Detect Threat indicators for VMware ESXi servers (#2708)

rules/linux/defense_evasion_esxi_suspicious_timestomp_touch.toml

@@ -0,0 +1,54 @@
+[metadata]
+creation_date = "2023/04/11"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.5.0"
+updated_date = "2023/04/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies instances where the 'touch' command is executed on a Linux system with the "-r" flag,
+which is used to modify the timestamp of a file based on another file's timestamp. The rule targets specific VM-related
+paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*". These paths are associated with VMware virtualization
+software, and their presence in the touch command arguments may indicate that a threat actor is attempting to
+tamper with timestamps of VM-related files and configurations on the system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "ESXI Timestomping using Touch Command"
+references = [
+    "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+]
+risk_score = 47
+rule_id = "30bfddd7-2954-4c9d-bbc6-19a99ca47e23"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.name : "touch" and process.args : "-r" and process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1070"
+name = "Indicator Removal"
+reference = "https://attack.mitre.org/techniques/T1070/"
+[[rule.threat.technique.subtechnique]]
+id = "T1070.006"
+name = "Timestomp"
+reference = "https://attack.mitre.org/techniques/T1070/006/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

rules/linux/defense_evasion_rename_esxi_files.toml

@@ -0,0 +1,53 @@
+[metadata]
+creation_date = "2023/04/11"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.5.0"
+updated_date = "2023/04/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies instances where VMware-related files, such as those with extensions like ".vmdk", ".vmx", ".vmxf", ".vmsd",
+".vmsn", ".vswp", ".vmss", ".nvram", and ".vmem", are renamed on a Linux system. The rule monitors for the "rename"
+event action associated with these file types, which could indicate malicious activity.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Renaming of ESXI Files"
+references = [
+    "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+]
+risk_score = 47
+rule_id = "97db8b42-69d8-4bf3-9fd4-c69a1d895d68"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+file where host.os.type == "linux" and event.action == "rename" and
+file.Ext.original.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem")
+and not file.name : ("*.vmdk", "*.vmx", "*.vmxf", "*.vmsd", "*.vmsn", "*.vswp", "*.vmss", "*.nvram", "*.vmem")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.003"
+name = "Rename System Utilities"
+reference = "https://attack.mitre.org/techniques/T1036/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

rules/linux/defense_evasion_rename_esxi_index_file.toml

@@ -0,0 +1,52 @@
+[metadata]
+creation_date = "2023/04/11"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.5.0"
+updated_date = "2023/04/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system.
+The rule monitors for the "rename" event action associated with this specific file and path,
+which could indicate malicious activity.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Renaming of ESXI index.html File"
+references = [
+    "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+]
+risk_score = 47
+rule_id = "c125e48f-6783-41f0-b100-c3bf1b114d16"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+file where host.os.type == "linux" and event.action == "rename" and file.name : "index.html" and
+file.Ext.original.path : "/usr/lib/vmware/*"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1036"
+name = "Masquerading"
+reference = "https://attack.mitre.org/techniques/T1036/"
+[[rule.threat.technique.subtechnique]]
+id = "T1036.003"
+name = "Rename System Utilities"
+reference = "https://attack.mitre.org/techniques/T1036/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"

rules/linux/discovery_esxi_software_via_find.toml

@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/04/11"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.5.0"
+updated_date = "2023/04/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies instances where the 'find' command is started on a Linux system with arguments targeting
+specific VM-related paths, such as "/etc/vmware/", "/usr/lib/vmware/", or "/vmfs/*".
+These paths are associated with VMware virtualization software, and their presence in the find command arguments
+may indicate that a threat actor is attempting to search for, analyze, or manipulate VM-related files
+and configurations on the system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "ESXI Discovery via Find"
+references = [
+    "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+]
+risk_score = 47
+rule_id = "33a6752b-da5e-45f8-b13a-5f094c09522f"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and process.name : "find" and
+process.args : ("/etc/vmware/*", "/usr/lib/vmware/*", "/vmfs/*")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1518"
+name = "Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"

rules/linux/discovery_esxi_software_via_grep.toml

@@ -0,0 +1,49 @@
+[metadata]
+creation_date = "2023/04/11"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.5.0"
+updated_date = "2023/04/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies instances where a process named 'grep', 'egrep', or 'pgrep' is started on a Linux system with arguments
+related to virtual machine (VM) files, such as "vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram",
+or "vmem". These file extensions are associated with VM-related file formats, and their presence in grep command
+arguments may indicate that a threat actor is attempting to search for, analyze, or manipulate VM files on the system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "ESXI Discovery via Grep"
+references = [
+    "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+]
+risk_score = 47
+rule_id = "2b662e21-dc6e-461e-b5cf-a6eb9b235ec4"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Discovery"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
+process.name : ("grep", "egrep", "pgrep") and
+process.args : ("vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem")
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1518"
+name = "Software Discovery"
+reference = "https://attack.mitre.org/techniques/T1518/"
+
+
+[rule.threat.tactic]
+id = "TA0007"
+name = "Discovery"
+reference = "https://attack.mitre.org/tactics/TA0007/"

rules/linux/impact_esxi_process_kill.toml

@@ -0,0 +1,48 @@
+[metadata]
+creation_date = "2023/04/11"
+integration = ["endpoint"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.5.0"
+updated_date = "2023/04/11"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies instances where VMware processes, such as "vmware-vmx" or "vmx," are terminated on a Linux system
+by a "kill" command. The rule monitors for the "end" event type, which signifies the termination of a process.
+The presence of a "kill" command as the parent process for terminating VMware processes may indicate that a
+threat actor is attempting to interfere with the virtualized environment on the targeted system.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious Termination of ESXI Process"
+references = [
+    "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
+]
+risk_score = 47
+rule_id = "6641a5af-fb7e-487a-adc4-9e6503365318"
+severity = "medium"
+tags = ["Elastic", "Host", "Linux", "Threat Detection", "Impact"]
+timestamp_override = "event.ingested"
+type = "eql"
+query = '''
+process where host.os.type == "linux" and event.type == "end" and process.name : ("vmware-vmx", "vmx")
+and process.parent.name : "kill"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1489"
+name = "Service Stop"
+reference = "https://attack.mitre.org/techniques/T1489/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"