vSphere and BRICKSTORM Malware: A Defender's Guide
Thursday, April 2, 2026 at 02:00 PM UTC·Source: Mandiant
Updated: Thursday, April 2, 2026 at 05:51 PM UTC
<div class="block-paragraph_advanced"><p>Written by: Stuart Carrera</p> <hr/></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span></h3> <p><span style="vertical-align: baseline;">Building on </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">recent BRICKSTORM research</span></a><span style="vertical-align: baseline;"> from Google Threat Intelligence Group (GTIG), this post explores the evolving threats facing virtualized environments. These operations directly target the VMware vSphere ecosystem, specifically the vCenter Server Appliance (VCSA) and ESXi hypervisors. To help organizations stay ahead of these risks, we focus on the hardening strategies and mitigating controls necessary to secure these critical assets.</span></p> <p><span style="vertical-align: baseline;">By establishing persistence at the virtualization layer, threat actors operate beneath the guest operating system, where traditional security protections are ineffective. This strategy takes advantage of a significant visibility gap: these control planes do not support standard endpoint detection and response (EDR) agents and have historically received less security focus than traditional endpoints.</span></p> <p><span style="vertical-align: baseline;">This activity is not the result of a security vulnerability in vendors' products or infrastructure. Instead, these intrusions exploit weak security architecture and identity design, a lack of host-based configuration enforcement, and limited visibility within the virtualization layer. 
By operating within these unmonitored areas, attackers can establish long-term persistence and gain administrative control over the entire vSphere environment.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img src="https://storage.googleapis.com/gweb-cloudblog-publish/images/vsphere-brickstorm-fig1.max-1000x1000.jpg" alt="BRICKSTORM vSphere attack chain"> <figcaption class="article-image__caption "><p data-block-key="xm3ui">Figure 1: BRICKSTORM vSphere attack chain</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><p>This guide provides a framework for an infrastructure-centric defense. To help automate some of this guidance and secure the control plane against threats like BRICKSTORM, Mandiant released a <a href="https://github.com/mandiant/vcsa-hardening-tool" rel="noopener" target="_blank">vCenter Hardening Script</a> that enforces these security configurations directly at the Photon Linux layer. By implementing these recommendations, organizations can transform the virtualization layer into a hardened environment capable of detecting and blocking persistent threats.</p></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">vCenter Server Appliance Risk Analysis</span></h3> <p><span style="vertical-align: baseline;">The vCenter Server Appliance (VCSA) is the central point of control and trust for the vSphere infrastructure. Running on a specialized Photon Linux operating system, the VCSA manages the ESXi hosts that typically run critical Tier-0 workloads, such as domain controllers and privileged access management (PAM) solutions. 
This means the underlying virtualization platform inherits the same classification and risk profile as the highly sensitive assets it supports.</span></p> <p><span style="vertical-align: baseline;">A compromise of the vCenter control plane grants an attacker administrative control over every managed ESXi host and virtual machine, effectively rendering traditional organizational tiering irrelevant. Because the VCSA is a purpose-built appliance, relying on out-of-the-box defaults is often insufficient; achieving a Tier-0 security standard requires intentional, custom security configurations at both the vSphere and the underlying Photon Linux layers.</span></p> <p><span style="vertical-align: baseline;">For a threat actor, the VCSA provides:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Centralized Command:</strong><span style="vertical-align: baseline;"> The ability to power off, delete, or reconfigure any virtual machine, combined with the ability to reset root credentials on any managed ESXi host, which yields full control of the hypervisor.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Total Data Access: </strong><span style="vertical-align: baseline;">Access to the underlying storage (VMDKs) of every application, bypassing operating system permissions and traditional file system security. 
This provides a direct path for data exfiltration of Tier-0 assets.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Command-Line Logging Gaps:</strong><span style="vertical-align: baseline;"> If an attacker gains access to the underlying Photon OS shell via Secure Shell (SSH), there is by default no remote logging of the shell commands they run.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">Management Plane Dependencies</span></h4> <p><span style="vertical-align: baseline;">Many organizations host their Active Directory domain controllers as virtual machines (VMs) within the same vSphere cluster managed by a vCenter that is itself AD-integrated. If an attacker disables the virtual network or encrypts the datastores, the domain controllers go offline and vCenter loses its ability to authenticate administrators. In a scenario where the VCSA is encrypted or wiped, the tools required for large-scale recovery are also lost. This forces organizations to rely on manual restores via individual ESXi hosts, substantially extending the recovery timeline.</span></p> <h4><span style="vertical-align: baseline;">vSphere 7 End of Life</span></h4> <p><span style="vertical-align: baseline;">vSphere 7 reached End of Life (EoL) in October 2025. Organizations carrying this legacy technical debt are running software that, until they upgrade, no longer receives critical security patches. This gives threat actors an opportunity to exploit known vulnerabilities that will never be fixed.</span></p> <h3><span style="vertical-align: baseline;">The Strategic Advantage of Proactive Measures</span></h3> <p><span style="vertical-align: baseline;">To secure the control plane, organizations should adopt a strategy where the infrastructure itself acts as the primary line of defense. 
</span></p> <p><span style="vertical-align: baseline;">A resilient defense relies on two strategies:</span></p> <ul> <li role="presentation"><strong style="vertical-align: baseline;">Technical Hardening: </strong><span style="vertical-align: baseline;">Defense-in-depth should be applied to the hypervisor layer to reduce the attack surface. Threat actors target insecure defaults. Hardening measures, such as enabling Secure Boot, strictly firewalling management interfaces, and disabling shell access, create “friction.” When a threat actor attempts to write a persistence script to </span><code><span style="vertical-align: baseline;">/etc/rc.local.d</span></code><span style="vertical-align: baseline;"> or modify a startup file, a hardened configuration can block the action or force the actor onto methods that generate noisy log telemetry.</span></li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">High-Fidelity Signal Analysis:</strong><span style="vertical-align: baseline;"> Threat actors are adept at rotating infrastructure and recompiling tools to change their signatures. Relying on a blocklist of bad IPs or a database of known malware hashes is not an effective strategy, because threat actors rotate command-and-control servers and lean on native binaries already present on the appliance. 
Instead, the focus should shift entirely to behavioral patterns.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Building on this strategic foundation where the infrastructure itself acts as the primary line of defense, this guide outlines four phases of technical enforcement:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Phase 1: Benchmarking and Base Controls</strong><span style="vertical-align: baseline;"> – Establishing the foundation with Security Technical Implementation Guides (STIG) and patching.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Phase 2: Identity Management</strong><span style="vertical-align: baseline;"> – Hardening administrative access to critical infrastructure via PAWs and PAM solutions. </span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Phase 3: vSphere Network Hardening</strong><span style="vertical-align: baseline;"> – Eliminating lateral movement with Zero Trust networking. 
</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Phase 4: Logging and Forensic Visibility</strong><span style="vertical-align: baseline;"> – Transforming the appliance into a proactive security sensor.</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Phase 1: Benchmarking and Base Controls</span></h3> <p><span style="vertical-align: baseline;">Organizations should use the hardening measures outlined in the </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">Mandiant vSphere hardening blog post</span></a><span style="vertical-align: baseline;"> combined with a strict patching and upgrade strategy. This provides a standard foundation to develop a strong security posture. By implementing an enhanced security baseline centered on the Photon Linux DISA STIG and VMware security hardening guides, organizations can harden the OS-level components that actors target.</span></p> <p><strong style="vertical-align: baseline;">Key Frameworks:</strong></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://www.stigviewer.com/stigs/vmware_vsphere_70_vcenter_appliance_photon_os" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">VMware vSphere 7.0 VCSA Photon OS STIG</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://www.stigviewer.com/stigs/vmware_vsphere_80_vcenter_appliance_photon_os_40" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">VMware vSphere 8.0 VCSA Photon OS STIG</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p 
role="presentation"><a href="https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/security-configuration-hardening-guide/vsphere" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">VMware vSphere Security Hardening Guides</span></a></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><a href="https://github.com/vmware/vcf-security-and-compliance-guidelines/tree/main/ransomware-resources/BRICKSTORM" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">VMware BRICKSTORM Resources and Defense</span></a></p> </li> </ul> <p><strong style="vertical-align: baseline;">STIG Control Mappings to Attacker TTPs</strong></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div 
style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">STIG ID</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Control Title</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">TTP </strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Detail </strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://www.stigviewer.com/stigs/vmware_vsphere_80_vcenter/2025-06-09/finding/V-258910" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">V-258910</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Require Multi-factor authentication (MFA)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span 
style="vertical-align: baseline;">Establish Foothold / Privilege Escalation</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">MFA on vCenter web login prevents compromised Active Directory credentials alone from granting full access.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://www.stigviewer.com/stigs/vmware_vsphere_70_vcenter/2023-12-21/finding/V-256337" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">V-256337</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Real-time Alert on SSO Account Actions</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Persistence / Anti-Forensics</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">The actor creates local SSO accounts, deploys backdoors, and deletes the accounts within minutes. Real-time alerting on PrincipalManagement events is required to catch this activity before the account is gone.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://www.stigviewer.com/stigs/vmware_vsphere_80_vcenter/2025-06-09/finding/V-258921" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">V-258921</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Verify User Roles (Least Privilege)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Data Exfiltration</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Identifies and removes excessive privileges that have accumulated in otherwise non-administrative roles.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://stigviewer.cyberprotection.com/stigs/vmware_vsphere_8.0_vcenter/2025-06-09/finding/V-258956" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">V-258956</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Limit membership to "BashShellAdministrators"</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Escalate Privileges</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Even if an attacker compromises a vSphere Admin account, they cannot access the Photon OS bash shell unless that account is in this specific single sign-on (SSO) group. 
It blocks the "VAMI-to-Shell" pivot used to deploy backdoors.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><a href="https://www.stigviewer.com/stigs/vmware_vsphere_80_vcenter/2025-06-09/finding/V-258968" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">V-258968</span></a></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Ensure SSH Is Disabled</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Initial Access</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Actors often use the VAMI (port 5480) to enable SSH before deploying the backdoor. This control verifies that SSH is disabled on the appliance.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">STIG controls mapping</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">vSphere Infrastructure-Level Data Exfiltration</span></h4> <p><span style="vertical-align: baseline;">Standard vSphere configurations typically bury high-risk privileges such as VM cloning and export inside generalized administrative roles, allowing these actions to blend into the background noise of routine operations. This gives a threat actor the means to silently exfiltrate a domain controller or credential repository. 
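The V-256337 row in the mapping above calls for real-time alerting on PrincipalManagement events because the account an actor creates may be deleted before anyone reviews the logs. The following Python is an added example, not Mandiant's code and not part of the vCenter Hardening Script: it correlates create, group-add and delete actions per principal so that an account that lived only minutes still raises an alert, and it flags any addition to the Administrators or SystemConfiguration.BashShellAdministrators SSO groups. The sample lines, their syslog-style prefix and the key=value field names are constructed for the example; only the com.vmware.sso.PrincipalManagement event type, which the STIG check alarms on, is taken from the real platform.

```python
"""Correlate vCenter SSO PrincipalManagement events into behavioural alerts.

Added example for this guide, not Mandiant's tooling. The line layout and the
key=value field names are assumptions made for the example; adapt _LINE_RE to
the real event feed (vpxd events forwarded over syslog, or a SIEM export).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample feed (not real vCenter output). One account is created,
# dropped into Administrators and deleted twenty minutes later; a second
# account is created and left alone; the last line is an unrelated event.
SAMPLE_LOG = """\
2026-03-10T02:11:05Z vcsa01 vpxd: com.vmware.sso.PrincipalManagement action=CreateLocalUser principal=svc_backup@vsphere.local actor=administrator@vsphere.local
2026-03-10T02:12:40Z vcsa01 vpxd: com.vmware.sso.PrincipalManagement action=AddToGroup principal=svc_backup@vsphere.local group=Administrators actor=administrator@vsphere.local
2026-03-10T02:31:02Z vcsa01 vpxd: com.vmware.sso.PrincipalManagement action=DeleteLocalUser principal=svc_backup@vsphere.local actor=administrator@vsphere.local
2026-03-10T09:00:00Z vcsa01 vpxd: com.vmware.sso.PrincipalManagement action=CreateLocalUser principal=ops_jdoe@vsphere.local actor=administrator@vsphere.local
2026-03-10T09:05:00Z vcsa01 vpxd: vim.event.UserLoginSessionEvent user=ops_jdoe@vsphere.local
"""

# SSO groups whose membership changes always warrant an alert. The second one
# gates access to the appliance bash shell (the V-258956 row above).
WATCHED_GROUPS = frozenset({"Administrators", "SystemConfiguration.BashShellAdministrators"})

# Assumed layout: ISO timestamp, host, process, event type, then key=value pairs.
_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ \S+ "
    r"com\.vmware\.sso\.PrincipalManagement (?P<kv>.*)$"
)


@dataclass
class Event:
    ts: datetime
    action: str
    principal: str
    actor: str
    fields: dict[str, str] = field(default_factory=dict)


def parse_events(text: str) -> list[Event]:
    """Parse PrincipalManagement lines; any other event type in the feed is ignored."""
    events: list[Event] = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        kv = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
        events.append(
            Event(
                ts=datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
                action=kv.get("action", ""),
                principal=kv.get("principal", ""),
                actor=kv.get("actor", ""),
                fields=kv,
            )
        )
    return sorted(events, key=lambda e: e.ts)


def ephemeral_accounts(events: list[Event], window_seconds: int = 3600) -> list[tuple[str, int, str]]:
    """Accounts created and deleted within window_seconds.

    Returns (principal, lifetime in seconds, actor who deleted it). The state is
    keyed on the principal name, so the alert fires even though the account no
    longer exists by the time an analyst goes looking for it.
    """
    created: dict[str, Event] = {}
    alerts: list[tuple[str, int, str]] = []
    for e in events:
        if e.action == "CreateLocalUser":
            created[e.principal] = e
        elif e.action == "DeleteLocalUser" and e.principal in created:
            lifetime = int((e.ts - created.pop(e.principal).ts).total_seconds())
            if lifetime <= window_seconds:
                alerts.append((e.principal, lifetime, e.actor))
    return alerts


def privileged_group_adds(events: list[Event], watched: frozenset[str] = WATCHED_GROUPS) -> list[tuple[str, str, str]]:
    """Every AddToGroup into a watched group, as (principal, group, actor)."""
    return [
        (e.principal, e.fields.get("group", ""), e.actor)
        for e in events
        if e.action == "AddToGroup" and e.fields.get("group") in watched
    ]


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for principal, secs, actor in ephemeral_accounts(evts):
        print(f"ALERT ephemeral SSO account {principal}: deleted after {secs}s by {actor}")
    for principal, group, actor in privileged_group_adds(evts):
        print(f"ALERT {principal} added to {group} by {actor}")
```

Run it against a forwarded vpxd event stream rather than the constructed sample, and tune the window to the team's change-management cadence: an account that is created and removed inside one maintenance window is exactly the pattern the page describes. Membership changes to BashShellAdministrators should alert regardless of account lifetime, since that group is what stands between a compromised vSphere administrator and the Photon OS shell.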
Organizations should transition from a model of permissive vSphere access control to a comprehensive cryptographic enforcement policy.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div 
style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Security Control</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">What It Protects Against</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Implementation Method</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vSphere VM Encryption</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Theft of VMDK files from the datastore; offline analysis and snapshot of memory</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Enable in VM Policies (Requires a KMS)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">In-Guest Encryption (BitLocker)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mounting the VMDK to another VM; offline file system browsing</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Enable inside Windows OS (Requires a vTPM)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vMotion Encryption</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; 
padding: 16px;"> <p><span style="vertical-align: baseline;">Capture of in-memory credentials (krbtgt hashes) during live migration</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Set vMotion to "Required" in VM Options</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Virtual TPM (vTPM) & Secure Boot</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Bootkit persistence and tampering; strengthens in-guest features like Credential Guard</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Enable in VM Options (Hardware & Boot sections)</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Lock Boot Order & BIOS</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Booting from a malicious ISO to reset passwords or bypass security controls</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Set a VM BIOS password and configure boot options</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Disable Copy/Paste</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Silent data exfiltration of credentials or secrets via the VM console</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: 
baseline;">Set VM Advanced Settings (</span><code style="vertical-align: baseline;">isolation.tools.copy.disable = TRUE</code><span style="vertical-align: baseline;">, </span><code style="vertical-align: baseline;">isolation.tools.paste.disable = TRUE</code><span style="vertical-align: baseline;">, </span><code style="vertical-align: baseline;">isolation.tools.dnd.disable = TRUE</code><span style="vertical-align: baseline;">). These are disabled by default on supported releases, so the control is to verify that no VM has overridden them.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Recommended controls for data exfiltration mitigation</span></div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Resilience against vSphere data exfiltration requires a shift in how high-value virtual assets are governed:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Mandatory Tier-0 Encryption: </strong><span style="vertical-align: baseline;">Enforcing vSphere-native VM encryption is the primary and most essential control for all critical Tier-0 virtual machines. Organizations should mandate that every domain controller, certificate authority, and password vault be encrypted at the virtual machine level.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Cryptographic Isolation:</strong><span style="vertical-align: baseline;"> Tier-0 assets should be subject to a unique key-locked encryption policy. 
By mandating a separate key management server (KMS) cluster for these workloads, organizations ensure that a threat actor cannot unlock a cloned disk without access to a secure, hardware-backed vault.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Entitlement De-coupling:</strong><span style="vertical-align: baseline;"> The "Clone" and "Export" privileges should be stripped from standard administrative roles. These functions should be reassigned to a highly restricted, auditable "break-glass" identity, used exclusively for emergency recovery scenarios.</span></p> </li> </ul> <h3><span style="vertical-align: baseline;">Phase 2: Identity Management</span></h3> <p><span style="vertical-align: baseline;">Identity management best practices for vSphere focus on three controls: mandating that all vSphere administrative sessions originate from dedicated privileged access workstations, brokering those sessions through a PAM solution, and enforcing host-level hardening by restricting shell access for the vpxuser account.</span></p> <h4><span style="vertical-align: baseline;">Privileged Access Workstations (PAWs)</span></h4> <p><span style="vertical-align: baseline;">To prevent a threat actor from pivoting to the virtualization management plane from compromised user endpoints or appliances, administrative sessions should originate from a dedicated PAW: a hardened workstation used only for vSphere administrative functions and interfaces.</span></p> <h4><span style="vertical-align: baseline;">Privileged Access Management (PAM)</span></h4> <p><span style="vertical-align: baseline;">PAM tools serve as an intermediary to mitigate specific threats such as the </span><code style="vertical-align: baseline;">BRICKSTEAL</code><span style="vertical-align: baseline;"> credential harvester. 
By mandating credential injection, organizations ensure that administrators never see or type the underlying passwords, which shrinks the surface where a harvester can intercept them. Automated secret rotation should be enforced so that any credential that is captured has a short useful life, particularly root passwords and service account keys.</span></p> <h4><span style="vertical-align: baseline;">Authentication and Platform Hardening</span></h4> <p><span style="vertical-align: baseline;">Accounts residing in the default </span><code style="vertical-align: baseline;">vsphere.local</code> <span style="vertical-align: baseline;">single sign-on (SSO) domain, most notably the built-in </span><code style="vertical-align: baseline;">administrator@vsphere.local</code> <span style="vertical-align: baseline;">superuser, pose a specific security risk because they do not support modern MFA integration. Due to this limitation, organizations should limit the use of </span><code style="vertical-align: baseline;">vsphere.local</code><span style="vertical-align: baseline;"> accounts for daily administration; instead, they should be treated as emergency "break-glass" credentials that are secured with complex, vaulted passwords.</span></p> <h4><span style="vertical-align: baseline;">The vSphere VPXUSER</span></h4> <p><span style="vertical-align: baseline;">The </span><code style="vertical-align: baseline;">vpxuser</code><span style="vertical-align: baseline;"> account is a high-privilege system account that vCenter provisions on each managed ESXi host to carry out core infrastructure management operations.</span></p> <p><span style="vertical-align: baseline;">A threat actor possessing administrative control over the VCSA effectively inherits the delegated authority of the </span><code style="vertical-align: baseline;">vpxuser</code> <span style="vertical-align: baseline;">across the entire managed cluster. 
This entitlement enables a pivot from the management plane to the host-level shell.</span></p> <h4><span style="vertical-align: baseline;">The Primary Mitigation (vSphere ESXi 8.0+): Disabling Shell Access</span></h4> <p><span style="vertical-align: baseline;">To mitigate this lateral movement vector, vSphere 8.0 introduced a technical control allowing administrators to remove shell access from the </span><code style="vertical-align: baseline;">vpxuser</code><span style="vertical-align: baseline;"> account. Enforce the following configuration on all ESXi 8.0+ hosts to restrict the </span><code style="vertical-align: baseline;">vpxuser</code><span style="vertical-align: baseline;"> identity:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>esxcli system account set -i vpxuser -s false</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">ESXi Host Identity Hardening Strategy</span></h4> <p><span style="vertical-align: baseline;">Additional hardening measures to prevent bypasses via alternative mechanisms, such as Host Profile manipulation, include:</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; 
overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Control Type</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Strategic Requirement</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Implementation</strong><strong style="vertical-align: baseline;"> </strong><strong style="vertical-align: baseline;">Method</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Pivot Mitigation</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">VPXUSER Shell Lock</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span 
style="vertical-align: baseline;">Disable shell access for the management account to sever the vCenter-to-Host attack path.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Account Obfuscation</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Rename root Account</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Transition the default </span><code><span style="vertical-align: baseline;">root</span></code><span style="vertical-align: baseline;"> identifier to a unique, non-predictable string to invalidate automated brute-force attempts.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Credential Entropy</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">15+ Character Baseline</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Enforce a strict, system-wide password complexity policy using </span><code><span style="vertical-align: baseline;">Security.PasswordQualityControl</span></code><span style="vertical-align: baseline;">.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Vaulted Identity</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Secure Credentials </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mandate the use of an enterprise password 
vault for all local host credentials to ensure auditable "break-glass" access.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">ESXi host hardening</span></div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Phase 3: vSphere Network Hardening</span></h3> <h4><span style="vertical-align: baseline;">Securing the Virtualization Network</span></h4> <p><span style="vertical-align: baseline;">Establishing a vSphere Zero Trust network posture is the foundational requirement for securing a resilient Tier-0 architecture. Because the vCenter Server Appliance (VCSA) and ESXi hypervisors lack native MFA support for local privileged accounts, identity-based validation is insufficient as a singular point of security enforcement. 
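The VLAN and ingress filtering tables that follow define this network posture; as an added example that is not part of the original post, this Python script transcribes the ingress table into a first-match rule set with an implicit default deny and checks it against the flows the guide says must be allowed or blocked, so a policy change can be tested before it reaches the gateway. The zone CIDRs are constructed sample values, and "Mgmt VLAN" is assumed to cover both the ESXi and the VCSA/infrastructure segments.

```python
"""Unit-test the management-subnet ingress posture (added example).

Zone CIDRs are constructed sample addressing. The rule list transcribes the
ingress filtering table from this guide; evaluation is first-match with an
implicit default deny, the "no route or explicit Deny" posture the text
requires for every subnet the table does not mention.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample addressing (assumption): substitute the real subnets.
ZONES = {
    "PAW": ["10.250.1.0/24"],
    "ESXi VLAN": ["10.10.0.0/24"],      # host management (vmk0) segment
    "VCSA IP": ["10.10.1.10/32"],
    "Backup": ["10.10.1.20/32"],
    "Monitoring": ["10.10.1.30/32"],
    "Guest VM": ["10.100.0.0/16"],
    "Corporate LAN": ["10.20.0.0/16"],  # no rule at all: must fall to default deny
}
# "Mgmt VLAN" in the table covers both the ESXi and the VCSA/infrastructure segments.
ZONES["Mgmt VLAN"] = ZONES["ESXi VLAN"] + ["10.10.1.0/24"]


@dataclass(frozen=True)
class Rule:
    src: str             # zone name or "ANY"
    dst: str
    proto: str           # "tcp", "udp", "icmp" or "any"
    port: Optional[int]  # None matches any port (and ICMP, which has none)
    action: str          # "ALLOW" or "DENY"
    note: str


# The ingress table, in the order the guide lists it.
INGRESS_RULES: List[Rule] = [
    Rule("PAW", "Mgmt VLAN", "tcp", 443, "ALLOW", "Authorized vSphere Client/API Access"),
    Rule("PAW", "ESXi VLAN", "tcp", 902, "ALLOW", "Secure Remote Console (MKS) Access"),
    Rule("ESXi VLAN", "VCSA IP", "tcp", 443, "ALLOW", "ESXi Host to vCenter communication"),
    Rule("Backup", "VCSA IP", "tcp", 443, "ALLOW", "Backup API Access"),
    Rule("Monitoring", "Mgmt VLAN", "icmp", None, "ALLOW", "Verified Infrastructure Health Probes"),
    Rule("Monitoring", "Mgmt VLAN", "udp", 161, "ALLOW", "Verified Infrastructure Health Probes"),
    Rule("ANY", "Mgmt VLAN", "tcp", 22, "DENY", "MANDATORY SSH BLOCK"),
    Rule("ANY", "Mgmt VLAN", "tcp", 5480, "DENY", "MANDATORY VAMI BLOCK"),
    Rule("Guest VM", "Mgmt VLAN", "any", None, "DENY", "Eliminates all East-West lateral movement paths"),
]


def in_zone(ip: str, zone: str) -> bool:
    if zone == "ANY":
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in ZONES[zone])


def evaluate(src_ip: str, dst_ip: str, proto: str, port: Optional[int] = None,
             rules: List[Rule] = INGRESS_RULES) -> Tuple[str, str]:
    """First matching rule decides; a flow that no rule mentions is denied."""
    proto = proto.lower()
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if r.port is not None and r.port != port:
            continue
        if in_zone(src_ip, r.src) and in_zone(dst_ip, r.dst):
            return r.action, r.note
    return "DENY", "implicit default deny"


# Representative flows and the verdict the table requires for each.
EXPECTATIONS = [
    ("10.250.1.5", "10.10.1.10", "tcp", 443, "ALLOW"),   # PAW -> vCenter UI/API
    ("10.250.1.5", "10.10.0.7", "tcp", 902, "ALLOW"),    # PAW -> ESXi remote console
    ("10.10.0.7", "10.10.1.10", "tcp", 443, "ALLOW"),    # host -> vCenter
    ("10.10.1.30", "10.10.0.7", "icmp", None, "ALLOW"),  # monitoring ping
    ("10.250.1.5", "10.10.1.10", "tcp", 22, "DENY"),     # SSH blocked from every source
    ("10.250.1.5", "10.10.1.10", "tcp", 5480, "DENY"),   # VAMI blocked from every source
    ("10.100.3.4", "10.10.1.10", "tcp", 443, "DENY"),    # guest VM -> management
    ("10.20.5.5", "10.10.1.10", "tcp", 443, "DENY"),     # corporate LAN: no rule, default deny
]


def verify_posture(rules: List[Rule] = INGRESS_RULES) -> List[str]:
    """Describe every expectation the rule set violates (an empty list means the posture holds)."""
    violations = []
    for src, dst, proto, port, expected in EXPECTATIONS:
        action, note = evaluate(src, dst, proto, port, rules)
        if action != expected:
            violations.append(f"{src}->{dst} {proto}/{port}: {action} ({note}), expected {expected}")
    return violations


# A "convenience" rule of the kind that quietly re-creates the flat network the guide warns about.
LOOSE_RULES = INGRESS_RULES + [Rule("Corporate LAN", "Mgmt VLAN", "any", None, "ALLOW", "helpdesk access")]
```

`verify_posture(INGRESS_RULES)` returns an empty list, while `verify_posture(LOOSE_RULES)` reports the corporate-LAN flow that the added rule re-opened.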
Once a threat actor harvests these credentials, the logical network architecture remains the only defensive layer capable of preventing the threat actor's access to the vSphere management plane.</span></p></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%;"> <tbody> <tr> <td style="width: 98.1839%;"><span style="font-style: italic; vertical-align: baseline;">A strictly segmented architecture integrating physical network isolation with host-based micro-segmentation serves as the definitive safeguard; by systematically eliminating all logical network paths from untrusted zones to the management zone, the underlying attack vector is neutralized, ensuring that a BRICKSTORM intrusion remains physically and logically incapable of compromising the vCenter control plane.</span></td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">The architectural blueprint shown in Figure 2 is designed to eliminate these common internal attack vectors.</span></p></div> <div class="block-image_full_width"> <div class="article-module h-c-page"> <div class="h-c-grid"> <figure class="article-image--large h-c-grid__col h-c-grid__col--6 h-c-grid__col--offset-3 " > <img 
src="https://storage.googleapis.com/gweb-cloudblog-publish/images/vsphere-brickstorm-fig2.max-1000x1000.jpg" alt="vSphere Zero Trust networking and detection"> </a> <figcaption class="article-image__caption "><p data-block-key="xm3ui">Figure 2: vSphere Zero Trust networking and detection</p></figcaption> </figure> </div> </div> </div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">1. Immutable Virtual Local Area Network (VLAN) Segmentation</span></h4> <p><span style="vertical-align: baseline;">Organizations should enforce isolation through distinct 802.1Q VLAN IDs. Threat actors will exploit "flat" or poorly partitioned networks where a compromise in a low-security/low-trust zone (such as a demilitarized zone [DMZ] or edge appliance) can route directly to the Management VAMI (Port 5480) or shell access to the VCSA (Port 22) high-trust network segments.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; 
overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VLAN</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Description</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Members</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Strategic Security Policy</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Host Management</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi Hypervisor Control Plane</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi vmk0 Management Interfaces</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Restricted Access.</strong><span style="vertical-align: baseline;"> 
Exclusively accepts traffic from the VCSA and authorized PAWs.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA / Infrastructure</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Cluster Management Applications</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vCenter (VCSA), Backup Servers, NSX Managers</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Tier-0 Restricted Zone.</strong><span style="vertical-align: baseline;"> Should be logically and physically unreachable from all Guest VM segments.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">vMotion</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Live Memory Migration</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi </span><span style="vertical-align: baseline;">vmk1</span><span style="vertical-align: baseline;"> (vMotion Stack)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Non-Routable. 
</strong><span style="vertical-align: baseline;">Prevents interception of unencrypted RAM data during migration.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Storage</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vSAN / iSCSI / NFS</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi </span><span style="vertical-align: baseline;">vmk2</span><span style="vertical-align: baseline;"> (Storage Stack)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Non-Routable.</strong><span style="vertical-align: baseline;"> Critical for block-level data integrity; prevents out-of-band disk manipulation.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Virtual Machine</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Production Workloads</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Virtual Machine Port Groups</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Untrusted Zone.</strong><span style="vertical-align: baseline;"> Entirely isolated from all infrastructure management VLANs.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span 
style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Layer 2 segmentation</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">2. Routing as a Security Barrier</span></h4> <p><span style="vertical-align: baseline;">The objective is to transform the Management Network into a secured zone. A threat actor residing on a standard corporate subnet or Wi-Fi network should be physically unable to communicate with the VCSA.</span></p> <h5><span style="vertical-align: baseline;">A. Virtual Routing and Forwarding (VRF) Segmentation</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Action:</strong><span style="vertical-align: baseline;"> Transition all Infrastructure VLANs into a dedicated VRF instance on the core routing layer.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Strategic Impact:</strong><span style="vertical-align: baseline;"> This creates a defined routing table. Even in the event of a total compromise in the "User" or "Guest" VRF, the network hardware will have no route to the "Management" VRF, preventing lateral movement even if physical adjacency exists.</span></p> </li> </ul> <h5><span style="vertical-align: baseline;">B. 
Privileged Admin Workstation (PAW Exclusive Access)</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Action:</strong><span style="vertical-align: baseline;"> Remove all direct routes from the general corporate LAN to the Management Subnet(s).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Strategic Impact:</strong><span style="vertical-align: baseline;"> Access to the Management Subnet should originate only from a designated PAW IP range / subnet. All other internal subnets, including standard user workstations and guest VMs, should have no route or be subject to an explicit Deny policy at the gateway. This forces the threat actor to attempt a compromise of the PAW, a significantly more hardened and monitored target, before they can connect to the VCSA.</span></p> </li> </ul> <h4><span style="vertical-align: baseline;">3. Hardened Perimeter Ingress and Egress Filtering</span></h4> <p><span style="vertical-align: baseline;">These rules should be enforced at the hardware firewall or Layer 3 Core acting as the gateway for the Management Subnet. Because the VCSA's GUI-based native firewall is architecturally incapable of enforcing egress (outbound) policy, the upstream network gateway should enforce this policy. Organizations should implement a restrictive egress policy to ensure that if a VCSA is compromised, it cannot connect to malicious command-and-control infrastructure or exfiltrate Tier-0 data.</span></p> <h5><span style="vertical-align: baseline;">A. 
Ingress Filtering (Incoming to Management)</span></h5></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Source</strong></p> </td> <td style="vertical-align: middle; 
border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Destination</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Protocol / Port</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Policy</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Mitigation</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">PAW</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mgmt VLAN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 443</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Authorized vSphere Client/API Access</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">PAW</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi VLAN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 902</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; 
border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Secure Remote Console (MKS) Access</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">ESXi</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">VCSA IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 443 </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi Host to vCenter communication</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Backup </strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">VCSA IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 443</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Backup API Access </span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Monitoring</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mgmt VLAN</span></p> </td> <td 
style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ICMP Ping</span></p> <p><span style="vertical-align: baseline;">UDP / 161 (SNMP)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Verified Infrastructure Health Probes</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">ANY</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mgmt VLAN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 22</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DENY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MANDATORY SSH BLOCK.</strong><span style="vertical-align: baseline;"> Enforce shell access via PAW only.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">ANY</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mgmt VLAN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 5480</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DENY</span></p> </td> <td 
style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">MANDATORY VAMI BLOCK. </strong><span style="vertical-align: baseline;">Prevents unauthorized management enablement.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Guest VM</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Mgmt VLAN</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ANY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DENY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Eliminates all East-West lateral movement paths</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Ingress filtering</span></div></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">B. 
Egress Filtering (Outbound from VCSA/Management)</span></h5></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Source</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: 
baseline;">Destination</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Protocol / Port</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Policy</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Mitigation</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Internal DNS</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UDP/TCP 53</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Restrict DNS to trusted internal resolvers only.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Remote Syslog</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 6514</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span 
style="vertical-align: baseline;">TLS-encrypted telemetry; required for SIEM visibility.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Public IP for VMware Update Manager</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 443</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Strictly limit to "162.159.140.167" and "172.66.0.165" (VMware Update servers). These are CDN-fronted addresses that can change without notice: verify them against current vendor documentation before deploying, and prefer FQDN-based allow rules where the firewall supports them.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Identity Provider</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP / 443</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ALLOW</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Required for federated authentication (Okta/Entra).</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA</strong></p> 
</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Internal Subnets</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ANY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DENY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Blocks internal scanning and VCSA-to-internal pivots. Place explicit allows for the ESXi management subnet (TCP 443 and 902, which vCenter needs to manage its hosts) and any other required dependency ahead of this rule.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Internet (ANY)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ANY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">DENY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Suppresses C2. 
Blocks DoH, SOCKS proxies, and data exfiltration.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Egress filtering</span></div></div> <div class="block-paragraph_advanced"><p><strong style="vertical-align: baseline;">Note on Micro-Segmentation:</strong><span style="vertical-align: baseline;"> While physical firewalls secure the management plane (North-South), VMware NSX Distributed Firewall (DFW) is the standard control for guest-to-guest (East-West) traffic. Where applicable, NSX should protect the data plane, while physical network hardware remains the control point for the management plane.</span></p> <h4><span style="vertical-align: baseline;">Host-Based Firewalls for VCSA and ESXi</span></h4> <p><span style="vertical-align: baseline;">Host-based firewalls should be used in tandem with network-based firewalls to achieve a resilient defense-in-depth posture. While network firewalls effectively manage "North-South" traffic (entering/leaving the subnet), they are blind to "East-West" traffic within the same VLAN. Host-based firewalls can block an attacker sitting on the same network segment. 
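</span></p> <p><span style="vertical-align: baseline;">What that OS-level policy looks like in practice, as an added example that is not part of the original post and is not Mandiant's vcsa-hardening-tool: the script below renders a default-deny iptables policy for the VCSA's Photon OS that implements the egress table above and the inbound scoping table in the next subsection as "source address + destination port" pairs, and places a rate-limited LOG target ahead of each chain's DROP policy so rsyslog can forward every rejected packet. All addresses are placeholder assumptions; the script also adds outbound NTP and an explicit VCSA-to-ESXi allow (TCP 443 and 902) that host management needs and that the egress table leaves implicit.</span></p>

```shell
#!/bin/sh
# Added example (not from the original post): render a default-deny iptables
# policy for the VCSA's Photon OS in iptables-restore(8) format. Every allow is a
# "source/destination address + port" pair, and a LOG target precedes each
# chain's DROP policy so rsyslog can forward rejected packets to the SIEM.
# All addresses below are placeholder assumptions; replace them for your site.

PAW_IPS="${PAW_IPS:-10.10.0.10,10.10.0.11}"      # privileged access workstations
BACKUP_IP="${BACKUP_IP:-10.10.5.20}"            # backup server: vSphere API only
ESXI_SUBNET="${ESXI_SUBNET:-10.10.1.0/24}"      # ESXi management subnet
DNS_SERVERS="${DNS_SERVERS:-10.10.2.53}"        # trusted internal resolvers
NTP_SERVERS="${NTP_SERVERS:-10.10.2.123}"       # internal time source
SYSLOG_SERVER="${SYSLOG_SERVER:-10.10.2.60}"    # TLS syslog collector (TCP 6514)
IDP_HOST="${IDP_HOST:-203.0.113.10}"            # federated IdP (RFC 5737 doc range)
UPDATE_HOSTS="${UPDATE_HOSTS:-198.51.100.20}"   # vendor update endpoint placeholder

# allow_in PROTO SOURCES DPORTS: one ACCEPT per comma-separated source address.
allow_in() {
  for src in $(printf '%s' "$2" | tr ',' ' '); do
    printf '%s\n' "-A INPUT -p $1 -s $src -m multiport --dports $3 -j ACCEPT"
  done
}

# allow_out PROTO DESTINATIONS DPORTS: one ACCEPT per comma-separated destination.
allow_out() {
  for dst in $(printf '%s' "$2" | tr ',' ' '); do
    printf '%s\n' "-A OUTPUT -p $1 -d $dst -m multiport --dports $3 -j ACCEPT"
  done
}

render_vcsa_policy() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback keeps vPostgres and other local services talking on 127.0.0.1 only.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to connections that an explicit rule already admitted.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
  # Inbound scoping: the backup server gets 443 and nothing else, so a
  # compromised backup host cannot reach SSH (22) or the VAMI (5480).
  allow_in tcp "$PAW_IPS"     "22,443,5480"
  allow_in tcp "$BACKUP_IP"   "443"
  allow_in udp "$ESXI_SUBNET" "902"           # ESXi host-to-vCenter heartbeats
  # Egress allow-list: DNS, NTP, TLS syslog, IdP, update servers, and the ESXi
  # hosts vCenter itself manages (TCP 443 API, TCP 902 NFC/vpxa). Everything
  # else, including DoH, SOCKS and direct Internet, falls through to the logged drop.
  allow_out udp "$DNS_SERVERS"   "53"
  allow_out tcp "$DNS_SERVERS"   "53"
  allow_out udp "$NTP_SERVERS"   "123"
  allow_out tcp "$SYSLOG_SERVER" "6514"
  allow_out tcp "$IDP_HOST"      "443"
  allow_out tcp "$UPDATE_HOSTS"  "443"
  allow_out tcp "$ESXI_SUBNET"   "443,902"
  cat <<'EOF'
# Log before the policy drop (rate-limited so a scan cannot flood the journal).
-A INPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "VCSA-DROP-IN: " --log-level 4
-A OUTPUT -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "VCSA-DROP-OUT: " --log-level 4
COMMIT
EOF
}

# Print the policy; on the appliance, pipe it into `iptables-restore --test` first.
render_vcsa_policy
```

<p><span style="vertical-align: baseline;">Apply it from the VM console rather than over an SSH session, validate it with iptables-restore --test before loading, and persist the rules with the appliance's iptables save mechanism, re-checking them after every VCSA patch. A compromised vCenter Administrator cannot change these rules from the GUI, but anyone with root on the appliance still can, which is one more reason the SSH rule above admits only the PAWs.</span></p> <p><span style="vertical-align: baseline;">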
By enforcing policy on each endpoint itself, organizations ensure that network reachability alone never translates into logical authority over the vSphere control plane.</span></p> <h4><span style="vertical-align: baseline;">The VCSA Host-Based Firewall (Photon OS)</span></h4> <p><span style="vertical-align: baseline;">Managed via the Virtual Appliance Management Interface (VAMI), the VCSA firewall is a native control to prevent lateral movement from compromised "trusted" entities such as backup servers or monitoring devices that share the management VLAN. The firewall should be used as a primary layer of defense to enforce the principle of least privilege at the host network level.</span></p> <p><strong style="vertical-align: baseline;">Strategic Implementation: </strong><span style="vertical-align: baseline;">Transition the default policy to "Default Deny" and explicitly define the authorized source addresses for every management service.</span></p> <h5><span style="vertical-align: baseline;">Recommended VCSA Host-Based Firewall Scoping</span></h5></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; 
overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Port</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Protocol </strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Source</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Detail</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">UI / API</strong><span style="vertical-align: baseline;"> (443)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PAW IP + Backup IP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Restricts 
vSphere Client access to hardened Admin stations.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VAMI</strong><span style="vertical-align: baseline;"> (5480)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PAW IP Only</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Prevents unauthorized SSH enablement or log tampering.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">SSH</strong><span style="vertical-align: baseline;"> (22)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">PAW IP Only</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Eliminates the primary shell residency path.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Heartbeat</strong><span style="vertical-align: baseline;"> (902)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">UDP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ESXi Management Subnet</span></p> </td> <td 
style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Required for continuous Host-to-vCenter synchronization.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Internal</strong><span style="vertical-align: baseline;"> (LADB)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">TCP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Localhost (127.0.0.1)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Protects local inter-process communication.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">ANY / ANY</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">ANY</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">DENY ALL</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Blocks all unauthorized internal discovery.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">VCSA host-based firewall</span></div></div> <div class="block-paragraph_advanced"><h4><span 
style="vertical-align: baseline;">Limitations of the VAMI GUI Firewall</span></h4> <p><span style="vertical-align: baseline;">While the host-based firewall in the VCSA is a mandatory component of a defense-in-depth strategy, administrators should recognize that the standard VAMI GUI has the following operational limitations for defending against threat actors:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Lack of Port-Specific Granularity:</strong><span style="vertical-align: baseline;"> The </span><a href="https://knowledge.broadcom.com/external/article/377036/how-to-block-all-traffic-on-vcenter-exce.html" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">VAMI GUI</span></a><span style="vertical-align: baseline;"> lacks the precision required for a true Zero Trust model. In all versions, creating an IP-based rule for a specific server (e.g., a virtual backup server) forces an "all-or-nothing" approach: to grant that server legitimate access to the vSphere API on </span><strong style="vertical-align: baseline;">TCP 443</strong><span style="vertical-align: baseline;">, the administrator is often forced to trust that IP for </span><span style="font-style: italic; vertical-align: baseline;">all</span><span style="vertical-align: baseline;"> ports.<br/><br/></span><strong style="vertical-align: baseline;">The Risk:</strong><span style="vertical-align: baseline;"> This simultaneously grants the backup server unauthorized access to highly sensitive management interfaces such as </span><strong style="vertical-align: baseline;">SSH (22)</strong><span style="vertical-align: baseline;"> and the </span><strong style="vertical-align: baseline;">VAMI (5480)</strong><span style="vertical-align: baseline;">. If an attacker compromises the backup server, they inherit an unobstructed management path to the VCSA shell. 
</span></p> </li> </ul> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Circular Administrative Dependency:</strong><span style="vertical-align: baseline;"> A fundamental weakness of the native vCenter host-based firewall is its logical placement within the management plane it is intended to secure. The firewall is managed via the VAMI, which represents a secondary management entry point residing on TCP port 5480. This interface is logically adjacent to the standard vSphere Client (TCP port 443) and is frequently exposed across the same management network segments.<br/><br/></span><strong style="vertical-align: baseline;">The Risk:</strong><span style="vertical-align: baseline;"> Credentials captured via </span><code style="vertical-align: baseline;">BRICKSTEAL</code><span style="vertical-align: baseline;"> grant a threat actor authority to reconfigure the appliance itself. By pivoting to the VAMI, the actor can use their compromised role to deactivate the firewall. This circular dependency ensures the firewall is managed by the very application it is intended to protect, allowing a threat actor to disable controls using the system's own management tools.</span></p> </li> </ul> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Forensic Visibility Gaps:</strong><span style="vertical-align: baseline;"> The standard VAMI firewall is designed for connectivity management, not security monitoring. It does not generate remote logs for denied connection attempts or specific shell activity.<br/><br/></span><strong style="vertical-align: baseline;">The Risk:</strong><span style="vertical-align: baseline;"> This blinds security teams to active lateral movement. 
A threat actor can scan the VCSA from an unauthorized VM repeatedly, or use a VCSA shell unmonitored; because the firewall does not report blocked connections and shell commands are not logged, the SOC remains unaware of the intrusion attempt until the final stage of the attack.</span></p> </li> </ul> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Inbound-Only Policy:</strong><span style="vertical-align: baseline;"> The GUI manages only inbound traffic, leaving the outbound (egress) policy unmanaged.<br/><br/></span><strong style="vertical-align: baseline;">The Risk:</strong><span style="vertical-align: baseline;"> Modern malware, such as the </span><code style="vertical-align: baseline;">BRICKSTORM</code><span style="vertical-align: baseline;"> backdoor, relies on outbound "phone home" (C2) traffic to receive commands. A firewall that does not restrict outbound traffic allows a compromised VCSA to communicate with external malicious infrastructure without restriction.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">To overcome these limitations of the native VAMI firewall, organizations should consider moving from GUI-based management to OS-level hardening with the underlying Photon Linux iptables or nftables.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Tamper-Proof Integrity:</strong><span style="vertical-align: baseline;"> By implementing granular firewall rules directly at the Photon Linux operating system level, the controls become independent of vCenter application permissions. 
Even a compromised vCenter Administrator cannot disable Photon OS-level rules via the vSphere Client or the VAMI. They remain editable by anyone with a root shell on the appliance, which is why SSH access to the VCSA must itself be tightly scoped and the rule set monitored for change.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Granular Logic:</strong><span style="vertical-align: baseline;"> OS-level rules allow for strict "Source IP + Destination Port" mapping, ensuring a backup server only sees port 443 and is rejected on all others.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Transformation into a Sensor:</strong><span style="vertical-align: baseline;"> Unlike the VCSA GUI, Photon OS-level logging can be forwarded to a security information and event management (SIEM) system, which turns every denied connection attempt into a high-fidelity early-warning alert.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">The VAMI GUI firewall should be viewed as a basic connectivity control, not a comprehensive Tier-0 security control. To mitigate the access paths that advanced campaigns rely on, organizations should go beyond the GUI and enforce a strictly validated, granular, and logged firewall policy at the VCSA Photon Linux kernel level.</span></p></div> <div class="block-aside"><p><strong style="vertical-align: baseline;">vCenter Hardening Script:</strong> <a href="https://github.com/mandiant/vcsa-hardening-tool" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">Get the tool!</span></a></p></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">The ESXi Hypervisor Firewall</span></h4> <p><span style="vertical-align: baseline;">The ESXi firewall is a service-oriented packet filter sitting between the VMkernel management interface and the network: each service (SSH, web access, the vCenter agent, syslog, and so on) has its own ruleset that can be enabled, disabled, or restricted to a list of allowed addresses. 
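</span></p> <p><span style="vertical-align: baseline;">As an added example that is not from the original post or from Broadcom, the script below performs that service-level scoping with esxcli for each service category in the table that follows, sets the firewall's default action to drop, and disables the SLP and CIM rulesets instead of merely scoping them. The ruleset IDs are the stock ESXi names; every address, and the file name esxi-fw.sh, is a placeholder assumption.</span></p>

```shell
#!/bin/sh
# Added example (not from the original post or from Broadcom): scope each ESXi
# firewall ruleset to its authorized sources with esxcli, set the default action
# to drop, and switch off the legacy CIM/SLP attack surface.
# Run as root on the host: `sh esxi-fw.sh apply`; preview first with DRY_RUN=1.
# Addresses are placeholder assumptions; ruleset IDs are the stock ESXi names.

PAW_SUBNET="${PAW_SUBNET:-10.10.0.0/24}"       # privileged access workstations
VCSA_IP="${VCSA_IP:-10.10.1.5}"                # the vCenter managing this host
ESXI_SUBNET="${ESXI_SUBNET:-10.10.1.0/24}"     # cluster peers (vMotion, HA, FT)
INFRA_SUBNET="${INFRA_SUBNET:-10.10.2.0/24}"   # SIEM, NTP and DNS providers

# run CMD...: execute the command, or only print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# scope_ruleset ID SOURCE...: keep the service enabled, stop accepting it from
# any address, then admit only the listed sources.
scope_ruleset() {
  rs="$1"; shift
  run esxcli network firewall ruleset set --ruleset-id "$rs" --enabled true
  run esxcli network firewall ruleset set --ruleset-id "$rs" --allowed-all false
  for src in "$@"; do
    run esxcli network firewall ruleset allowedip add --ruleset-id "$rs" --ip-address "$src"
  done
}

# disable_ruleset ID: close a service completely.
disable_ruleset() {
  run esxcli network firewall ruleset set --ruleset-id "$1" --enabled false
}

harden_esxi_firewall() {
  # Anything not matched by an enabled ruleset is dropped.
  run esxcli network firewall set --default-action false
  # Management access: shell and host web UI only from the PAWs.
  scope_ruleset sshServer      "$PAW_SUBNET"
  scope_ruleset webAccess      "$PAW_SUBNET"
  # vCenter control plane: vpxa/NFC on 902 and update traffic from the VCSA;
  # 902 also carries the remote console, so the PAWs are admitted as well.
  scope_ruleset vSphereClient  "$VCSA_IP" "$PAW_SUBNET"
  scope_ruleset vpxHeartbeats  "$VCSA_IP"
  scope_ruleset updateManager  "$VCSA_IP"
  # Intra-cluster traffic stays on the ESXi management subnet.
  scope_ruleset vMotion        "$ESXI_SUBNET"
  scope_ruleset faultTolerance "$ESXI_SUBNET"
  # Telemetry and core services bound to the verified internal providers.
  scope_ruleset syslog    "$INFRA_SUBNET"
  scope_ruleset snmp      "$INFRA_SUBNET"
  scope_ruleset ntpClient "$INFRA_SUBNET"
  scope_ruleset dns       "$INFRA_SUBNET"
  # Legacy / high risk: disable SLP (VMSA-2021-0002) and CIM unless hardware
  # monitoring genuinely needs them; if it does, scope CIM to the monitor only.
  disable_ruleset CIMSLP
  run /etc/init.d/slpd stop
  run chkconfig slpd off
  disable_ruleset CIMHttpServer
  disable_ruleset CIMHttpsServer
}

# show_scope ID: the post-change check for one ruleset.
show_scope() {
  run esxcli network firewall ruleset allowedip list --ruleset-id "$1"
}

case "${1:-}" in
  apply) harden_esxi_firewall; for rs in sshServer webAccess vSphereClient; do show_scope "$rs"; done ;;
  *)     echo "usage: DRY_RUN=1 sh $0 apply   # preview; rerun without DRY_RUN on the host" ;;
esac
```

<p><span style="vertical-align: baseline;">Preview the plan with DRY_RUN=1 sh esxi-fw.sh apply, then run it from the DCUI or a console session rather than over SSH, because the sshServer scoping takes effect immediately. Re-run the allowedip list checks periodically, or manage the same settings through a host profile, so that a ruleset drifting back to accepting any address is treated as a finding rather than discovered during an incident.</span></p> <p><span style="vertical-align: baseline;">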
Restricting individual services to authorized management IPs is the most direct way to block an attacker on the same VLAN from reaching the host API or SSH port.</span></p> <p><strong style="vertical-align: baseline;">Strategic Implementation:</strong><span style="vertical-align: baseline;"> Access should be restricted at the service level by deselecting "Allow connections from any IP address" and entering specific management IPs, or through esxcli so the scoping is scripted, repeatable, and auditable across hosts.</span></p> <h5><span style="vertical-align: baseline;">Recommended ESXi Host-Based Firewall Rules</span></h5></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 
100%;"><table><colgroup><col/><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Service Category</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Service Name</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Port / Protocol</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Authorized Source</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Strategic Defensive Value</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Management Access</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SSH Server, vSphere Web Client/Access</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">22, 443 / TCP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">PAW Subnet / IPs only</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Ensures shell and GUI access is restricted to hardened admin PAWs.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">vCenter Control Plane</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; 
padding: 16px;"> <p><span style="vertical-align: baseline;">vCenter Agent (vpxa), Update Manager</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">902, 80 / TCP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA IP Only</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Prevents unauthorized entities from impersonating the VCSA.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Intra-Cluster</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vMotion, HA, Fault Tolerance, DVSSync</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">8000, 8182 / TCP, 12345 / UDP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">ESXi Mgmt Subnet / IPs</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Prevents interception of unencrypted RAM data and heartbeat tampering.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Storage</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">NFC (File Copy), HBR (Replication)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">902, 31031 / TCP</span></p> 
</td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VCSA IP + Cluster IPs</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Prevents unauthorized VMDK extraction or out-of-band data cloning.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Telemetry</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Syslog, SNMP, NTP, DNS</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">514, 161, 123, 53 / UDP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">SIEM & Infra Subnets</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Ensures telemetry and core services are bound to verified internal providers.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Legacy / High Risk</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">CIM Server, SLP (Discovery)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">5988, 5989 / TCP, 427 / UDP</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">EXPLICIT DENY / Monitoring IP</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 
16px;"> <p><span style="vertical-align: baseline;">Neutralizes RCE vectors targeting the primary attack surface used for ESXi-specific ransomware (</span><a href="https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/23599" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">VMSA-2021-0002</span></a><span style="vertical-align: baseline;">). Where CIM is not needed for hardware monitoring, disable the slpd service and the CIM rulesets outright rather than merely scoping them.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">ESXi host-based firewall</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Hardening as a Detection Enabler</span></h4> <p><span style="vertical-align: baseline;">When the infrastructure is configured with a "Default Deny" posture, it creates the friction necessary to expose a threat actor. In an unhardened environment, an attacker's port scan or lateral movement attempt is silent and successful; in a hardened environment, those same actions become indicators of compromise.</span></p>  <h5><span style="vertical-align: baseline;">The Multi-Layered Signal Chain</span></h5> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Network-Level Visibility:</strong><span style="vertical-align: baseline;"> Detection begins at the transit layer. Organizations should ensure that logging is enabled at the physical network and virtual switch (VDS) levels. 
This allows the SOC to track the "path" of a threat actor, identifying unauthorized scanning or connection attempts as they traverse subnets toward the vSphere management plane.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Host-Based Firewall Logging (iptables): </strong><span style="vertical-align: baseline;">While the VCSA provides a management GUI for its firewall, it does not natively log denied access. To transform the appliance into a sensor, host-based firewall logging depends on a custom OS-level iptables configuration: an iptables LOG target placed ahead of the drop rule in the Photon OS kernel's packet filter records every rejected packet, providing the proof that an unauthorized actor is attempting to reach the VCSA.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Immutable Logging:</strong><span style="vertical-align: baseline;"> By enabling Remote Syslog Forwarding, these rejection logs are offloaded instantly. 
Even if an attacker later gains root on the appliance and clears the local files, the copies already received by the collector are beyond their reach.</span></p> </li> </ul> <h5><span style="vertical-align: baseline;">Early Detection Signals</span></h5> <p><span style="vertical-align: baseline;">By correlating the denied access with identity-based events, organizations can identify a </span><code style="vertical-align: baseline;">BRICKSTORM</code><span style="vertical-align: baseline;"> lifecycle event in its earliest stages:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Failed Authentication Alerts:</strong><span style="vertical-align: baseline;"> A log entry in the standard auth.log (for SSH), or a vCenter </span><code style="vertical-align: baseline;">BadUsernameSessionEvent</code><span style="vertical-align: baseline;"> (the event vCenter records for a failed logon; a </span><code style="vertical-align: baseline;">UserLoginSessionEvent</code><span style="vertical-align: baseline;"> records a successful one), from an unauthorized internal IP is a high-value alert.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Account Lockout Events:</strong><span style="vertical-align: baseline;"> When an actor attempts to brute-force or use harvested credentials against local "break-glass" accounts (like administrator@vsphere.local), the resulting "Account Locked" event provides a high-priority signal that a targeted credential attack is in progress.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Behavioral Pattern Correlation:</strong><span style="vertical-align: baseline;"> The most powerful signal occurs when the SIEM correlates these disparate sources. 
For example, a Firewall Drop (via IPtables) followed immediately by a Failed Login (via SSO) from the same source IP is a high-confidence indicator of an active intrusion attempt.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">Network segmentation at the switch level is a prerequisite, but host-based firewalls are the primary enforcement point of a vSphere Zero Trust architecture. By complementing network-based firewalls with host-level filtering, organizations can eliminate the visibility gap on the management VLAN and transform the VCSA and ESXi hosts into sensors capable of exposing an adversary at the earliest stage of an intrusion.</span></p> <h3><span style="vertical-align: baseline;">Phase 4: Logging and Forensic Visibility</span></h3> <p><span style="vertical-align: baseline;">To facilitate the detection within the vSphere control plane, organizations should achieve comprehensive telemetry across the previously unmonitored layers of the underlying VCSA operating system.</span></p> <p><span style="vertical-align: baseline;">The primary operational advantage exploited in this campaign is the lack of visibility inherent in the virtualization control plane. This monitoring visibility gap is driven by three critical factors:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">The Logging Gap:</strong><span style="vertical-align: baseline;"> By default, VCSA does not forward kernel-level audit logs. If an attacker wipes the local disk, the evidence of their residency is permanently erased.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">The Restricted Logging Pipeline: </strong><span style="vertical-align: baseline;">Standard modern log forwarding agents such as Fluentd or Logstash are not supported for installation on the VCSA. 
To maintain appliance integrity, defenders are restricted to using the native rsyslog daemon. This prevents on-host log enrichment or advanced parsing, forcing the SIEM to process raw, legacy data streams. This technical complexity often leads to critical kernel-level signals being misclassified or ignored.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Operational Telemetry Fragmentation:</strong><span style="vertical-align: baseline;"> Security indicators are frequently buried within standard cluster and application level events. As detailed in the </span><a href="https://github.com/lamw/vcenter-event-mapping" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">vCenter Event Mapping</span></a><span style="vertical-align: baseline;">, critical actions like </span><code style="vertical-align: baseline;">VmNetworkAdapterAddedEvent</code><span style="vertical-align: baseline;"> or </span><code style="vertical-align: baseline;">VmClonedEvent</code><span style="vertical-align: baseline;"> are logged as routine infrastructure management tasks. 
Because these signals are operational rather than security-focused, a threat actor's movements are easily disguised as routine tasks.</span></p> </li> </ul></div> <div class="block-paragraph_advanced"><div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table border="1" style="border-collapse: collapse; width: 99.9641%;"> <tbody> <tr> <td style="width: 98.1839%;"> <p><span style="font-style: italic; vertical-align: baseline;">Securing the VCSA requires a transition from passive cluster monitoring to active OS-level hardening, utilizing a 'Default Deny' posture to eliminate the network path often exploited during advanced campaigns. This architectural shift transforms the appliance into a proactive security sensor, where the friction of blocked network activity and initial access serves as a high-fidelity indicator. By moving beyond complex vSphere application telemetry, organizations can generate the precise early warning signals needed to expose a BRICKSTORM intruder at the very moment they attempt unauthorized discovery.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">What is auditd?</span></h4> <p><span style="vertical-align: baseline;">The Linux Audit Daemon (auditd) is the kernel's primary subsystem for tracking security-relevant events. 
Unlike standard "system logs" (which record application and management events), auditd records system calls. It sees exactly what commands were executed in the shell, which files were modified, and which users escalated privileges. The default Photon auditd rules cover Identity (useradd/del) and privilege escalation (sudo/privileged).</span></p> <h4><span style="vertical-align: baseline;">auditd Status: Verifying the Current Defensive Posture</span></h4> <p><span style="vertical-align: baseline;">auditd is the core forensic foundation for detecting low-level movements. While VCSA Photon logs provide visibility into management tasks, they are fundamentally </span><span style="vertical-align: baseline;">blind to the "living-off-the-land" (LotL) techniques that define this campaign. This threat actor operates deep within the VCSA shell to execute binary injections, modify startup scripts using </span><code style="vertical-align: baseline;">sed</code><span style="vertical-align: baseline;">, and utilize </span><code style="vertical-align: baseline;">sudo</code><span style="vertical-align: baseline;"> to fuel the </span><code style="vertical-align: baseline;">BRICKSTEAL</code><span style="vertical-align: baseline;"> credential harvester. Only auditd, by recording the underlying system calls (</span><code style="vertical-align: baseline;">syscalls</code><span style="vertical-align: baseline;">), provides a </span><span style="vertical-align: baseline;">granular record of these command-line maneuvers. 
In an environment where traditional EDR is absent, auditd captures the minute behavioral patterns that standard logs ignore.</span></p> <h4><span style="vertical-align: baseline;">The Default Configuration Gap</span></h4> <p><span style="vertical-align: baseline;">Modern VCSAs (vSphere 7 and 8) ship with a pre-configured set of STIG rules (located in </span><code style="vertical-align: baseline;">/etc/audit/rules.d/audit.STIG.rules</code><span style="vertical-align: baseline;">). However, there is a restriction in the default configuration:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Local Only:</strong><span style="vertical-align: baseline;"> By default, auditd writes to a local file (</span><code style="vertical-align: baseline;">/var/log/audit/audit.log</code><span style="vertical-align: baseline;">).</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Invisible to VAMI:</strong><span style="vertical-align: baseline;"> The remote logging you configure in the VAMI (Port 5480) does not include these kernel logs by default.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">The Attack Vector: </strong><span style="vertical-align: baseline;">Actors can gain root access, perform their actions, and simply run </span><code style="vertical-align: baseline;">rm -rf /var/log/audit/*</code><span style="vertical-align: baseline;"> to delete the evidence. 
Unless these logs are streamed to your SIEM in real time, your forensic trail is non-existent.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Local Log Rotation:</strong><span style="vertical-align: baseline;"> Since the local log location is </span><code style="vertical-align: baseline;">/var/log/audit/audit.log</code><span style="vertical-align: baseline;">, it is subject to rotation and deletion. If an attacker wipes this file, the remote syslog version is your only forensic record.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">All auditd logs should be forwarded via the VCSA remote syslog. Remote forwarding of auditd depends on an "auditd bridge" configuration. If </span><code style="vertical-align: baseline;">/etc/audisp/plugins.d/syslog.conf</code><span style="vertical-align: baseline;"> is set to </span><code style="vertical-align: baseline;">active = yes</code><span style="vertical-align: baseline;">, these logs will be tagged and forwarded. If set to no, they are stored locally only. To enable remote logging of auditd events and ensure forensic persistence, the following steps should be taken:</span></p> <h5><span style="vertical-align: baseline;">Step A: Check Service and Rule Status</span></h5> <p><span style="vertical-align: baseline;">Before activating the auditd remote logging bridge, you should determine if your VCSA is currently configured for auditd. Run these commands as root:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># 1. Check if the audit service is active
systemctl status auditd

# 2. List the rules currently loaded in the kernel
auditctl -l</code></pre></div> <div class="block-paragraph_advanced"><p><span style="font-style: italic; vertical-align: baseline;">If </span><code style="font-style: italic; vertical-align: baseline;">auditctl -l</code><span style="font-style: italic; vertical-align: baseline;"> returns nothing, your rules have not been loaded, and the kernel is not "watching" for attacker behavior.</span></p> <h5><span style="vertical-align: baseline;">Step B: Check the "auditd Bridge" Status</span></h5> <p><span style="vertical-align: baseline;">Verify whether kernel events are only stored on the local disk or are being forwarded to your remote SIEM.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Check the active status of the syslog plugin
# Note: vSphere 8 still uses the /etc/audisp/ path for compatibility
grep "^active" /etc/audisp/plugins.d/syslog.conf</code></pre></div> <div class="block-paragraph_advanced"><p><span style="font-style: italic; vertical-align: baseline;">If this returns </span><code style="font-style: italic; vertical-align: baseline;">active = no</code><span style="font-style: italic; vertical-align: baseline;">, remote logging of auditd is not configured. The logs are written only to the VCSA local disk, where an attacker can easily wipe them.</span></p> <h4><span style="vertical-align: baseline;">Mapping Standard STIG Rules to Attacker TTPs</span></h4> <p><span style="vertical-align: baseline;">If your </span><code style="vertical-align: baseline;">auditctl -l</code><span style="vertical-align: baseline;"> output shows the standard rules are loaded, you have the following rules in place, mapped here to identified attacker tactics, techniques, and procedures (TTPs). 
These rules move you from periodic auditing or threat hunting to real-time behavioral detection.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Standard STIG Rule / Key</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">TTP Phase</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 
16px;"> <p><strong style="vertical-align: baseline;">Defensive Value</strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-k useradd / -k userdel</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish Foothold</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Creates local accounts, deploys backdoors, and deletes them within ~13 minutes. These rules log both ends of this rapid lifecycle.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-k execpriv (execve syscalls)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Binary Execution</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Triggers when the actor executes unauthorized binaries (e.g., </span><code style="vertical-align: baseline;">pg_update</code><span style="vertical-align: baseline;">, </span><code style="vertical-align: baseline;">vmp</code><span style="vertical-align: baseline;">) with root privileges.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-k perm_mod (chmod, chown)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Weaponization</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Actors use sed to inject code into startup scripts and then run </span><code 
style="vertical-align: baseline;">chmod +x</code><span style="vertical-align: baseline;">. This rule triggers the second the script is made executable.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-k privileged (sudo, su)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Credential Theft</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><code style="vertical-align: baseline;">BRICKSTEAL</code><span style="vertical-align: baseline;"> requires sudo to scrape memory and config files. This logs the original user ID even if they escalate to root.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-k modules (init_module)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish Persistence</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Logs attempts to load malicious kernel modules or persistence drivers into the Photon OS.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-k shadow / -k passwd</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Anti-Forensics</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Logs any manual edits to the system's identity files used to create "trapdoor" root users.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> 
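<p><span style="vertical-align: baseline;">The detections described in this section are meant to run on the SIEM side, over what the VCSA forwards via remote syslog: the Early Detection Signals correlation of an IPtables drop followed by a failed login from the same source IP, and the STIG keys in the table above. The Python script below is an added example written for this guide, not Mandiant's or VMware's code. It parses a constructed sample of forwarded lines, raises the drop-then-failed-login pattern, attaches the table's TTP phase to each keyed <code style="vertical-align: baseline;">msg=audit</code> record, and pairs useradd/userdel records through their shared audit serial to flag an account created and deleted within the short lifecycle the table describes. The <code style="vertical-align: baseline;">VCSA-DROP</code> log prefix, host name, IPs, account names and regular expressions are assumptions; real iptables, sshd and audisp-syslog field layouts vary, so adapt the patterns to your own forwarded stream.</span></p>

```python
# SIEM-side correlation of VCSA telemetry forwarded over remote syslog.
# Added example for this guide (not Mandiant's or VMware's code). All sample
# lines, host names, IPs and the VCSA-DROP log prefix are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# auditd key -> TTP phase, taken from the STIG mapping table in this guide.
STIG_KEY_TTP = {
    "useradd": "Establish Foothold", "userdel": "Establish Foothold",
    "execpriv": "Binary Execution", "perm_mod": "Weaponization",
    "privileged": "Credential Theft", "modules": "Establish Persistence",
    "shadow": "Anti-Forensics", "passwd": "Anti-Forensics",
}

# Constructed sample of what a collector might receive from one VCSA: IPtables
# LOG lines (the VCSA-DROP prefix is assumed), sshd failures and audisp-syslog
# records. Not real telemetry.
SAMPLE_LOG = """\
2026-04-02T10:00:01Z vcsa01 kernel: VCSA-DROP: IN=eth0 OUT= SRC=10.20.30.44 DST=10.20.10.5 PROTO=TCP SPT=51544 DPT=5480
2026-04-02T10:00:03Z vcsa01 sshd[2210]: Failed password for root from 10.20.30.44 port 51550 ssh2
2026-04-02T10:00:09Z vcsa01 kernel: VCSA-DROP: IN=eth0 OUT= SRC=10.20.30.44 DST=10.20.10.5 PROTO=TCP SPT=51560 DPT=22
2026-04-02T10:07:15Z vcsa01 audispd: type=SYSCALL msg=audit(1775124435.120:901): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=1001 comm="useradd" exe="/usr/sbin/useradd" key="useradd"
2026-04-02T10:07:15Z vcsa01 audispd: type=EXECVE msg=audit(1775124435.120:901): argc=3 a0="useradd" a1="-m" a2="svcmgr"
2026-04-02T10:19:40Z vcsa01 audispd: type=SYSCALL msg=audit(1775125180.500:944): arch=c000003e syscall=59 success=yes exit=0 uid=0 auid=1001 comm="userdel" exe="/usr/sbin/userdel" key="userdel"
2026-04-02T10:19:40Z vcsa01 audispd: type=EXECVE msg=audit(1775125180.500:944): argc=3 a0="userdel" a1="-r" a2="svcmgr"
2026-04-02T11:30:00Z vcsa01 sshd[2399]: Failed password for admin from 10.20.50.9 port 40000 ssh2
"""

_LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")  # timestamp host rest-of-message
_DROP_RE = re.compile(r"kernel: .*\bSRC=(\d+\.\d+\.\d+\.\d+).*\bDPT=(\d+)")
_SSH_FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for (\S+) from (\d+\.\d+\.\d+\.\d+)")
_AUDIT_RE = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):(.*)")


def parse_lines(text):
    """Turn raw syslog lines into typed events; lines of unknown shape are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))
        host, rest = m.group(2), m.group(3)
        if d := _DROP_RE.search(rest):
            events.append({"ts": ts, "host": host, "kind": "fw_drop",
                           "src": d.group(1), "dport": int(d.group(2))})
        elif s := _SSH_FAIL_RE.search(rest):
            events.append({"ts": ts, "host": host, "kind": "auth_fail",
                           "user": s.group(1), "src": s.group(2)})
        elif a := _AUDIT_RE.search(rest):
            body = a.group(3)
            key = re.search(r'key="([^"]+)"', body)  # the SIEM search field from this guide
            events.append({"ts": ts, "host": host, "kind": "audit", "type": a.group(1),
                           "serial": a.group(2), "key": key.group(1) if key else None,
                           "argv": re.findall(r'a\d+="([^"]*)"', body)})
    return events


def correlate_drop_then_login(events, window=timedelta(seconds=60)):
    """Firewall drop followed within `window` by a failed login from the same
    source IP: the guide's high-confidence intrusion-attempt pattern."""
    drops = [e for e in events if e["kind"] == "fw_drop"]
    hits = []
    for fail in (e for e in events if e["kind"] == "auth_fail"):
        for d in drops:
            if d["src"] == fail["src"] and timedelta(0) <= fail["ts"] - d["ts"] <= window:
                hits.append((fail["src"], d["ts"], fail["ts"], fail["user"]))
                break  # one alert per failed login is enough
    return hits


def map_audit_keys(events):
    """Attach the STIG table's TTP phase to every keyed msg=audit record."""
    return [(e["ts"], e["key"], STIG_KEY_TTP.get(e["key"], "unmapped"))
            for e in events if e["kind"] == "audit" and e["key"]]


def account_lifecycle(events, window=timedelta(minutes=15)):
    """Pair useradd/userdel via the shared audit serial (SYSCALL carries the key,
    EXECVE the argv) and flag accounts created and deleted within `window`."""
    by_serial = defaultdict(dict)
    for e in events:
        if e["kind"] != "audit":
            continue
        rec = by_serial[e["serial"]]
        rec.setdefault("ts", e["ts"])
        if e["key"]:
            rec["key"] = e["key"]
        if e["argv"]:
            rec["argv"] = e["argv"]
    created, findings = {}, []
    for rec in sorted(by_serial.values(), key=lambda r: r["ts"]):
        argv = rec.get("argv", [])
        account = argv[-1] if len(argv) > 1 else None  # last argument is the account name
        if rec.get("key") == "useradd" and account:
            created[account] = rec["ts"]
        elif rec.get("key") == "userdel" and account in created:
            lifetime = rec["ts"] - created.pop(account)
            if lifetime <= window:
                findings.append((account, lifetime))
    return findings


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    for src, t_drop, t_fail, user in correlate_drop_then_login(evs):
        print(f"[HIGH] {src}: drop at {t_drop:%H:%M:%S}, failed login as {user} at {t_fail:%H:%M:%S}")
    for ts, key, phase in map_audit_keys(evs):
        print(f"[AUDIT] {ts:%H:%M:%S} key={key} -> {phase}")
    for account, lifetime in account_lifecycle(evs):
        print(f"[HIGH] account {account} created and deleted within {lifetime}")
```

<p><span style="vertical-align: baseline;">The script deliberately reads the stream after it has left the appliance, which is the point of the bridge configured in the steps that follow: none of this logic can run on the VCSA itself, and a local wipe of <code style="vertical-align: baseline;">/var/log/audit/</code> does not touch what the collector has already received. In the constructed sample the 10:00:01 drop and the 10:00:03 failed root login from the same address produce one high-confidence alert, the two keyed records map to Establish Foothold, and the svcmgr account lives 12 minutes 25 seconds, inside the lifecycle window.</span></p>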
</div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Mapping of STIG rules</span></div></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">Activating Remote Logging for auditd</span></h4> <h5><span style="vertical-align: baseline;">Step 1: Enable the Syslog Plugin</span></h5> <p><span style="vertical-align: baseline;">The Audit Dispatcher (audisp) should be configured to send events to the local syslog service so they can be forwarded via the VCSA remote syslog.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Use sed to change the status from 'no' to 'yes'
sed -i 's/^active = no/active = yes/' /etc/audisp/plugins.d/syslog.conf

# Verify the change
grep "^active" /etc/audisp/plugins.d/syslog.conf</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Step 2: Reload the Audit Daemon</span></h5> <p><span style="vertical-align: baseline;">You should reload the service so that it initializes the dispatcher and the syslog bridge:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>kill -HUP $(pidof auditd)</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Step 3: Verify the Bridge Is Operational</span></h5> <p><span style="vertical-align: baseline;">Check the local system messages to ensure the plugin has started successfully:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>grep "audisp-syslog" /var/log/messages</code></pre></div> <div class="block-paragraph_advanced"><p><span style="font-style: italic; vertical-align: baseline;">You should see a message indicating the plugin has initialized or started.</span></p> <h5><span style="vertical-align: baseline;">Step 4: Confirm Logs Are Forwarded</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>journalctl -f | grep audit</code></pre></div> <div class="block-paragraph_advanced"><p><span style="font-style: italic; vertical-align: baseline;">You should see events carrying the msg=audit prefix.</span></p> <p><strong style="vertical-align: baseline;">Syslog Tag (Key): </strong><span style="vertical-align: baseline;">In your SIEM, you should search for the field </span><code style="vertical-align: baseline;">msg=audit</code><span style="vertical-align: baseline;"> followed by the key="XYZ" (e.g., key="execpriv"). This allows you to filter out standard system logs and focus only on high-fidelity security events.</span></p> <h4><span style="vertical-align: baseline;">Additional Auditd Rules</span></h4> <p><span style="vertical-align: baseline;">In addition to the default rules in the Photon OS 4.0 STIG audit.STIG.rules file, these three rules should be added.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 
100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Recommended Rule Addition</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">TTP </strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Detail </strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-w /usr/bin/rpm -p x -k software_mgmt</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Malware Deployment</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Detects SLAYSTYLE:</strong><span style="vertical-align: baseline;"> Logs the execution of the RPM installer. 
Essential for spotting the deployment of unauthorized tools or malicious packages.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-w /etc/init.d/ -p wa -k startup_scripts</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish Persistence</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Detects Startup Injections:</strong><span style="vertical-align: baseline;"> Directly identifies the sed-based modifications used by threat actors to ensure backdoors survive a reboot.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">-w /root/.ssh/authorized_keys -p wa -k ssh_key_tamper</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish Persistence</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Persistence Sensor:</strong><span style="vertical-align: baseline;"> Any write (</span><code style="vertical-align: baseline;">w</code><span style="vertical-align: baseline;">) to the root SSH directory is inherently suspicious and detects the "trapdoor" persistence TTP.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Additional STIG-based rules</span></div></div> <div class="block-paragraph_advanced"><h4><span 
style="vertical-align: baseline;">Advanced Intrusion Detection Environment (AIDE)</span></h4> <p><span style="vertical-align: baseline;">While auditd provides low-level behavioral monitoring, AIDE provides file-level integrity validation for the VCSA. AIDE is a host-based file integrity monitoring (FIM) tool that is considered the industry standard for high-security Linux environments and is a requirement for </span><a href="https://stigviewer.cyberprotection.com/stigs/vmware_vsphere_8.0_vcenter_appliance_photon_os_4.0/2024-07-11/finding/V-266062" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">DISA STIG compliance (PHTN-40-000237)</span></a><span style="vertical-align: baseline;">.</span></p> <p><strong style="vertical-align: baseline;">Note: </strong><span style="vertical-align: baseline;">Mandiant recommends organizations perform comprehensive testing and fine-tuning of these rules within a staging environment before production deployment to account for variations in specific vSphere configurations and operational workloads. Proper calibration of monitoring thresholds and file exclusion lists is essential to achieve an optimal signal-to-noise ratio and ensure high-fidelity alerting of unauthorized modifications.</span></p> <h4><span style="vertical-align: baseline;">Why AIDE Is Essential Alongside auditd</span></h4> <p><span style="vertical-align: baseline;">Relying on a single telemetry stream is insufficient to counter the sophisticated tactics of BRICKSTORM. 
By pairing AuditD's behavioral auditing with AIDE's cryptographic integrity checks, organizations establish a mutual defense that reduces an attacker's ability to operate undetected.</span></p> <ul> <li><strong style="vertical-align: baseline;">auditd (Behavioral Monitoring): </strong><span style="vertical-align: baseline;">Captures the </span><span style="font-style: italic; vertical-align: baseline;">action</span><span style="vertical-align: baseline;"> (e.g., "Root used </span><span style="vertical-align: baseline;">sed</span><span style="vertical-align: baseline;"> to modify a script"). If an attacker achieves high-level privileges and "blinds" the audit service or wipes the local logs, the behavioral trail is lost.</span></li> <li><strong style="vertical-align: baseline;">AIDE (State Monitoring): </strong><span style="vertical-align: baseline;">Captures the </span><span style="font-style: italic; vertical-align: baseline;">result</span><span style="vertical-align: baseline;">. AIDE creates a cryptographic baseline (DNA fingerprint) of every critical system file. It does not care how a file was changed or if the audit logs were wiped; it only cares that the file is no longer authentic.</span></li> </ul> <h4><span style="vertical-align: baseline;">Using AIDE Alongside auditd</span></h4> <p><span style="vertical-align: baseline;">The following steps walk through how to verify the current AIDE integrity foundation, add </span><code style="vertical-align: baseline;">BRICKSTORM</code><span style="vertical-align: baseline;"> specific detections, and establish an immutable cryptographic baseline.</span></p> <h5><span style="vertical-align: baseline;">1: Diagnostic Assessment</span></h5> <p><span style="vertical-align: baseline;">Before modifying the environment, you should confirm the AIDE configuration status. 
Log in to the VCSA via SSH and run these commands as root:</span></p> <p><span style="vertical-align: baseline;">Confirm </span><a href="https://github.com/vmware/photon/blob/master/SPECS/aide/aide.spec" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">AIDE</span></a><span style="vertical-align: baseline;"> is installed and compiled with the required options </span><span style="font-style: italic; vertical-align: baseline;">(WITH_AUDIT and SHA-512).</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Check version and compiled options
aide -v</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">2. Verify the AIDE Database</span></h5> <p><span style="vertical-align: baseline;">AIDE requires that a cryptographic baseline (snapshot) exists. Check the status of the database:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Resolve the database directory (typically /var/lib/aide)
grep "@@define DBDIR" /etc/aide.conf

# Check for the active database
ls -lh /var/lib/aide/aide.db.gz</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">If aide.db.gz is missing, you have no baseline. If it exists but the timestamp is months old, your integrity foundation is stale and will produce high-noise alerts during a check.</span></p> <h5><span style="vertical-align: baseline;">3. Audit Current AIDE Coverage</span></h5> <p><span style="vertical-align: baseline;">Determine which parent directories are currently being monitored by the default rules:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Filter for active file selection rules
grep -v "^#" /etc/aide.conf | grep "^/"</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">4. 
Editing the AIDE Rule Set for BRICKSTORM Coverage</span></h5> <p><span style="vertical-align: baseline;">Open the configuration file:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>vi /etc/aide.conf</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Append these </span><code style="vertical-align: baseline;">BRICKSTORM</code><span style="vertical-align: baseline;">-specific rules to the bottom. Use the STIG rule group to ensure SHA-512 enforcement.</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># --- BRICKSTORM TARGETS ---
# Detects unauthorized SSH keys
/root/.ssh STIG
# Detects changes to system-level libraries
/lib64 STIG
# Detects tampering with AIDE itself
/etc/aide.conf STIG
# Detects attempts to edit the auditd configuration
/etc/audit/ STIG
# Detects attempts to sever the audisp syslog bridge
/etc/audisp/ STIG</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Then append the following negative (!) selection lines to exclude dynamic logs and reduce noise. The ! lines should come before the rules that tell AIDE to watch the parent folders (such as /opt or /etc).</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># --- NOISE REDUCTION: EXCLUDE DYNAMIC LOGS ---
# Ignore all standard logs
!/var/log/.*
# Ignore vCenter-specific service logs
!/opt/vmware/var/log/.*
# Ignore dynamic database/state files
!/var/lib/.*</code></pre></div> <div class="block-paragraph_advanced"><p><strong style="vertical-align: baseline;">Note:</strong><span style="vertical-align: baseline;"> The # annotations above are explanatory only. Keep them on their own lines or drop them entirely, and leave no trailing # text on the rule lines you append.</span></p> <h5><span style="vertical-align: baseline;">5. Initializing the AIDE Database</span></h5> <p><span style="vertical-align: baseline;">Once the rules are defined, you should generate a new cryptographic snapshot. 
This should only be performed when the VCSA is verified clean (e.g., immediately after patching).</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># 1. Initialize the new fingerprint database
aide --init

# 2. Activate the database
mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Copy aide.db.gz to a read-only, off-box location. Comparing the VCSA against an off-box "Gold Image" ensures that even root-level attackers cannot hide their modifications by re-initializing the local database.</span></p> <h5><span style="vertical-align: baseline;">6. Enable Remote Logging of AIDE Events via a Logger Pipe</span></h5></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Run a check and bridge the output to Syslog/SIEM
aide --check | logger -t AIDE_TRAP -p local6.crit</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">7. Automate the AIDE Database Check</span></h5> <p><span style="vertical-align: baseline;">To move from manual oversight to automated alerting, establish a recurring scheduled task. This ensures that the VCSA programmatically verifies its own state and reports any discrepancies.</span></p> <p><span style="vertical-align: baseline;">Open crontab:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>crontab -e</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Add the following entry to schedule the task:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code># Execute the check every 6 hours and send results via VCSA remote syslog
0 */6 * * * /usr/bin/aide --check | logger -t AIDE_TRAP -p local6.crit</code></pre></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">8. 
Conduct a Test Event</span></h5> <p><span style="vertical-align: baseline;">To confirm your defense is operational and your SIEM is successfully receiving AIDE alerts, perform a simulated breach.</span></p> <p><span style="vertical-align: baseline;">Add a comment to a monitored area (e.g., /etc/rc.local):</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>echo "# Forensic Bridge Test" >> /etc/rc.local</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Trigger a remote event trap:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>aide --check | logger -t AIDE_TRAP -p local6.crit</code></pre></div> <div class="block-paragraph_advanced"><p><span style="vertical-align: baseline;">Verify the alert: check the VCSA remote syslog target for the tag AIDE_TRAP. The message reports that differences were found, followed by the changed file:</span></p></div> <div class="block-paragraph_advanced"><pre class="language-plain"><code>AIDE found differences between database and filesystem!!
Changed files: /etc/rc.local</code></pre></div> <div class="block-paragraph_advanced"><h4><span style="vertical-align: baseline;">VCSA Shell History</span></h4> <p><span style="vertical-align: baseline;">On a Photon-based VCSA, the </span><code style="vertical-align: baseline;">/root/.bash_history</code><span style="vertical-align: baseline;"> file is not replicated to any other log file, nor is it sent to a remote syslog by default. This represents a major forensic visibility gap that threat actors take advantage of to maintain their unmonitored persistence.</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">The Buffer Issue:</strong><span style="vertical-align: baseline;"> Commands typed into the shell are kept in a memory buffer. 
They are only written (appended) to the physical file on the disk when the user logs out of the session.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">The Anti-Forensics Risk:</strong><span style="vertical-align: baseline;"> If a threat actor gains shell access, their first move is often to run </span><code style="vertical-align: baseline;">unset HISTFILE</code><span style="vertical-align: baseline;"> or </span><code style="vertical-align: baseline;">history -c</code><span style="vertical-align: baseline;">. This prevents the memory buffer from ever being written to the disk. Even if the file is written, an attacker can simply run </span><code style="vertical-align: baseline;">rm /root/.bash_history</code><span style="vertical-align: baseline;"> before exiting.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">No Remote Transmission:</strong><span style="vertical-align: baseline;"> Standard VCSA syslog configurations monitor directories like </span><code style="vertical-align: baseline;">/var/log/</code><span style="vertical-align: baseline;">. 
They do not monitor hidden user files like </span><code style="vertical-align: baseline;">.bash_history</code><span style="vertical-align: baseline;">.</span></p> </li> </ul> <p><span style="vertical-align: baseline;">The auditd remote syslog configured in the </span><a href="https://docs.google.com/document/d/1Qdj2nlx3yV1KoNveQ5lxFFyslKdhNXLEccIHHuYqEc8/edit?tab=t.0#heading=h.q04njdd8vhz4" rel="noopener" target="_blank"><span style="text-decoration: underline; vertical-align: baseline;">previous steps</span></a><span style="vertical-align: baseline;"> is so critical because it bypasses the need for </span><code style="vertical-align: baseline;">.bash_history</code><span style="vertical-align: baseline;"> entirely. auditd intercepts system calls (syscalls) at the kernel level and forwards detailed forensic data, including the original login user ID (AUID) and the outcome of each command, to a remote SIEM as the command is executed. This bridge ensures that even if a threat actor purges local logs or crashes the session, an immutable, real-time audit trail remains preserved off-appliance.</span></p> <h4><span style="vertical-align: baseline;">Logging Design Principles</span></h4> <p><span style="vertical-align: baseline;">Recent </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">CISA reporting and GTIG analysis</span></a><span style="vertical-align: baseline;"> describe threat actors abusing management interfaces (including enabling SSH), making persistence-related configuration changes, and using vCenter capabilities to access high-value virtual machines. 
An organization's logging strategy should therefore prioritize management-plane audit trails, service-state changes, identity events, hypervisor telemetry, and centralized forwarding.</span></p> <ol> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Centralize first, then tune.</strong><span style="vertical-align: baseline;"> Forward logs off-host in near real time so an attacker cannot tamper with them by wiping local disks. Configure both VCSA and ESXi to forward to a central syslog/SIEM target.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Treat logs as Tier-0 data.</strong><span style="vertical-align: baseline;"> If vCenter is Tier-0, then vCenter/ESXi logs are also Tier-0. Restrict who can read them, who can change forwarding settings, and who can stop logging services.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Make timestamps defensible. </strong><span style="vertical-align: baseline;">Ensure consistent Network Time Protocol (NTP) across VCSA, ESXi hosts, jump boxes, and log collectors so correlation is reliable during an incident.</span></p> </li> <li aria-level="1" style="list-style-type: decimal; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Log the actions that matter, not everything. 
</strong><span style="vertical-align: baseline;">For threat actor activity, you care less about generic "system is running" noise and more about: who accessed management, what changed, what was cloned/exported, what services were enabled, what binaries/configs were modified, and which network destinations the appliance/host talked to.</span></p> </li> </ol> <p><span style="vertical-align: baseline;">Organizations should establish the "</span><a href="https://cloud.google.com/blog/topics/threat-intelligence/defending-vsphere-from-unc3944?e=48754805"><span style="text-decoration: underline; vertical-align: baseline;">vSphere logging fundamentals</span></a><span style="vertical-align: baseline;">" previously described by Mandiant by offloading all infrastructure logs to a centralized, remote SIEM.</span></p> <h5><span style="vertical-align: baseline;">The vSphere Unified Logging Architecture</span></h5> <p><span style="vertical-align: baseline;">The following summary table maps the vSphere telemetry streams described above. 
By implementing these steps, organizations can move from a single localized log to a multilayered remote detection architecture that covers the entire </span><code style="vertical-align: baseline;">BRICKSTORM</code><span style="vertical-align: baseline;"> malware lifecycle.</span></p></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Type</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Forensic Layer</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Signal Observed </strong></p> </td> <td style="vertical-align: middle; border: 1px solid 
#000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">TTP Phase</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Detail </strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">vCenter Application Events</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Management Plane (API/UI)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Programmatic Event IDs: VmClonedEvent, VibInstalledEvent, HostSshEnabledEvent</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Initial Access / Exfiltration</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Tells you "</span><strong style="vertical-align: baseline;">What</strong><span style="vertical-align: baseline;">" high-level action was performed (e.g., a domain controller was cloned) and the Admin IP responsible.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Identity (SSO) Events</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Identity Layer</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Principal Events: com.vmware.sso.PrincipalManagement</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish 
Persistence </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detects "</span><strong style="vertical-align: baseline;">Who</strong><span style="vertical-align: baseline;">" was created. Specifically catches the transient accounts used as deployment vehicles for backdoors.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">AuditD Kernel Logs</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">OS Kernel (Photon OS)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Syscall Keys: key="execpriv", key="useradd", key="privileged"</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish Persistence </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Tells you "</span><strong style="vertical-align: baseline;">How</strong><span style="vertical-align: baseline;">" the shell was used. 
Captures commands typed by an intruder (e.g., sudo, sed, rpm) even if they delete their bash history.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">AIDE Integrity </strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Filesystem</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Syslog Tag: AIDE_TRAP stating: "differences found between database and filesystem"</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Establish Persistence</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Tells you "</span><strong style="vertical-align: baseline;">What </strong><span style="vertical-align: baseline;">was modified" to ensure residency. 
Detects physical changes to binaries and startup scripts that standard logs miss.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">IPtables OS Firewall</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Network Layer (Host-Based)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Kernel Message: VCSA_FW_DROP + Source IP + Destination Port</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Initial Access / Lateral Movement </span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Tells you "</span><strong style="vertical-align: baseline;">Who</strong><span style="vertical-align: baseline;"> is probing?". Identifies compromised internal VMs attempting to scan or brute-force VCSA management ports (SSH/VAMI).</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">vSphere VCSA logging</span></div></div> <div class="block-paragraph_advanced"><h5><span style="vertical-align: baseline;">Implementation Best Practices</span></h5> <p><span style="vertical-align: baseline;">For both the VCSA and ESXi hosts, the implementation of remote syslog should move beyond legacy, unencrypted protocols. 
The following standards are required to ensure the integrity and survivability of the forensic trail:</span></p> <ul> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Encryption via TLS (TCP Port 6514):</strong><span style="vertical-align: baseline;"> Sending logs over UDP/514 is insecure and unreliable. A threat actor on the management network can read the traffic or spoof log entries. Organizations should enforce TCP with TLS encryption for all syslog traffic. This encrypts logs in transit and provides acknowledged delivery over TCP rather than the fire-and-forget datagrams of UDP.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Certificate Validation:</strong><span style="vertical-align: baseline;"> To prevent man-in-the-middle (MitM) attacks on the logging pipeline, the VCSA and ESXi hosts should be configured to validate the TLS certificate of the remote syslog server. This ensures that telemetry is sent to the intended, verified collector and not to a rogue listener controlled by the attacker.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">VCSA Custom Shell Bridging:</strong><span style="vertical-align: baseline;"> Because the VCSA does not forward shell activity or denied firewall connections by default, administrators should consider implementing an agentless bridge at the Photon OS level. 
By configuring the </span><code style="vertical-align: baseline;">audisp</code><span style="vertical-align: baseline;"> (Audit Dispatcher) and piping </span><code style="vertical-align: baseline;">iptables</code><span style="vertical-align: baseline;"> logs into the native rsyslog service, the VCSA is transformed from a passive appliance into an active sensor, capable of streaming real-time kernel-level alerts directly into the encrypted TLS pipeline.</span></p> </li> <li aria-level="1" style="list-style-type: disc; vertical-align: baseline;"> <p role="presentation"><strong style="vertical-align: baseline;">Standardized Retention:</strong><span style="vertical-align: baseline;"> Given this threat actor's dwell time averages 393 days, the remote syslog repository should be configured with a minimum retention period of 400 days. This allows investigators to correlate the programmatic </span><code style="vertical-align: baseline;">eventTypeId</code><span style="vertical-align: baseline;"> of a year-old initial compromise with the low-level auditd signals of a current breach.</span></p> </li> </ul> <h5><span style="vertical-align: baseline;">Summary of Logging Detections</span></h5></div> <div class="block-paragraph_advanced"><div align="left"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div 
style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"> <div style="color: #5f6368; overflow-x: auto; overflow-y: hidden; width: 100%;"><table><colgroup><col/><col/><col/><col/></colgroup> <tbody> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Attack Phase</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">TTP</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Key Forensic Log Source(s)</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Technical Detail </strong></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Initial Access</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Edge Appliance Exploitation</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Tomcat Audit Logs: /home/kos/auditlog/fapi_cl_audit_log.log</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detects requests to /manager/text/deploy (CVE-2026-22769) to deploy malicious WAR files like </span><strong style="vertical-align: baseline;">SLAYSTYLE</strong><span style="vertical-align: baseline;">.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td 
style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Reconnaissance & Scanning</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">VCSA firewall_audit: </span><strong style="vertical-align: baseline;">SSH_BLOCKED_NEW,</strong><span style="vertical-align: baseline;"> </span><strong style="vertical-align: baseline;">WEB_BLOCKED_NEW</strong><span style="vertical-align: baseline;">, </span><strong style="vertical-align: baseline;">VAMI_BLOCKED_NEW</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Identifies attempts to probe management ports (22, 443, 5480) from unauthorized, non-whitelisted IPs.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Lateral Movement</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Credential Abuse</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Windows Event 4624 (Type 3); VCSA firewall_audit: </span><strong style="vertical-align: baseline;">ALLOWED SSH</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detects network logins from appliance IPs using stolen service account credentials.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Stealth Pivoting (Ghost NICs)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 
16px;"> <p><span style="vertical-align: baseline;">vCenter Events: </span><strong style="vertical-align: baseline;">VmNetworkAdapterAddedEvent</strong><span style="vertical-align: baseline;"> (8.0u3+) or </span><strong style="vertical-align: baseline;">VmReconfiguredEvent</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VmNetworkAdapterAddedEvent </strong><span style="vertical-align: baseline;">is a high-fidelity "Critical" signal for bridging VMs into restricted networks. Legacy builds use </span><strong style="vertical-align: baseline;">VmReconfiguredEvent </strong><span style="vertical-align: baseline;">to track unauthorized NIC additions.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Takeover</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Management Interface Access</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VAMI Logs</strong><span style="vertical-align: baseline;">: /var/log/vmware/vami/vami-httpd.log</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Records POST requests to /rest/com/vmware/cis/session followed by SSH enablement via PUT requests on port 5480.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Interactive Shell Escape</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SSO Audit (PrincipalManagement); VCSA 
</span><strong style="vertical-align: baseline;">SHELL_COMMAND</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitors membership changes to </span><strong style="vertical-align: baseline;">BashShellAdministrators</strong><span style="vertical-align: baseline;"> to escape VAMI to bash; tracks interactive commands like whoami or netstat.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Persistence</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Startup Script Injections</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AuditD Key -k startup_scripts; VCSA init files</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detects</span><strong style="vertical-align: baseline;"> sed</strong><span style="vertical-align: baseline;"> commands modifying /etc/sysconfig/init or /opt/vmware/etc/init.d/vami-lighttp.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Transient SSO Accounts</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">SSO Audit (audit_events.log)</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Rapid creation and deletion of local accounts (e.g., in vsphere.local) used solely for malware deployment.</span></p> </td> </tr> <tr> <td 
style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Filesystem Integrity / Binary</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AIDE Monitor (</span><strong style="vertical-align: baseline;">AIDE_TRAP</strong><span style="vertical-align: baseline;">); AuditD Key -k execpriv</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detects physical changes to binaries in</span><strong style="vertical-align: baseline;"> /lib64 </strong><span style="vertical-align: baseline;">or </span><strong style="vertical-align: baseline;">/root/.ssh</strong><span style="vertical-align: baseline;"> and execution of unauthorized binaries like</span><strong style="vertical-align: baseline;"> vmsrc</strong><span style="vertical-align: baseline;">.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Rogue "Ghost VMs"</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">AUDIT log</span></p> <p><span style="vertical-align: baseline;">“vmx -x” /var/log/shell.log</span></p> <p><span style="vertical-align: baseline;">“/bin/vmx” /var/log/shell.log</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Detection of unregistered virtual machine files (.vmx) hidden from standard management consoles.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong 
style="vertical-align: baseline;">Credential Theft</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Tomcat Memory Scraping</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vCenter Web Logs; AuditD Key -k privileged</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Monitors HTTP requests to /web/saml2/sso/* </span><strong style="vertical-align: baseline;">(BRICKSTEAL</strong><span style="vertical-align: baseline;">); tracks sudo usage for scraping memory or DB credentials.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Offline NTDS.dit Theft</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">vCenter Events; vCenter VPXD Logs; ESXi hostd.log</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">VmClonedEvent</strong><span style="vertical-align: baseline;"> or </span><strong style="vertical-align: baseline;">VmBeingClonedEvent</strong><span style="vertical-align: baseline;"> targeting domain controllers followed by </span><strong style="vertical-align: baseline;">VmDiskHotPlugEvent</strong><span style="vertical-align: baseline;"> to mount disks offline to extract the ntds.dit database.</span></p> </td> </tr> <tr> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><strong style="vertical-align: baseline;">Exfiltration</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> 
<p><span style="vertical-align: baseline;">C2 & Data Tunnelling</span></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">VCSA firewall_audit: </span><strong style="vertical-align: baseline;">INTERNET_BLOCKED</strong><span style="vertical-align: baseline;">, </span><strong style="vertical-align: baseline;">ZT_OUTBOUND_DENIED</strong></p> </td> <td style="vertical-align: middle; border: 1px solid #000000; padding: 16px;"> <p><span style="vertical-align: baseline;">Captures VCSA attempting unauthorized outbound calls to external C2 nodes via SOCKS proxies or DoH.</span></p> </td> </tr> </tbody> </table></div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <div align="left" style="text-align: center;"><span style="vertical-align: baseline; color: #5f6368; display: block; font-size: 16px; font-style: italic; margin-top: 8px; width: 100%;">Mapping of logging and detections</span></div></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Conclusion</span></h3> <p><span style="vertical-align: baseline;">It is critical for organizations to recognize that the vCenter Server control plane is a primary target for state-sponsored espionage and global ransomware operations. Technical hardening is essential to create the friction required to generate high-fidelity signals. By enforcing barriers such as VCSA OS-level firewalls, phishing-resistant MFA, and restricted management interfaces, organizations force a threat actor to attempt actions that are inherently suspicious.</span></p> <p><span style="vertical-align: baseline;">Addressing forensic visibility gaps through the implementation of auditd, AIDE, and centralized remote logging ensures that evidence of persistence is preserved for incident response activities. 
Organizations should leverage this enhanced telemetry to build pattern-based behavioral detections rather than relying on static Indicators of Compromise (IoCs). As adversaries </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/threat-actor-usage-of-ai-tools?linkId=60744246"><span style="text-decoration: underline; vertical-align: baseline;">increasingly leverage AI</span></a><span style="vertical-align: baseline;"> across the entire attack lifecycle, the hardening and logging controls outlined in this guide should become the universal vSphere security baseline to ensure every unauthorized movement results in an immediate and immutable forensic response.</span></p></div>
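<p>The clone-then-hotplug sequence and the ghost-VM shell patterns from the table above, written as pattern-based detections over constructed sample records. This is an added example, not code from Mandiant or the post; the event field names (time, type, vm, user) are a simplified assumption rather than the exact vSphere API schema, and the domain controller inventory and log lines are constructed.</p>

```python
"""Behavioral detections for the vCenter/ESXi patterns mapped above.
Added illustration; the simplified event layout is an assumption."""
from datetime import datetime, timedelta

CLONE_EVENTS = {"VmClonedEvent", "VmBeingClonedEvent"}
HOTPLUG_EVENT = "VmDiskHotPlugEvent"
GHOST_VM_PATTERNS = ("vmx -x", "/bin/vmx")  # from the detection table

# Constructed sample vCenter events; "vm" is the source VM for clone events.
SAMPLE_EVENTS = [
    {"time": "2026-04-01T02:00:00Z", "type": "VmBeingClonedEvent", "vm": "DC01", "user": "svc-backup"},
    {"time": "2026-04-01T02:04:30Z", "type": "VmClonedEvent", "vm": "DC01", "user": "svc-backup"},
    {"time": "2026-04-01T02:09:10Z", "type": "VmDiskHotPlugEvent", "vm": "jumpbox-07", "user": "svc-backup"},
    {"time": "2026-04-01T09:00:00Z", "type": "VmClonedEvent", "vm": "web-12", "user": "alice"},
]
DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # constructed inventory of protected VMs

# Constructed ESXi /var/log/shell.log excerpt.
SAMPLE_SHELL_LOG = """\
2026-04-01T02:15:01Z shell[12345]: [root]: ls /vmfs/volumes
2026-04-01T02:15:44Z shell[12345]: [root]: /bin/vmx -x /vmfs/volumes/ds1/ghost/ghost.vmx
2026-04-01T02:16:02Z shell[12345]: [root]: esxcli network firewall get
"""


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_dc_clone_then_hotplug(events, dcs, window=timedelta(minutes=30)):
    """Alert when a protected VM is cloned and the same user hot-plugs a disk
    on any VM within `window` (the offline NTDS.dit extraction pattern)."""
    parsed = sorted((dict(e, ts=_ts(e["time"])) for e in events), key=lambda e: e["ts"])
    alerts, seen = [], set()
    for c in parsed:
        if c["type"] not in CLONE_EVENTS or c["vm"] not in dcs:
            continue
        for e in parsed:
            if (e["type"] == HOTPLUG_EVENT and e["user"] == c["user"]
                    and c["ts"] <= e["ts"] <= c["ts"] + window):
                key = (c["user"], c["vm"], e["vm"])  # de-duplicate the two clone events
                if key not in seen:
                    seen.add(key)
                    alerts.append({"user": c["user"], "source_vm": c["vm"], "target_vm": e["vm"]})
    return alerts


def ghost_vm_lines(shell_log_text):
    """Return shell.log lines that launch a VM outside the management plane."""
    return [ln for ln in shell_log_text.splitlines() if any(p in ln for p in GHOST_VM_PATTERNS)]


if __name__ == "__main__":
    print(detect_dc_clone_then_hotplug(SAMPLE_EVENTS, DOMAIN_CONTROLLERS))
    print(ghost_vm_lines(SAMPLE_SHELL_LOG))
```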
