LOLESXi-Project / LOLESXi

LOLESXi is a curated compilation of binaries/scripts available in VMware ESXi that have been used by adversaries in their intrusions. This project gathers procedural examples from public reports of adversarial activities targeting ESXi hosts.
https://lolesxi-project.github.io/LOLESXi/
GNU General Public License v3.0

scp and file/tool transfer function #16

Open tropChaud opened 1 month ago

tropChaud commented 1 month ago

Are you open to adding scp and probably an associated new function for something like "file transfer" or "tool transfer" (likely T1570)? If so, I'm happy to open a PR.

Apparently used by CACTUS ransomware actors to distribute their encryptor after initial compromise of the environment: "The threat actors copied the executable file, labeled with the victim's ID, to the hosts via SCP and granted it execution rights. scp -t '/{Victim ID}'" https://www.bitdefender.com/blog/businessinsights/cactus-analyzing-a-coordinated-ransomware-attack-on-corporate-networks/

The -t flag appears more like a log artefact rather than a common execution parameter so I would focus on the command format provided in Atomic Red Team for example: https://www.reddit.com/r/vmware/comments/12qzrxg/auditing_vsphere_datastore_activities_download/

*Edited to provide Atomic Red Team link
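The `-t` artefact mentioned above is the server-side mode an scp client spawns over SSH on the receiving host (`-f` is the sending counterpart), which is why it shows up in the host's own command log rather than in what an operator typed. As an added detection example (not part of this issue or the LOLESXi project), the following script tags scp invocations found in ESXi shell-log style lines by that mode; the log line format and all sample lines are constructed for this example and should be checked against real hosts.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed sample lines modelled on ESXi's /var/log/shell.log
# (format assumed for this example; verify against your own hosts).
SAMPLE_LOG = """\
2024-05-01T10:02:11Z shell[2060]: [root]: esxcli vm process list
2024-05-01T10:03:40Z shell[2060]: [root]: scp -t '/vmfs/volumes/datastore1/'
2024-05-01T10:04:02Z shell[2060]: [root]: chmod +x /vmfs/volumes/datastore1/enc
2024-05-01T10:05:19Z shell[2061]: [root]: scp /vmfs/volumes/datastore1/foo.txt user@10.0.0.5:/tmp/
2024-05-01T10:06:00Z shell[2061]: [root]: scp -f /vmfs/volumes/datastore1/foo.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

@dataclass
class ScpEvent:
    ts: str
    user: str
    mode: str   # "sink" (file pushed to this host), "source" (pulled from it) or "client"
    cmd: str

def classify_scp(cmd: str):
    """Return the scp mode for a logged command line, or None if it is not scp."""
    try:
        argv = shlex.split(cmd)
    except ValueError:          # unbalanced quotes in the log line
        argv = cmd.split()
    if not argv or argv[0] != "scp":
        return None
    # -t / -f are the remote-side modes started by an scp client over SSH.
    if "-t" in argv[1:]:
        return "sink"
    if "-f" in argv[1:]:
        return "source"
    return "client"             # scp typed on this host to reach another one

def find_scp_events(log_text: str):
    """Parse shell-log style lines and return every scp invocation with its mode."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mode = classify_scp(m["cmd"])
        if mode:
            events.append(ScpEvent(m["ts"], m["user"], mode, m["cmd"]))
    return events

if __name__ == "__main__":
    for ev in find_scp_events(SAMPLE_LOG):
        print(f"{ev.ts} {ev.user} scp[{ev.mode}]: {ev.cmd}")
```

A "sink" event followed shortly by a chmod on the same datastore path is the sequence the Bitdefender write-up describes, so the two are worth correlating.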

blueteam0ps commented 1 month ago

@tropChaud It is unclear if the TA used scp from another host to copy it over to the ESXi host or used the scp available on the ESXi host, according to the write-up.

blueteam0ps commented 1 day ago

@tropChaud any update on this pls?