{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/lockdown_mode/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["ESXi","Splunk Enterprise","Splunk Enterprise Security","Splunk Cloud"],"_cs_severities":["high"],"_cs_tags":["esxi","vmware","lockdown_mode","security_controls"],"_cs_type":"advisory","_cs_vendors":["VMWare","Splunk"],"content_html":"\u003cp\u003eThis detection identifies when Lockdown Mode is disabled on an ESXi host. Lockdown Mode restricts direct access to the host so that it is normally managed only through vCenter Server; a threat actor who disables it weakens the host\u0026rsquo;s security controls and regains direct remote access via SSH or the ESXi Host Client. This is often a precursor to further malicious activity such as data exfiltration, lateral movement within the environment, or tampering with virtual machines. Identifying this activity matters because it signals a potential compromise of the ESXi host, which can lead to significant disruption and data loss. The detection logic is based on ESXi syslog data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to the ESXi host, for example with compromised credentials or by exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ESXi host.\u003c/li\u003e\n\u003cli\u003eThe attacker disables Lockdown Mode. This can be done through the vSphere Client, from the DCUI (in normal Lockdown Mode), or over SSH if the SSH service is running and the account is on the Lockdown Mode exception user list; while Lockdown Mode is active, ordinary accounts are refused direct logins to the host.\u003c/li\u003e\n\u003cli\u003eThe ESXi host records the Lockdown Mode change in its syslog output.\u003c/li\u003e\n\u003cli\u003eWith Lockdown Mode disabled, the attacker gains broader access to the host\u0026rsquo;s management interfaces.\u003c/li\u003e\n\u003cli\u003eThe attacker performs reconnaissance, gathering information about the host and its virtual machines.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally to other systems within the environment, leveraging the compromised ESXi host.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or manipulates virtual machines, achieving their final objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eDisabling Lockdown Mode can lead to a complete compromise of the ESXi host and the virtual machines it manages. This can result in data exfiltration, data corruption, or the deployment of ransomware on the virtual machines. Depending on the environment, this can affect hundreds or thousands of virtual machines, potentially disrupting critical business operations. The \u0026ldquo;Black Basta Ransomware\u0026rdquo; analytic story is related to this threat.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eConfigure ESXi hosts to forward syslog output to a SIEM or log aggregation system to enable detection of this activity, as detailed in the \u0026ldquo;How to Implement\u0026rdquo; section of the source.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eESXi Lockdown Mode Disabled\u003c/code\u003e to your SIEM to detect instances where Lockdown Mode is disabled on ESXi hosts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule \u003ccode\u003eESXi Lockdown Mode Disabled\u003c/code\u003e to determine the root cause and scope of the potential compromise: confirm with change records whether an administrator disabled the mode deliberately, identify the account and source that made the change, and re-enable Lockdown Mode once the host has been cleared.\u003c/li\u003e\n\u003cli\u003eMonitor ESXi syslog for messages indicating other changes to host security configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-esxi-lockdown-disabled/","summary":"The disabling of Lockdown Mode on an ESXi host may indicate a threat actor attempting to weaken host security controls to enable broader remote access for data exfiltration, lateral movement, or VM tampering.","title":"ESXi Lockdown Mode Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/"}],"language":"en","title":"CraftedSignal Threat Feed — Lockdown_mode","version":"https://jsonfeed.org/version/1.1"}
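The detection and triage steps described in the brief above, as an added example that is not part of the original brief and is not the Splunk detection or the Sigma rule itself: a small Python script that parses forwarded ESXi syslog lines, flags messages reporting Lockdown Mode being disabled (and ignores the opposite transition, which also mentions lockdown), and separates hits that fall inside an approved change window from those that do not. The syslog lines are constructed for the example; the hostd message wording ("Lockdown mode disabled"), the `user=` field and the hostnames are assumptions, so confirm the exact message text on a test host before using the pattern in production.

```python
"""Flag ESXi Lockdown Mode being disabled in forwarded syslog and triage the hits.

Added example for the brief above; this is not the Splunk detection or the
Sigma rule itself. The hostd message wording, the "user=" field and the hosts
in the sample are assumptions made for the example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Sequence, Tuple

# Constructed sample of ESXi syslog forwarded to a collector (not a real capture).
# Lines 2 and 5 are the events the detection should raise; line 4 is the
# opposite transition and must not match even though it also mentions lockdown.
SAMPLE_SYSLOG = """\
2024-01-02T10:14:03Z esx01.example.com Hostd: info hostd[2098321] [Originator@6876 sub=Vimsvc.HaSessionManager opID=a1 user=vpxuser] Accepted password for user vpxuser from 10.0.0.5
2024-01-02T10:15:22Z esx01.example.com Hostd: info hostd[2098321] [Originator@6876 sub=Vimsvc opID=a2 user=root] Lockdown mode disabled (was: normal)
2024-01-02T10:15:23Z esx01.example.com Hostd: info hostd[2098321] [Originator@6876 sub=Vimsvc opID=a3 user=root] SSH access has been enabled
2024-01-02T11:02:41Z esx02.example.com Hostd: info hostd[2101777] [Originator@6876 sub=Vimsvc opID=b1 user=vpxuser] Lockdown mode enabled (normal)
2024-01-02T23:40:09Z esx03.example.com Hostd: info hostd[2100042] [Originator@6876 sub=Vimsvc opID=c1 user=svc-backup] lockdown mode disabled (was: strict)
"""

# Syslog header with an ISO-8601 UTC timestamp: "<ts> <host> <rest of message>".
HEADER = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
# Only the disable transition; "Lockdown mode enabled" must not match.
LOCKDOWN_DISABLED = re.compile(r"\block-?down\s+mode\s+(?:(?:has\s+been|was)\s+)?disabled\b", re.IGNORECASE)
# Acting user as carried in the hostd Originator block (assumed field name).
USER = re.compile(r"\buser=(?P<user>[^\]\s]+)")


@dataclass(frozen=True)
class LockdownDisabledEvent:
    when: datetime
    host: str
    user: Optional[str]
    raw: str


@dataclass(frozen=True)
class ChangeWindow:
    """Approved maintenance window in which this user may disable Lockdown Mode on this host."""
    host: str
    user: str
    start: datetime
    end: datetime


def parse_events(lines: Iterable[str]) -> List[LockdownDisabledEvent]:
    """Return one event per syslog line that reports Lockdown Mode being disabled."""
    events: List[LockdownDisabledEvent] = []
    for line in lines:
        line = line.strip()
        header = HEADER.match(line)
        if not header:
            continue  # not in the expected syslog shape; a real pipeline should count these
        msg = header.group("msg")
        if not LOCKDOWN_DISABLED.search(msg):
            continue
        user = USER.search(msg)
        when = datetime.strptime(header.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LockdownDisabledEvent(when, header.group("host"), user.group("user") if user else None, line))
    return events


def triage(events: Sequence[LockdownDisabledEvent],
           windows: Sequence[ChangeWindow]) -> Tuple[List[LockdownDisabledEvent], List[LockdownDisabledEvent]]:
    """Split events into (expected, unexpected) by matching host, user and time against approved windows."""
    expected: List[LockdownDisabledEvent] = []
    unexpected: List[LockdownDisabledEvent] = []
    for ev in events:
        approved = any(w.host == ev.host and w.user == ev.user and w.start <= ev.when <= w.end for w in windows)
        (expected if approved else unexpected).append(ev)
    return expected, unexpected


# Constructed change record: root was scheduled to work on esx01 between 10:00 and 11:00 UTC.
SAMPLE_WINDOWS = [
    ChangeWindow("esx01.example.com", "root",
                 datetime(2024, 1, 2, 10, 0, tzinfo=timezone.utc),
                 datetime(2024, 1, 2, 11, 0, tzinfo=timezone.utc)),
]


def run_sample() -> Tuple[List[LockdownDisabledEvent], List[LockdownDisabledEvent]]:
    """Run the detection and triage over the constructed sample."""
    return triage(parse_events(SAMPLE_SYSLOG.splitlines()), SAMPLE_WINDOWS)


if __name__ == "__main__":
    expected_hits, unexpected_hits = run_sample()
    for ev in unexpected_hits:
        print(f"ALERT {ev.when.isoformat()} host={ev.host} user={ev.user}: {ev.raw}")
    for ev in expected_hits:
        print(f"approved-change {ev.when.isoformat()} host={ev.host} user={ev.user}")
```

On the sample, the esx01 event by root falls inside the approved window and is reported as an expected change, while the esx03 event by svc-backup at 23:40 has no matching window and is raised as an alert; the change-window check is what keeps routine maintenance from drowning out the disable events that matter, and the match on `disabled` (rather than on any line mentioning lockdown) is what keeps re-enabling the mode out of the alert stream.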