<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>T1562 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/t1562/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/t1562/feed.xml" rel="self" type="application/rss+xml"/><item><title>ESXi Lockdown Mode Disabled</title><link>https://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-esxi-lockdown-disabled/</guid><description>Detection of ESXi Lockdown Mode being disabled, potentially indicating attacker attempts to weaken host security controls for broader access, data exfiltration, or VM tampering.</description><content:encoded><![CDATA[<p>This brief focuses on detecting the disabling of Lockdown Mode on VMware ESXi hosts. Lockdown Mode restricts access to the ESXi host, limiting remote connections and hardening the system against unauthorized modifications. When an attacker disables Lockdown Mode, it expands the attack surface, allowing for broader remote access via SSH or the host client. This action typically occurs post-compromise, as attackers attempt to weaken security controls to facilitate lateral movement, data exfiltration, or VM tampering. This activity is particularly relevant for organizations running virtualized environments with sensitive data, as it indicates a significant compromise of hypervisor security. The provided detection identifies syslog messages related to Lockdown Mode being disabled.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Initial Access: The attacker gains initial access to a privileged account with administrative rights on the ESXi host.</li>
<li>Privilege Escalation: The attacker escalates privileges if necessary to gain the required permissions to modify ESXi host settings.</li>
<li>Discovery: The attacker uses commands or tools to discover the current Lockdown Mode status on the ESXi host.</li>
<li>Defense Evasion: The attacker disables Lockdown Mode on the ESXi host, weakening security controls and enabling broader remote access. This is achieved by using either the vSphere client or command line interface (CLI).</li>
<li>Lateral Movement: With Lockdown Mode disabled, the attacker can leverage gained access to move laterally to other VMs or ESXi hosts within the environment.</li>
<li>Credential Access: The attacker attempts to gather credentials stored on the ESXi host or within the VMs to further expand their access.</li>
<li>Data Exfiltration/VM Tampering: The attacker accesses sensitive data stored on the VMs or tampers with VM configurations to cause disruption or further compromise the environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation can lead to a complete compromise of the virtualized environment, potentially affecting hundreds or thousands of virtual machines and the data they contain. Disabling Lockdown Mode can lead to data exfiltration, ransomware deployment across VMs, and disruption of critical services. Organizations in all sectors relying on VMware ESXi are at risk. The financial impact can be substantial, including recovery costs, downtime, and potential regulatory fines.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Enable Syslog forwarding from all ESXi hosts to a central logging server to capture the events necessary for detection (VMWare ESXi Syslog).</li>
<li>Deploy the Sigma rule &quot;ESXi Lockdown Mode Disabled&quot; to your SIEM and tune for your specific environment to detect instances of Lockdown Mode being disabled.</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the user accounts and IP addresses involved in disabling Lockdown Mode (Sigma rule).</li>
<li>Implement multi-factor authentication (MFA) for all privileged accounts to reduce the risk of initial access.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esxi</category><category>vmware</category><category>lockdown mode</category><category>defense evasion</category><category>t1562</category></item><item><title>ESXi Loghost Configuration Tampering</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-esxi-loghost-tampering/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-esxi-loghost-tampering/</guid><description>Attackers modify the ESXi host's syslog configuration to disrupt log forwarding, potentially evading detection and hindering incident response efforts after a compromise.</description><content:encoded><![CDATA[<p>This threat focuses on the malicious modification of syslog configurations on VMware ESXi hosts. An attacker with sufficient privileges changes the designated log host or directory settings. This action is designed to prevent security logs from reaching the intended security monitoring systems, effectively blinding defenders. This activity would typically occur post-compromise, as the attacker would need existing access to the ESXi host. Successful tampering allows attackers to operate with less risk of detection. This is especially relevant in environments targeted by ransomware groups like Black Basta.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains unauthorized access to the ESXi host, potentially through exploiting vulnerabilities or compromised credentials.</li>
<li>The attacker elevates privileges to enable modification of system configurations.</li>
<li>The attacker executes commands to modify the Syslog.global.logHost setting, redirecting logs to a malicious server or disabling logging entirely. This is done by setting a new value for Syslog.global.logHost using the <code>esxcli</code> command or direct configuration file manipulation.</li>
<li>Alternatively, the attacker modifies the Syslog.global.logdir setting, changing the directory where logs are stored, potentially making them inaccessible to legitimate monitoring tools.</li>
<li>The ESXi host processes the configuration change, and the syslog daemon starts forwarding logs (or not forwarding them) based on the new settings.</li>
<li>The attacker performs malicious activities on the compromised ESXi host, knowing that their actions are less likely to be detected due to the disabled or redirected logging.</li>
<li>The attacker attempts to remove or obfuscate evidence of the configuration changes to further evade detection.</li>
<li>The attacker proceeds with their objectives such as data exfiltration, lateral movement, or ransomware deployment, leveraging the reduced visibility.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful modification of the ESXi loghost configuration can severely impair an organization's ability to detect and respond to security incidents. With critical logs no longer being forwarded to central monitoring systems, malicious activity on the ESXi host goes unnoticed. This can lead to delayed incident response, increased dwell time for attackers, and greater damage from attacks such as ransomware. This is particularly impactful for organizations relying on ESXi for critical infrastructure.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule &quot;ESXi Loghost Config Tampering Detection&quot; to your SIEM to identify changes to the syslog loghost configuration (esxi_syslog).</li>
<li>Enable and monitor VMware ESXi Syslog to ensure proper log forwarding to a secure central log repository (VMWare ESXi Syslog).</li>
<li>Investigate any alerts generated by the Sigma rule, focusing on the source ESXi host (&quot;dest&quot; field in the Sigma rule) and the user account that made the changes.</li>
<li>Regularly audit ESXi host configurations to verify the integrity of syslog settings and detect unauthorized modifications.</li>
<li>Implement strong access control measures to restrict who can modify ESXi host configurations.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>esxi</category><category>vmware</category><category>syslog</category><category>defense-evasion</category><category>t1562</category></item></channel></rss>