How Falcon Next-Gen SIEM Protects Enterprises from VMware vCenter Attacks

One challenge of correlating all of the attack stages together is the events for uploading an ISO are not associated with a VM, so a key component of detecting the attack chain is to first collect all of the VM-related activities (create, attach ISO, start) with the ISO upload events. To facilitate detection of this technique, we can leverage CQL to identify these VM-related activities, in addition to the ISO upload events, as shown in the query below.
The following sections will cover a handful of threats against vCenter instances. They are accompanied by the rule templates created by CrowdStrike that can be used to detect the described attacks.
With CrowdStrike Falcon® Next-Gen SIEM, CrowdStrike gives defenders the ability to quickly detect and respond to threats targeting vCenter. We’ve created a new parser and numerous rule templates and dashboards for Falcon Next-Gen SIEM to better protect organizations from these attacks. In this blog, we detail in-the-wild attacks targeting vCenter, the corresponding rule templates that may be used to detect these threats, and how customers can ingest vCenter logs into Falcon Next-Gen SIEM.

Attacks Seen in the Wild

In this attack scenario, the adversary attempts to establish persistence by downloading an unmanaged ISO file to a compromised system. Once downloaded, the ISO is uploaded to vCenter from the foothold system. Alternatively, the adversary could simply use an ISO already present within vCenter, such as a base Windows image that was left by administrators.

Bring Your Own (BYO) ISO Persistence

Past events underscore the urgency of securing vCenter instances. In January 2024, VMware confirmed that a critical vCenter Server remote code execution vulnerability (CVE-2023-34048), patched in October 2023, was under active exploitation. This vulnerability allowed attackers to remotely execute code without authentication, potentially giving them full control over an organization’s virtual infrastructure.
Either way, the adversary uses this ISO to create a virtual machine they use for continued operations within the environment. This enables persistence for the adversary, as the unmanaged operating system now runs from vCenter and is accessible to and wholly owned by the threat actor, with limited visibility of the new host to the organization being compromised.

Detecting BYO ISOs

Internet-facing assets are targeted for many reasons, such as to establish persistence, evade defensive capabilities, and access sensitive networks. According to the search engine Shodan, approximately 1,600 VMware vSphere instances are directly accessible via the internet, representing a significant attack surface. Defending them is critical: A compromised vCenter instance can lead to full control over an organization’s virtual infrastructure, potentially impacting business continuity, data confidentiality, and overall security posture.

1. Upload the ISO into a vCenter datastore.
2. Create an unmanaged virtual machine (VM) appliance on the vCenter server.
3. Attach the newly uploaded ISO to the newly created VM.
4. Start the VM.

To detect BYO ISO persistence, first we must break down the attack path into individual stages. This attack contains four stages, which is a good recipe for correlation, as outlined below.

#Vendor="vmware" #event.module="vcenter" (#event.dataset="vcenter.vpxd" OR #event.dataset="vcenter.vpxd-main")
    | #event.kind="event"    
    // Select and categorize events based on the stage of the  attack
    | case {
        #event.dataset="vcenter.vpxd" Vendor.message=/Files+?uploads+?tos+?path/ Vendor.message=/completeds+?withs+?statuss+?'True'/ Vendor.message=/.iso/i 
        | attack_stage := "upload_iso";        
        #event.dataset="vcenter.vpxd" Vendor.message=/vim.event.VmCreatedEvent/ 
        | attack_stage := "create_vm";
        #event.dataset="vcenter.vpxd" Vendor.message=/vim.event.VmStartingEvent/ 
        | attack_stage := "start_vm";
        #event.dataset="vcenter.vpxd-main" Vendor.message=/vim.vm.ConfigSpec/ Vendor.fileName=/.iso/i Vendor.summary=/ISO/
        | attack_stage := "attach_iso";
    }
    | splitString(field=Vendor.fileName, by="/",index=-1, as=file_name)
    | vm_name := coalesce([Vendor.folder_name,Vendor.vm_name])
    | groupBy(field=[host.name,vm_name], function=collect([#Vendor,#event.module,event.category[0],attack_stage,file_name]))
    | case{
        // Look for VMs that exhibit 3 stages
        attack_stage=/create_vm/m attack_stage=/start_vm/m attack_stage=/attach_iso/m;
        // All ISO uploads. Note: ISO uploads are not connected to the VM.
        attack_stage=/upload_iso/m; 
    } 

    // Create individual events for each file name to assess the stages for each individual ISO file.
    | regex(field=file_name, regex="^(?.+?)(n|$)", repeat=true)    
    // Remove folder name of where the ISO was stored.
    | case {
        attack_stage=/upload_iso/m 
        | vm_name := "";
        *
    }
    // Group events based on iso file name
    | groupBy([host.name,file_name], function=collect([#Vendor,#type,event.category[0],attack_stage,vm_name]))
    | replace(regex="n",field=vm_name, replacement="", as=vm_name)
    // Look for ISO files that are present in all four stages of the attack
    | attack_stage=/create_vm/mi attack_stage=/start_vm/mi attack_stage=/attach_iso/mi attack_stage=/upload_iso/mi
    | summary := format(format="A potential rogue VM (%s) was identified on vCenter Server (%s). It was created with recently uploaded ISO %s.",field=[vm_name,host.name,file_name])