Suspicious Renaming of ESXI index.html File
Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system. The rule monitors for the "rename" event action associated with this specific file and path; such a rename is not part of normal operation and is a step reported in the ESXiArgs ransomware campaign the rule references, where the ESXi host's web interface page is tampered with.
[metadata]
# When the rule was first added and when it was last changed (YYYY/MM/DD).
creation_date = "2023/04/11"
updated_date = "2023/04/11"
# Data source the query depends on, and the rule's release status.
integration = ["endpoint"]
maturity = "production"
# Oldest stack version the rule schema targets, and the reason for the floor.
min_stack_version = "8.5.0"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
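[rule]
author = ["Elastic"]
description = """
Identifies instances where the "index.html" file within the "/usr/lib/vmware/*" directory is renamed on a Linux system.
The rule monitors for the "rename" event action associated with this specific file and path,
which could indicate malicious activity.
"""
from = "now-9m"
# Elastic Defend (endpoint) file events only. NOTE(review): the rule can
# only fire on hosts that run the endpoint integration and expose a
# /usr/lib/vmware tree to it — confirm which fleet hosts that covers.
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Suspicious Renaming of ESXI index.html File"
references = [
    "https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/",
]
risk_score = 47
rule_id = "c125e48f-6783-41f0-b100-c3bf1b114d16"
severity = "medium"
tags = ["Elastic", "Host", "Linux", "Threat Detection", "Defense Evasion"]
timestamp_override = "event.ingested"
type = "eql"
# On rename events the file.Ext.original.* fields hold the pre-rename
# name/path while file.name/file.path hold the post-rename ones. The
# previous query combined file.name (new name) with file.Ext.original.path
# (old path), so the case the description targets — an index.html under
# /usr/lib/vmware renamed to something else, e.g. index1.html as in the
# referenced ESXiArgs write-up — did not match, because the new name is
# not "index.html". Match on the original name instead; the file.name
# clause is kept so every event the old query matched still does.
query = '''
file where host.os.type == "linux" and event.action == "rename" and
file.Ext.original.path : "/usr/lib/vmware/*" and
(file.Ext.original.name : "index.html" or file.name : "index.html")
'''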
[[rule.threat]]
framework = "MITRE ATT&CK"

# Tactic the rule is filed under in the ATT&CK matrix.
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

# Technique mapping for the rename behaviour.
[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

# NOTE(review): T1036.003 is named for renaming system utilities; a renamed
# web-UI page is a loose fit. Consider T1036 alone, or adding T1491.001
# (Defacement: Internal Defacement) if the page swap is the behaviour
# being tracked.
[[rule.threat.technique.subtechnique]]
id = "T1036.003"
name = "Rename System Utilities"
reference = "https://attack.mitre.org/techniques/T1036/003/"