol Tunneling: Application Layer Protocol Tunneling (SOCKS tunnel over SSH)
- T1059 - Command and Scripting Interpreter
- T1059.004 - Command and Scripting Interpreter: Unix Shell (Used for executing SSH commands)
## Functionality
### Core Capabilities
- Utilizing native ESXi tools (like SSH) to establish a SOCKS tunnel.
- Repurposing ESXi appliances as a gateway for traffic between the compromised internal network and external C2 infrastructure.
- Achieving semi-persistent backdoor access due to the resilient nature of ESXi systems.
### Advanced Features
- "Living-off-the-land" approach by using native SSH functionality, thus avoiding introducing custom malware artifacts.
- Deception by blending tunnel traffic into seemingly legitimate network flows.
## Indicators of Compromise
- File Hashes: N/A (Technique-based, leveraging existing binaries)
- File Names: N/A (Technique-based)
- Registry Keys: N/A (Applies to ESXi filesystem/configuration)
- Network Indicators: No specific addresses are given in the excerpt; look for traffic patterns suggesting SSH or SOCKS activity originating from or relayed through ESXi hosts toward C2 infrastructure.
- Behavioral Indicators: Anomalous outbound network connections initiated via the SSH daemon on ESXi hosts; unauthorized configuration changes to allow persistent SSH access.
## Associated Threat Actors
- Threat actors involved in ransomware attacks targeting ESXi systems. (Specific named actors are not associated with this technique in the excerpt, but the context links it to ransomware campaigns).
## Detection Methods
- Signature-based detection: Limited, as native tools are used.
- Behavioral detection: Monitoring for unusual outbound connections or connections that establish proxy/tunnel functionality on ESXi hosts.
- YARA rules if available: Not specified.
## Mitigation Strategies
- Reviewing ESXi security posture to prevent initial access (admin credentials/vulnerabilities).
- Monitoring and centrally forwarding critical ESXi logs:
  - `/var/log/shell.log` (ESXi shell activity)
  - `/var/log/hostd.log` (Host agent log)
  - `/var/log/auth.log` (Authentication log)
  - `/var/log/vobd.log` (VMware observer daemon log)
- Restricting unmonitored ESXi appliances.
- Minimizing the use of SSH access (or enforcing strong controls/MFA if required).
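The detection and log-forwarding guidance above can be turned into a small triage check. The following is an added example (not code from the Sygnia report): it scans constructed lines in the shape of ESXi `/var/log/auth.log` and `/var/log/shell.log` entries for SSH logins from sources outside an assumed admin allow-list, `ssh` invocations carrying tunnel/forwarding options (`-D`, `-R`, `-L`, `-w`), and firewall-disable commands. The log line formats are approximations written for this example, and the allow-list is an assumption.

```python
import re
from dataclasses import dataclass

# Constructed sample lines approximating ESXi auth.log / shell.log entries (not from a real host).
AUTH_LOG = """\
2025-01-27T09:12:01Z sshd[2099811]: Accepted keyboard-interactive/pam for root from 10.20.1.15 port 50112 ssh2
2025-01-27T09:12:05Z sshd[2099811]: Session opened for 'root' on /dev/char/pty/t0
2025-01-27T22:47:39Z sshd[2100340]: Accepted publickey for root from 10.20.7.201 port 41002 ssh2
"""
SHELL_LOG = """\
2025-01-27T09:13:10Z shell[2099850]: [root]: esxcli network ip interface list
2025-01-27T22:48:02Z shell[2100360]: [root]: ssh -f -N -D 1080 relay@203.0.113.55
2025-01-27T22:49:11Z shell[2100360]: [root]: esxcli network firewall set --enabled false
"""

ALLOWED_ADMIN_SOURCES = {"10.20.1.15"}  # assumed jump-host allow-list for SSH to ESXi
ACCEPTED_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port")
SHELL_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
# ssh options that create a proxy or forwarding tunnel: -D (SOCKS), -R (remote), -L (local), -w (tun)
TUNNEL_FLAG_RE = re.compile(r"(?:^|\s)ssh(?:\s+\S+)*\s-(?:[fNqT]*[DRLw])")

@dataclass(frozen=True)
class Finding:
    ts: str
    kind: str
    detail: str

def scan_auth_log(text, allowed_sources=ALLOWED_ADMIN_SOURCES):
    """Flag accepted SSH logins whose source address is not an approved admin host."""
    findings = []
    for line in text.splitlines():
        m = ACCEPTED_RE.match(line)
        if m and m["src"] not in allowed_sources:
            findings.append(Finding(m["ts"], "ssh_login_unexpected_source", f"{m['user']} from {m['src']}"))
    return findings

def scan_shell_log(text):
    """Flag shell commands that build SSH tunnels from the host or disable the ESXi firewall."""
    findings = []
    for line in text.splitlines():
        m = SHELL_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"]
        if TUNNEL_FLAG_RE.search(cmd):
            findings.append(Finding(m["ts"], "ssh_tunnel_from_esxi", cmd))
        elif "firewall set" in cmd and "--enabled false" in cmd:
            findings.append(Finding(m["ts"], "esxi_firewall_disabled", cmd))
    return findings

def scan(auth_text=AUTH_LOG, shell_text=SHELL_LOG):
    """Merge both scans, ordered by timestamp, so an analyst sees the sequence of events."""
    return sorted(scan_auth_log(auth_text) + scan_shell_log(shell_text), key=lambda f: f.ts)

if __name__ == "__main__":
    for f in scan():
        print(f"{f.ts} {f.kind}: {f.detail}")
```

In the sample data the allow-listed daytime login produces nothing, while the late-night login, the `ssh -D` tunnel and the firewall change surface as three findings in order.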
## Related Tools/Techniques
- Use of native Windows tools (PsExec, JuicyPotato) for privilege escalation (mentioned in the context of a different actor/technique, but it illustrates the same living-off-the-land binary (LOLBin) approach).
***
# Tool/Technique: Andariel's RID Hijacking
## Overview
The North Korea-linked threat group Andariel utilizes Relative Identifier (RID) hijacking to gain covert, elevated privileges on compromised Windows systems, ensuring persistence by assigning lower-privileged accounts the access rights of the built-in Administrator account.
## Technical Details
- Type: Technique (Persistence/Privilege Escalation)
- Platform: Windows
- Capabilities: Modifying the Windows Registry to change the RID value of a newly created or low-privileged user account to 500, granting it administrative privileges upon the next login.
- First Seen: The exploitation of this method is detailed in a recent report by ASEC.
## MITRE ATT&CK Mapping
- T1136 - Create Account
- T1136.001 - Create Account: Local Account
- T1087 - Account Discovery
- T1087.001 - Account Discovery: Local Account
- T1078 - Valid Accounts
- T1078.003 - Valid Accounts: Local Accounts
- T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control (Implicitly achieved by abusing RID assignment)
## Functionality
### Core Capabilities
- Gaining SYSTEM privileges (via tools like PsExec or JuicyPotato) to modify critical registry settings.
- Creating a new user account.
- Modifying the account's RID value in the registry to `500` (the Administrator RID).
- Adding the newly privileged account to the Administrators and Remote Desktop Users groups (`net localgroup`).
### Advanced Features
- **Stealth:** The compromised account operates with lower visibility than the default administrator account, evading elevated surveillance.
- **Persistence:** The elevated status persists across logins once the registry modification takes effect.
## Indicators of Compromise
- File Hashes: N/A (Technique-based registry modification)
- File Names: N/A
- Registry Keys: Modification of the RID associated with a newly created user account to 500 (or modifying an existing account's RID).
- Network Indicators: N/A (Focus is post-compromise persistence)
- Behavioral Indicators: Execution of `net localgroup Administrators /add <new_user>` following privilege escalation, and suspicious registry modifications affecting user security identifiers.
## Associated Threat Actors
- Andariel (North Korea-linked threat group)
## Detection Methods
- Signature-based detection: Monitoring for known hashes of privilege escalation tools (PsExec, JuicyPotato).
- Behavioral detection: Monitoring for anomalous registry writes targeting security identifier (SID) or Relative Identifier (RID) values, particularly for newly created accounts. Monitoring for administrative group manipulation via `net localgroup`.
- YARA rules if available: Not specified.
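The behavioral detections listed above can be correlated in one pass over endpoint telemetry. The following is an added example (not code from the ASEC report): it walks constructed, simplified key=value events modelled on Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set), flags writes to a user's `F` value under the SAM `Users` key by any process other than `lsass.exe`, and raises the severity of a `net localgroup ... /add` when the account was created earlier in the same log. The event format and sample values are invented for this example; the SAM key layout (`HKLM\SAM\SAM\Domains\Account\Users\<hex RID>\F`) is the standard location of local account records.

```python
import re

# Constructed events in a simplified key=value form modelled on Sysmon EventID 1 and 13.
# Values are invented for the example; RID 0x3F0 (1008) is a freshly created local account.
EVENTS = r"""
EventID=1 Image=C:\Windows\System32\net.exe CommandLine="net user svc_backup P@ss /add" User="NT AUTHORITY\SYSTEM"
EventID=13 Image=C:\Windows\System32\reg.exe TargetObject=HKLM\SAM\SAM\Domains\Account\Users\000003F0\F Details="Binary Data" User="NT AUTHORITY\SYSTEM"
EventID=1 Image=C:\Windows\System32\net.exe CommandLine="net localgroup Administrators svc_backup /add" User="NT AUTHORITY\SYSTEM"
EventID=13 Image=C:\Windows\System32\lsass.exe TargetObject=HKLM\SAM\SAM\Domains\Account\Users\000003E9\F Details="Binary Data" User="NT AUTHORITY\SYSTEM"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Per-user record under the SAM hive; the F value holds the account's fixed-length data.
SAM_USER_F_RE = re.compile(r"^HKLM\\SAM\\SAM\\Domains\\Account\\Users\\(?P<rid>[0-9A-F]{8})\\F$", re.I)
NET_USER_ADD_RE = re.compile(r"\bnet1?\s+user\s+(?P<user>\S+)\s+\S+\s+/add", re.I)
NET_GROUP_ADD_RE = re.compile(
    r'\bnet1?\s+localgroup\s+"?(?P<group>Administrators|Remote Desktop Users)"?\s+(?P<user>\S+)\s+/add', re.I)

def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def analyze(text):
    """Return (severity, description) findings in log order."""
    created, findings = set(), []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            cmd = ev.get("CommandLine", "")
            m = NET_USER_ADD_RE.search(cmd)
            if m:
                created.add(m["user"].lower())  # remember new local accounts for correlation
            m = NET_GROUP_ADD_RE.search(cmd)
            if m:
                sev = "high" if m["user"].lower() in created else "medium"
                findings.append((sev, f"{m['user']} added to {m['group']} via net.exe"))
        elif ev.get("EventID") == "13":
            m = SAM_USER_F_RE.match(ev.get("TargetObject", ""))
            # lsass.exe is the normal writer of SAM; any other image touching a user's F value is suspect.
            if m and not ev.get("Image", "").lower().endswith(r"\lsass.exe"):
                rid = int(m["rid"], 16)
                findings.append(("high", f"SAM F value of RID {rid} written by {ev.get('Image', '?')}"))
    return findings

if __name__ == "__main__":
    for sev, desc in analyze(EVENTS):
        print(f"[{sev}] {desc}")
```

On the sample data the `reg.exe` write to RID 1008's `F` value and the subsequent group addition of the just-created account both surface as high-severity findings, while the routine `lsass.exe` write is ignored.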
## Mitigation Strategies
- Strict enforcement of the principle of least privilege.
- Rigorous auditing of local account creation and membership in the Administrators group.
- Detecting and preventing the use of privilege escalation tools like PsExec and JuicyPotato.
## Related Tools/Techniques
- PsExec
- JuicyPotato
***
# Tool/Technique: Hardware Breakpoints for ETW Evasion
## Overview
A recently discovered technique leverages CPU-level hardware breakpoints, set via the native Windows function `NtContinue`, to hook functions and manipulate the telemetry generated by Event Tracing for Windows (ETW), thereby evading ETW-based monitoring. This bypasses standard EDR detection mechanisms that watch for API calls such as `SetThreadContext`.
## Technical Details
- Type: Technique (Defense Evasion)
- Platform: Windows
- Capabilities: Establishing "patchless" hooks at the CPU level to manipulate code execution and prevent ETW from logging suspicious activity, thereby evading EDR security controls that rely on ETW telemetry.
- First Seen: Recently discovered by researchers at Praetorian.
## MITRE ATT&CK Mapping
- T1027 - Obfuscated Files or Information
- T1027.005 - Obfuscated Files or Information: Hardware Observation (Related concept of direct CPU interaction)
- T1564 - Hide Artifacts
- T1564.003 - Hide Artifacts: Hidden Registry Key (Analogous goal of remaining hidden)
- T1055 - Process Injection
- T1055.004 - Process Injection: Accessing Non-System or Kernel Memory (Related to manipulating context/execution flow)
## Functionality
### Core Capabilities
- Using `NtContinue` instead of `SetThreadContext` to set debug registers (hardware breakpoints).
- Hooking functions at the CPU level to intercept and alter execution pathways.
- Preventing the generation or proper logging of events that EDRs parse from ETW.
### Advanced Features
- "Patchless" hooks, meaning the technique avoids modifying sections of memory that might be directly scanned by defensive tools (like AMSI).
- Thwarts telemetry reliant on standard thread context manipulation calls.
## Indicators of Compromise
- File Hashes: N/A (Technique-based)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Unusual use of `NtContinue` in conjunction with low-level debugging APIs, or manipulation of CPU debug registers.
## Associated Threat Actors
- Adversaries seeking stealthy code injection and EDR evasion. (No specific group named in the context of this technique yet).
## Detection Methods
- Signature-based detection: Monitoring for direct interaction with low-level context setting/debugging APIs that are not standard for typical processes.
- Behavioral detection: High fidelity monitoring for CPU debug register manipulation and anomalous calls to `NtContinue`.
- YARA rules if available: Not specified.
## Mitigation Strategies
- Employing security solutions capable of monitoring CPU hardware access/debug registers directly, analyzing context manipulation beyond standard Windows API calls.
- Implementing defenses against "patchless" hooking techniques.
## Related Tools/Techniques
- SetThreadContext (the thread-context API whose EDR monitoring this technique sidesteps)
- Event Tracing for Windows (ETW)