Critical Hunting Guide TLP:CLEAR CISA Verified

BRICKSTORM Backdoor

Threat Hunting Guide • 5-7 hours

Comprehensive hunting procedures for detecting BRICKSTORM backdoor deployed by PRC state-sponsored actors (UNC5221/WARP PANDA) targeting VMware vCenter and ESXi infrastructure. Based on CISA Analysis Report AR25-338A.

🎯

Hunt Modules

⏱️

Duration

5-7 hrs

🖥️

Target Systems

vCenter/ESXi

📋

Source

CISA

⏳

Avg Dwell Time

393 days

📄

Download Full Hunting Guide

Complete guide with 13 hunt modules, step-by-step procedures, detection queries (Splunk, KQL, Sigma), YARA rules, and CISA-verified IOCs.

Download PDF - Free

13 Hunt Modules

Asset Inventory Validation

20-30 min • High

Self-Watching Persistence Detection

30-45 min • Critical

DNS-over-HTTPS C2 Detection

45 min • Critical

BrickStorm Binary Detection

30-45 min • Critical

PATH Environment Poisoning

20-30 min • High

VSOCK Inter-VM Tunneling

30 min • High

Boot Initialization Persistence

20-30 min • High

SOCKS Proxy Lateral Movement

30 min • High

VMware Account Analysis

30 min • High

Windows Variant Detection

30-45 min • High

Junction & GuestConduit Detection

20-30 min • High

Cloud Pivot Detection (Azure/M365)

30-45 min • High

Initial Access Vector Analysis

20-30 min • Critical

Detection Rules

Copy these queries to detect BRICKSTORM activity in your environment.

DNS-over-HTTPS from Infrastructure Servers

index=firewall OR index=proxy
(dest_ip IN ("8.8.8.8","8.8.4.4","1.1.1.1","1.0.0.1","9.9.9.9","9.9.9.11","149.112.112.11","45.90.28.160"))
dest_port=443
| search src_ip IN (vcenter*, esxi*, 10.0.1.*)
| stats count earliest(_time) as first_seen latest(_time) as last_seen by src_ip, dest_ip
| convert ctime(first_seen) ctime(last_seen)
| where count > 0

vCenter Pivot Activity Detection

index=firewall src_ip IN (vcenter*, esxi*)
| stats dc(dest_ip) as targets, dc(dest_port) as ports by src_ip
| where targets > 20 OR ports > 10

DNS-over-HTTPS from Infrastructure (Sentinel)

CommonSecurityLog
| where DestinationIP in ("8.8.8.8","8.8.4.4","1.1.1.1","1.0.0.1","9.9.9.9","9.9.9.11","149.112.112.11","45.90.28.160")
| where DestinationPort == 443
| where SourceIP startswith "10.0.1." // Adjust to your infrastructure subnet
| summarize ConnectionCount=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by SourceIP, DestinationIP
| order by ConnectionCount desc

Azure Sign-in from Infrastructure IPs

SigninLogs
| where TimeGenerated > ago(90d)
| where IPAddress in ("10.0.1.100", "10.0.1.101") // Your vCenter/ESXi IPs
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResultType, Location
| order by TimeGenerated desc

BrickStorm File Name Detection

title: BrickStorm - Suspicious File Name in VMware Paths
id: INT-BRICKSTORM-002
status: experimental
description: Detects execution of files with BrickStorm-associated names
references:
    - https://www.cisa.gov/news-events/analysis-reports/ar25-338a
logsource:
    category: process_creation
    product: linux
detection:
    selection_name:
        Image|endswith:
            - '/vmsrc'
            - '/vnetd'
            - '/vmware-sphere'
            - '/updatemgr'
            - '/vami'
    selection_path:
        Image|contains:
            - '/etc/sysconfig/'
            - '/opt/vmware/sbin/'
    condition: selection_name or selection_path
level: critical

Self-Watching Environment Variable Detection

title: BrickStorm - Self-Watching Environment Variable
id: INT-BRICKSTORM-003
status: experimental
description: Detects BrickStorm self-watching persistence environment variables
references:
    - https://www.cisa.gov/news-events/analysis-reports/ar25-338a
logsource:
    category: process_creation
    product: linux
detection:
    selection:
        CommandLine|contains:
            - 'CZePMeGj'
            - 'FIOON'
    condition: selection
level: critical

Need More Detection Rules?

The full guide includes 20+ additional detection signatures, YARA rules, and hunt procedures.

Download Full Guide

Disclaimer: These detection rules are provided for defensive security purposes. Always test rules in a non-production environment before deployment. Rules may require tuning for your specific environment. Based on CISA AR25-338A.

Key Indicators (CISA Verified)

File Names

                        vmsrc, vnetd, if-up, viocli, vts, vmckd, vmware-sphere, updatemgr, vami
                    

File Paths

                        /etc/sysconfig/

                        /opt/vmware/sbin/

                        /usr/java/jre-vmware/bin/

                        /etc/applmgmt/appliance/

Network Indicators

                        TCP 8090 (Junction)

                        VSOCK 5555 (GuestConduit)

                        TCP 8300 (SPAWNSNAIL)

                        DoH: 1.1.1.1, 8.8.8.8, 9.9.9.9

Environment Variables

                        VMware → vmware-sphere

                        CZePMeGj → vami

                        FIOON → updatemgr

Full IOC list with SHA256 hashes available in the PDF download.

Related Intelligence

Threat Actor

UNC5221 / WARP PANDA

Full intelligence profile on the threat actor behind BRICKSTORM.

View Profile →

← Back to Threat Hunting Guides

🛡️

Automate Your Threat Hunting

BRACE continuously monitors for BRICKSTORM indicators and 100+ other threat actors. Get automated detection rules deployed to your SIEM.

Learn About BRACE Talk to an Expert