ESXi Lockdown Mode Disabled
The disabling of Lockdown Mode on an ESXi host may indicate a threat actor attempting to weaken host security controls to enable broader remote access for data exfiltration, lateral movement, or VM tampering.
This detection identifies when Lockdown Mode is disabled on an ESXi host. Threat actors might disable this mode to weaken host security controls, allowing broader remote access via SSH or the host client. This action could be a precursor to further malicious activities such as data exfiltration, lateral movement within the environment, or tampering with virtual machines. Identifying this activity is crucial as it signifies a potential compromise of the ESXi host, which could lead to significant disruption and data loss. The detection logic is based on ESXi Syslog data.
Attack Chain
- An attacker gains initial access to the ESXi host, potentially through compromised credentials or exploiting a vulnerability.
- The attacker authenticates to the ESXi host.
- The attacker executes a command to disable Lockdown Mode. This may be done through the vSphere client or directly via SSH if enabled.
- The ESXi host logs the event of Lockdown Mode being disabled within its syslog.
- With Lockdown Mode disabled, the attacker gains broader access to the host’s management interfaces.
- The attacker performs reconnaissance activities, gathering information about the host and its virtual machines.
- The attacker moves laterally to other systems within the environment, leveraging the compromised ESXi host.
- The attacker exfiltrates sensitive data or manipulates virtual machines, achieving their final objectives.
Impact
Disabling Lockdown Mode can lead to a complete compromise of the ESXi host and the virtual machines it manages. This can result in data exfiltration, data corruption, or the deployment of ransomware on the virtual machines. Depending on the environment, this can affect hundreds or thousands of virtual machines, potentially disrupting critical business operations. The “Black Basta Ransomware” analytic story is related to this threat.
Recommendation
- Configure ESXi hosts to forward syslog output to a SIEM or log aggregation system to enable detection of this activity, as detailed in the “How to Implement” section of the source.
- Deploy the Sigma rule “ESXi Lockdown Mode Disabled” to your SIEM to detect instances where Lockdown Mode is disabled on ESXi hosts.
- Investigate any alerts generated by the Sigma rule “ESXi Lockdown Mode Disabled” to determine the root cause and scope of the potential compromise.
- Monitor ESXi syslog for messages indicating changes to host security configurations.
Detection coverage (2 rules)
- ESXi Lockdown Mode Disabled (high): Detects when Lockdown Mode is disabled on an ESXi host based on syslog messages.
- ESXi Lockdown Mode Disabled - Network Connection (medium): Detects network connections after Lockdown Mode is disabled on an ESXi host.
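As an added illustration of the two detections listed above (not the platform's own queries), the following Python sketch parses syslog lines forwarded from an ESXi host, raises the high-severity alert on a Lockdown Mode disable message, and raises the medium-severity alert for an SSH session accepted on that same host within a 30-minute window afterwards. The sample log lines and the hostd message wording are constructed assumptions; match LOCKDOWN_RE against what your hosts actually emit.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of ESXi syslog output, not real captured logs.
# The hostd wording is an assumption; tune LOCKDOWN_RE to what your own hosts emit.
SAMPLE_LOGS = """\
2024-05-01T10:00:02Z esxi01 Hostd: info hostd[2098] [Originator@6876 sub=Default] Lockdown mode changed to disabled by root
2024-05-01T10:03:15Z esxi01 sshd[4421]: Accepted keyboard-interactive/pam for root from 10.0.0.55 port 51234 ssh2
2024-05-01T10:04:40Z esxi02 Hostd: info hostd[2101] [Originator@6876 sub=Default] Lockdown mode changed to normal by admin
2024-05-01T12:30:00Z esxi01 sshd[4490]: Accepted publickey for root from 10.0.0.77 port 51999 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
# Rule 1 (high): Lockdown Mode turned off; accept "disabled" or "exit(ed)" wording.
LOCKDOWN_RE = re.compile(r"Lockdown mode.*\b(disabled|exit(?:ed)?)\b", re.I)
# Rule 2 (medium): an inbound SSH management session accepted on the same host.
CONN_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
WINDOW_MINUTES = 30  # how long after a disable event connections stay suspicious


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect(log_text: str, window_minutes: int = WINDOW_MINUTES) -> list:
    """Run both detections over syslog text; return alerts in log order."""
    alerts, last_disabled = [], {}  # last_disabled: host -> time of disable event
    window = timedelta(minutes=window_minutes)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, msg = parse_ts(m["ts"]), m["host"], m["msg"]
        if LOCKDOWN_RE.search(msg):
            last_disabled[host] = ts
            alerts.append({"rule": "ESXi Lockdown Mode Disabled", "severity": "high",
                           "host": host, "time": ts.isoformat()})
            continue
        c = CONN_RE.search(msg)
        if c and host in last_disabled and ts - last_disabled[host] <= window:
            alerts.append({"rule": "ESXi Lockdown Mode Disabled - Network Connection",
                           "severity": "medium", "host": host, "time": ts.isoformat(),
                           "user": c["user"], "src": c["src"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

The connection on esxi01 at 12:30 falls outside the window and the esxi02 line re-enables Lockdown Mode, so neither produces an alert; shrink or widen WINDOW_MINUTES to trade false positives against missed follow-on activity.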