RTM Locker for ESXi
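```Detecting vm process enumeration, process kills, & reverse shells on ESXi```
```Input: ESXi shell.log and crond.log events forwarded as vmware_vsphere syslog. Output: one row per host with the matched commands, the shell users seen, and the timestamps of the matches.```
index=syslog source=vmware_vsphere (sourcetype="*shell.log" OR sourcetype="*crond.log")
```The final stats reports time_Stamp, so the timestamp has to be captured here; no other rex in this search sets it.```
| rex field=_raw "(?<time_Stamp>\d+-\d+-\d+T\d+:\d+:\d+Z)"
```shell.log lines carry the shell user in square brackets before the command text```
| rex field=_raw "\d+-\d+-\d+T\d+:\d+:\d+Z\s[\w.]+\s\w+\[\d+\]:\s\[(?<user>\w+)\]:\s(?<shell_Command>.*)$"
```crond/esxcli lines have no user field: everything after the pid is the command. This pattern is a superset of the one above, so shell.log lines also land here with the "[user]:" prefix still attached.```
| rex field=_raw "\d+-\d+-\d+T\d+:\d+:\d+Z\s[\w.]+\s\w+\[\d+\]:\s(?<esxicli_Command>.*$)"
| eval command=mvappend(esxicli_Command, shell_Command)
| where isnotnull(command)
```Patterns: esxcli vm/account/encryption/firewall/audit tampering plus common reverse-shell one-liners. "*rm *" and "kill *" are broad and will match routine administration; review them per environment before alerting on this search.```
| search (command IN
("esxcli vm process list >>*",
"esxcli vm process kill -t=force -w*",
"*vm process list*",
"*vm process kill*",
"* esxcli vm process list >>*",
"* esxcli vm process kill -t=force -w*",
"esxcli system permission list*",
"*system permission list*",
"esxcli system account list*",
"*system account list*",
"esxcli system account set -i * -s t*",
"*system account set -i * -s t*",
"esxcli system settings encryption set --require-secure-boot=F*",
"*system settings encryption set --require-secure-boot=F*",
"esxcli system settings encryption set --require-exec-installed-only=F*",
"*system settings encryption set --require-exec-installed-only=F*",
"esxcli system settings kernel set -s execInstalledOnly -v F*",
"*system settings kernel set -s execInstalledOnly -v F*",
"esxcli system account add*",
"*system account add*",
"esxcli system account remove*",
"*system account remove*",
"esxcli network firewall set --enabled f*",
"*network firewall set --enabled f*",
"esxcli system auditrecords local disable*",
"*system auditrecords local disable*",
"*rm *",
"kill *",
"*bash -i >& /dev/tcp/*",
"*/dev/tcp/*",
"*/dev/udp/*",
"*/socat exec:'bash -li'*",
"*socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))*",
"*new IO::Socket::INET(PeerAddr*",
"*python -c 'import socket*"))
```One row per host; values() de-duplicates, so repeated identical commands collapse into one entry.```
| stats values(time_Stamp) as time_Stamp values(command) as commands values(user) as user by host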
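```Detecting SSH authentication brute force on ESXi```
```Input: ESXi sshd.log events forwarded as vmware_vsphere syslog. Output: one row per host whose failed-login event count in the search window exceeds the threshold, with the distinct failure messages and the first/last time they were seen.```
index=syslog source=vmware_vsphere sourcetype="*/sshd.log"
```pam_unix auth lines: keep the text after "pam_unix(sshd:auth):"```
| rex field=_raw "\d+-\d+-\d+T\d+:\d+:\d+Z\s[\w.]+\s\w+\[\d+\]:\spam_unix\(sshd:auth\):\s(?<auth_events>.*$)"
```sshd debug lines: only "Failed keyboard..." messages are of interest```
| rex field=_raw "\d+-\d+-\d+T\d+:\d+:\d+Z\s[\w.]+\s\w+\[\d+\]:\s(?<auth_debug>Failed\skeyboard.*$)"
| search (auth_debug="Failed keyboard-interactive/pam for *") OR (auth_events="authentication failure; *")
| eval log_match_match = mvappend(auth_events, auth_debug)
```first_seen/last_seen (epoch) let an analyst judge the rate of the burst, not only its size. NOTE(review): pam_unix failure lines usually carry a rhost= value; extracting it and grouping by host AND source would separate one noisy client from a distributed attempt - confirm the field against sample logs before relying on it.```
| stats count min(_time) as first_seen max(_time) as last_seen values(log_match_match) as log_matches by host
```NOTE(review): one failed attempt may emit both a pam_unix line and a "Failed keyboard-interactive" line, so count can be up to twice the number of attempts; 10 is a starting threshold, tune it per environment.```
| where count > 10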