LOLESXi-Project / LOLESXi

LOLESXi is a curated compilation of binaries/scripts available in VMware ESXi that were used by adversaries in their intrusions. This project gathers procedural examples from public reports of adversarial activities targeting ESXi hosts.
https://lolesxi-project.github.io/LOLESXi/
GNU General Public License v3.0

Only Open Source Documented Procedures Included? #18

Closed AlbinoGazelle closed 3 days ago

AlbinoGazelle commented 5 days ago

Should we only include examples that have direct proof of being used by adversaries? In Mandiant's blog post here: https://cloud.google.com/blog/topics/threat-intelligence/vmware-detection-containment-hardening they note the default behavior of the ESXi firewall is to drop packets but a threat actor could leverage esxcli to set the default behavior to pass packets, essentially disabling the firewall. See network firewall set command here: https://developer.broadcom.com/xapis/esxcli-command-reference/7.0.0/namespace/esxcli_network.html

I'd like to include this in the project, let me know if that makes sense!

blueteam0ps commented 4 days ago

@AlbinoGazelle - Thanks for reaching out. Let's capture it and make a note to state that the actual command run by the TA is not available via CTI reporting and the example provided is via vendor doco. Are you able to add this?
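The firewall default-action change discussed above is easy to check for from the defender's side. The script below is an added example, not part of the LOLESXi project or the Mandiant report: it parses the output of `esxcli network firewall get` and flags a host whose firewall is disabled or whose default action is no longer DROP. The sample outputs are constructed here; they follow the `Default Action:` / `Enabled:` / `Loaded:` key-value layout the command is assumed to print, and that layout is an assumption to verify on your own build before relying on it.

```shell
#!/bin/sh
# Added example (not LOLESXi project code). Audits the output of
# `esxcli network firewall get` for a weakened configuration.
#
# Assumed output layout of the real command (verify on your ESXi build):
#    Default Action: DROP
#    Enabled: true
#    Loaded: true

# Reads the `esxcli network firewall get` text on stdin.
# Returns 0 when the firewall is enabled with Default Action DROP,
# 1 when it is weakened (default PASS, disabled, or fields missing),
# and prints one ALERT line per finding.
check_firewall_state() {
    default_action=""
    enabled=""
    while IFS= read -r line; do
        # Strip a trailing CR in case the output came through a Windows SSH client.
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            *"Default Action:"*)
                default_action=$(printf '%s' "$line" \
                    | sed 's/.*Default Action:[[:space:]]*//; s/[[:space:]]*$//') ;;
            *"Enabled:"*)
                enabled=$(printf '%s' "$line" \
                    | sed 's/.*Enabled:[[:space:]]*//; s/[[:space:]]*$//') ;;
        esac
    done
    status=0
    if [ "$default_action" != "DROP" ]; then
        echo "ALERT: firewall default action is '${default_action:-unknown}' (expected DROP)"
        status=1
    fi
    if [ "$enabled" != "true" ]; then
        echo "ALERT: firewall enabled flag is '${enabled:-unknown}' (expected true)"
        status=1
    fi
    return $status
}

# Constructed sample outputs, mimicking the assumed layout above.
SAMPLE_HARDENED='   Default Action: DROP
   Enabled: true
   Loaded: true'
SAMPLE_WEAKENED='   Default Action: PASS
   Enabled: true
   Loaded: true'

# Demonstration on the constructed samples. On a live host, replace the
# printf with the real command:  esxcli network firewall get | check_firewall_state
printf '%s\n' "$SAMPLE_HARDENED" | check_firewall_state && echo "hardened sample: OK"
printf '%s\n' "$SAMPLE_WEAKENED" | check_firewall_state || echo "weakened sample: flagged"
```

The check fails closed: an empty or unexpected output (for example, if the command errors and prints nothing) raises both alerts rather than reporting the host as clean, so a broken collector shows up as a finding instead of a silent pass.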