The following exercises demonstrate how a ZeroLock Agent provides an ESXi Hypervisor with protection against malicious activity.
Anti-Tampering
The first test attempts to kill the ZeroLock Agent.
1. ssh to the ESXi system
Note: SSH-MFA alert is generated
2. Attempt to kill ZeroLock: pkill -9 zerolock
Test result:
- ssh session is closed.
- Tampering alert is generated.
The Tampering Protection is controlled by the Configuration Profile assigned to the endpoint. By default, the response type is set to Kill.
Program Filter
Program filtering is part of the layered protection provided by the ZeroLock agent. Program filtering stops any executable that was installed after the ZeroLock Agent from being launched.
1. ssh to the ESXi system
Note: SSH-MFA alert is generated
2. Create a simple script to create a new directory and add 30 text files:
a. vi createfiles.sh
#!/bin/sh
# Recreate ./test_files from scratch and populate it with 30 small text files
rm -rf ./test_files
mkdir -p ./test_files
for i in `seq 1 30`
do
echo "ABCDEFGHIJKLMNOPABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJ" > ./test_files/$i.tx
done
b. Make the script executable: chmod +x createfiles.sh
c. Execute the script: ./createfiles.sh
Test result:
- ssh session is closed.
- BLOCK alert is generated.
- Click the Remediation button on the ZMC. Notice that the createfiles.sh file is deleted. The file is deleted because remediation rolls back all actions performed during the networked session. Since the file was created within the same session as the execution, all of those actions are rolled back.
The Program Filtering is controlled by the Configuration Profile assigned to the endpoint. By default, the Enabled Program Filter is checked (Green) meaning it is active. Disabling the Program Filter allows new processes to be executed after the ZeroLock Agent has been installed and activated.
OpenSSL Ransomware Attack
1. Turn off Program Filtering to allow the creation of the test directory and files.
a. Login to the ZeroLock Management Console.
b. Click on System Configuration | Config Profiles | Default | Edit
c. On the Edit Configuration Profile screen, go to the ESXi block and click on the Enable Program Filter option. This will change the color of the block from green to red.
d. Lastly, click the Update button.
NOTE: Wait a minimum of 60 seconds to allow the endpoint to get the configuration change.
2. Create a simple script to create a new directory and add 30 text files:
a. vi createfiles.sh
#!/bin/sh
# Recreate ./test_files from scratch and populate it with 30 small text files
rm -rf ./test_files
mkdir -p ./test_files
for i in `seq 1 30`
do
echo "ABCDEFGHIJKLMNOPABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJ" > ./test_files/$i.tx
done
b. Make the script executable: chmod +x createfiles.sh
c. Execute the script: ./createfiles.sh
3. Exit the ssh session
4. ssh to the ESXi system
Note: an SSH-MFA alert is generated
5. Run the ransomware attack targeting the newly created directory and files by executing the following command:
grep -r '/test_files' -e "" -l | xargs -P 10 sh -c 'for arg do openssl enc -aes-256-cbc -md sha256 -salt -pass pass:$PASS_DEC -in "$arg" -out "$arg".☢; rm "$arg"; done'
Test results:
- Ransomware alert is generated.
- Under ACTIONS, the user has the option to Kill or Release the alert.
- Select Kill from the drop down to kill the attacking process and close the ssh session.
- Then click Remediate to restore the system back to the status before the attack.
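After clicking Remediate, a tester will want evidence that the rollback actually returned test_files to its pre-attack state rather than trusting the console alone. The following helper is an added example written for this guide; it is not part of ZeroLock or the original test procedure. It assumes it is run on the ESXi host from the same directory in which createfiles.sh was executed, and checks that the directory again holds the 30 plaintext files with the exact content createfiles.sh wrote and that no encrypted "☢" artifacts remain.

```shell
#!/bin/sh
# Added verification helper (not ZeroLock code, not part of the original guide).
# Confirms that remediation restored ./test_files to the state createfiles.sh
# produced: files 1.tx .. 30.tx with the expected content and no "*.☢" leftovers.

# Content written by createfiles.sh and the number of files it creates
EXPECTED_CONTENT="ABCDEFGHIJKLMNOPABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJ"
EXPECTED_COUNT=30

# check_restored DIR
# Returns 0 when DIR is fully restored, 1 (with a FAIL line) otherwise.
check_restored() {
    dir="$1"
    [ -d "$dir" ] || { echo "FAIL: $dir does not exist"; return 1; }

    # Any file still carrying the ransomware extension means remediation is incomplete
    for f in "$dir"/*.☢; do
        [ -e "$f" ] && { echo "FAIL: encrypted file remains: $f"; return 1; }
    done

    # Every original file must be present and byte-for-byte what createfiles.sh wrote
    i=1
    while [ "$i" -le "$EXPECTED_COUNT" ]; do
        f="$dir/$i.tx"
        [ -f "$f" ] || { echo "FAIL: $f missing"; return 1; }
        [ "$(cat "$f")" = "$EXPECTED_CONTENT" ] || { echo "FAIL: $f content differs"; return 1; }
        i=$((i + 1))
    done

    echo "OK: $dir restored ($EXPECTED_COUNT files, no encrypted leftovers)"
    return 0
}

# Usage on the host after remediation (assumed location of the test directory):
# check_restored ./test_files
```

The function deliberately checks content, not just file names, because a rollback that recreated empty or partially written files would still look intact in a directory listing. It is plain POSIX sh so it runs under the busybox shell on an ESXi host.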
You have successfully completed testing ZeroLock® Agent ESXi Protection.