{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/t1562/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ESXi"],"_cs_severities":["high"],"_cs_tags":["esxi","vmware","lockdown mode","defense evasion","t1562"],"_cs_type":"advisory","_cs_vendors":["VMware"],"content_html":"\u003cp\u003eThis brief focuses on detecting the disabling of Lockdown Mode on VMware ESXi hosts. Lockdown Mode restricts access to the ESXi host, limiting remote connections and hardening the system against unauthorized modifications. When an attacker disables Lockdown Mode, it expands the attack surface, allowing for broader remote access via SSH or the host client. This action typically occurs post-compromise, as attackers attempt to weaken security controls to facilitate lateral movement, data exfiltration, or VM tampering. This activity is particularly relevant for organizations running virtualized environments with sensitive data, as it indicates a significant compromise of hypervisor security. The provided detection identifies syslog messages related to Lockdown Mode being disabled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to a privileged account with administrative rights on the ESXi host.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges if necessary to gain the required permissions to modify ESXi host settings.\u003c/li\u003e\n\u003cli\u003eDiscovery: The attacker uses commands or tools to discover the current Lockdown Mode status on the ESXi host.\u003c/li\u003e\n\u003cli\u003eDefense Evasion: The attacker disables Lockdown Mode on the ESXi host, weakening security controls and enabling broader remote access. This is achieved by using either the vSphere client or command line interface (CLI).\u003c/li\u003e\n\u003cli\u003eLateral Movement: With Lockdown Mode disabled, the attacker can leverage gained access to move laterally to other VMs or ESXi hosts within the environment.\u003c/li\u003e\n\u003cli\u003eCredential Access: The attacker attempts to gather credentials stored on the ESXi host or within the VMs to further expand their access.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/VM Tampering: The attacker accesses sensitive data stored on the VMs or tampers with VM configurations to cause disruption or further compromise the environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to a complete compromise of the virtualized environment, potentially affecting hundreds or thousands of virtual machines and the data they contain. Disabling Lockdown Mode can lead to data exfiltration, ransomware deployment across VMs, and disruption of critical services. Organizations in all sectors relying on VMware ESXi are at risk. The financial impact can be substantial, including recovery costs, downtime, and potential regulatory fines.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Syslog forwarding from all ESXi hosts to a central logging server to capture the events necessary for detection (VMWare ESXi Syslog).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;ESXi Lockdown Mode Disabled\u0026quot; to your SIEM and tune for your specific environment to detect instances of Lockdown Mode being disabled.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the user accounts and IP addresses involved in disabling Lockdown Mode (Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all privileged accounts to reduce the risk of initial access.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/","summary":"Detection of ESXi Lockdown Mode being disabled, potentially indicating attacker attempts to weaken host security controls for broader access, data exfiltration, or VM tampering.","title":"ESXi Lockdown Mode Disabled","url":"https://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["ESXi"],"_cs_severities":["high"],"_cs_tags":["esxi","vmware","syslog","defense-evasion","t1562"],"_cs_type":"advisory","_cs_vendors":["VMware"],"content_html":"\u003cp\u003eThis threat focuses on the malicious modification of syslog configurations on VMware ESXi hosts. An attacker with sufficient privileges changes the designated log host or directory settings. This action is designed to prevent security logs from reaching the intended security monitoring systems, effectively blinding defenders. This activity would typically occur post-compromise, as the attacker would need existing access to the ESXi host. Successful tampering allows attackers to operate with less risk of detection. This is especially relevant in environments targeted by ransomware groups like Black Basta.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the ESXi host, potentially through exploiting vulnerabilities or compromised credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker elevates privileges to enable modification of system configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands to modify the Syslog.global.logHost setting, redirecting logs to a malicious server or disabling logging entirely. This is done by setting a new value for Syslog.global.logHost using the \u003ccode\u003eesxcli\u003c/code\u003e command or direct configuration file manipulation.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker modifies the Syslog.global.logdir setting, changing the directory where logs are stored, potentially making them inaccessible to legitimate monitoring tools.\u003c/li\u003e\n\u003cli\u003eThe ESXi host processes the configuration change, and the syslog daemon starts forwarding logs (or not forwarding them) based on the new settings.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious activities on the compromised ESXi host, knowing that their actions are less likely to be detected due to the disabled or redirected logging.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to remove or obfuscate evidence of the configuration changes to further evade detection.\u003c/li\u003e\n\u003cli\u003eThe attacker proceeds with their objectives such as data exfiltration, lateral movement, or ransomware deployment, leveraging the reduced visibility.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful modification of the ESXi loghost configuration can severely impair an organization's ability to detect and respond to security incidents. With critical logs no longer being forwarded to central monitoring systems, malicious activity on the ESXi host goes unnoticed. This can lead to delayed incident response, increased dwell time for attackers, and greater damage from attacks such as ransomware. This is particularly impactful for organizations relying on ESXi for critical infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;ESXi Loghost Config Tampering Detection\u0026quot; to your SIEM to identify changes to the syslog loghost configuration (esxi_syslog).\u003c/li\u003e\n\u003cli\u003eEnable and monitor VMware ESXi Syslog to ensure proper log forwarding to a secure central log repository (VMWare ESXi Syslog).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the source ESXi host (\u0026quot;dest\u0026quot; field in the Sigma rule) and the user account that made the changes.\u003c/li\u003e\n\u003cli\u003eRegularly audit ESXi host configurations to verify the integrity of syslog settings and detect unauthorized modifications.\u003c/li\u003e\n\u003cli\u003eImplement strong access control measures to restrict who can modify ESXi host configurations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-esxi-loghost-tampering/","summary":"Attackers modify the ESXi host's syslog configuration to disrupt log forwarding, potentially evading detection and hindering incident response efforts after a compromise.","title":"ESXi Loghost Configuration Tampering","url":"https://feed.craftedsignal.io/briefs/2024-01-03-esxi-loghost-tampering/"}],"language":"en","title":"CraftedSignal Threat Feed - T1562","version":"https://jsonfeed.org/version/1.1"}