{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/lockdown-mode/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ESXi"],"_cs_severities":["high"],"_cs_tags":["esxi","vmware","lockdown mode","defense evasion","t1562"],"_cs_type":"advisory","_cs_vendors":["VMware"],"content_html":"\u003cp\u003eThis brief focuses on detecting the disabling of Lockdown Mode on VMware ESXi hosts. Lockdown Mode restricts access to the ESXi host, limiting remote connections and hardening the system against unauthorized modifications. When an attacker disables Lockdown Mode, it expands the attack surface, allowing for broader remote access via SSH or the host client. This action typically occurs post-compromise, as attackers attempt to weaken security controls to facilitate lateral movement, data exfiltration, or VM tampering. This activity is particularly relevant for organizations running virtualized environments with sensitive data, as it indicates a significant compromise of hypervisor security. The provided detection identifies syslog messages related to Lockdown Mode being disabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to a privileged account with administrative rights on the ESXi host.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges if necessary to gain the required permissions to modify ESXi host settings.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker uses commands or tools to discover the current Lockdown Mode status on the ESXi host.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker disables Lockdown Mode on the ESXi host, weakening security controls and enabling broader remote access. This is achieved by using either the vSphere client or command line interface (CLI).\u003c/li\u003e\n\u003cli\u003eLateral Movement: With Lockdown Mode disabled, the attacker can leverage gained access to move laterally to other VMs or ESXi hosts within the environment.\u003c/li\u003e\n\u003cli\u003eCredential Access: The attacker attempts to gather credentials stored on the ESXi host or within the VMs to further expand their access.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/VM Tampering: The attacker accesses sensitive data stored on the VMs or tampers with VM configurations to cause disruption or further compromise the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a complete compromise of the virtualized environment, potentially affecting hundreds or thousands of virtual machines and the data they contain. Disabling Lockdown Mode can lead to data exfiltration, ransomware deployment across VMs, and disruption of critical services. Organizations in all sectors relying on VMware ESXi are at risk. The financial impact can be substantial, including recovery costs, downtime, and potential regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Syslog forwarding from all ESXi hosts to a central logging server to capture the events necessary for detection (VMWare ESXi Syslog).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;ESXi Lockdown Mode Disabled\u0026quot; to your SIEM and tune for your specific environment to detect instances of Lockdown Mode being disabled.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user accounts and IP addresses involved in disabling Lockdown Mode (Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all privileged accounts to reduce the risk of initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/","summary":"Detection of ESXi Lockdown Mode being disabled, potentially indicating attacker attempts to weaken host security controls for broader access, data exfiltration, or VM tampering.","title":"ESXi Lockdown Mode Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed - Lockdown Mode","version":"https://jsonfeed.org/version/1.1"}