<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Lockdown Mode - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/lockdown-mode/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/lockdown-mode/feed.xml" rel="self" type="application/rss+xml"/><item><title>ESXi Lockdown Mode Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/</guid><description>Detection of ESXi Lockdown Mode being disabled, potentially indicating attacker attempts to weaken host security controls for broader access, data exfiltration, or VM tampering.</description><content:encoded><![CDATA[<p>This brief focuses on detecting the disabling of Lockdown Mode on VMware ESXi hosts. Lockdown Mode restricts access to the ESXi host, limiting remote connections and hardening the system against unauthorized modifications. When an attacker disables Lockdown Mode, it expands the attack surface, allowing for broader remote access via SSH or the host client. This action typically occurs post-compromise, as attackers attempt to weaken security controls to facilitate lateral movement, data exfiltration, or VM tampering. This activity is particularly relevant for organizations running virtualized environments with sensitive data, as it indicates a significant compromise of hypervisor security. The provided detection identifies syslog messages related to Lockdown Mode being disabled.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access to a privileged account with administrative rights on the ESXi host.</li>
<li>Privilege Escalation: The attacker escalates privileges if necessary to gain the required permissions to modify ESXi host settings.</li>
<li>Discovery: The attacker uses commands or tools to discover the current Lockdown Mode status on the ESXi host.</li>
<li>Defense Evasion: The attacker disables Lockdown Mode on the ESXi host, weakening security controls and enabling broader remote access. This is achieved by using either the vSphere client or command line interface (CLI).</li>
<li>Lateral Movement: With Lockdown Mode disabled, the attacker can leverage gained access to move laterally to other VMs or ESXi hosts within the environment.</li>
<li>Credential Access: The attacker attempts to gather credentials stored on the ESXi host or within the VMs to further expand their access.</li>
<li>Data Exfiltration/VM Tampering: The attacker accesses sensitive data stored on the VMs or tampers with VM configurations to cause disruption or further compromise the environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to a complete compromise of the virtualized environment, potentially affecting hundreds or thousands of virtual machines and the data they contain. Disabling Lockdown Mode can lead to data exfiltration, ransomware deployment across VMs, and disruption of critical services. Organizations in all sectors relying on VMware ESXi are at risk. The financial impact can be substantial, including recovery costs, downtime, and potential regulatory fines.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Syslog forwarding from all ESXi hosts to a central logging server to capture the events necessary for detection (VMWare ESXi Syslog).</li>
<li>Deploy the Sigma rule &quot;ESXi Lockdown Mode Disabled&quot; to your SIEM and tune for your specific environment to detect instances of Lockdown Mode being disabled.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the user accounts and IP addresses involved in disabling Lockdown Mode (Sigma rule).</li>
<li>Implement multi-factor authentication (MFA) for all privileged accounts to reduce the risk of initial access.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esxi</category><category>vmware</category><category>lockdown mode</category><category>defense evasion</category><category>t1562</category></item></channel></rss>